PrivacyPlace fisks HealthVault


The term fisking, a detailed rebuttal of someone else's statements and assertions, is fairly common to blogging but uncommon in health care.

Today The Privacy Place gave a good fisking to Microsoft's HealthVault.

The group's problems are these:

  1. HealthVault is not covered by HIPAA, only its own privacy statement.
  2. The privacy statement lets HealthVault move your data offshore, where there is no privacy protection.
  3. HealthVault will not promise to keep your health data separate from other data Microsoft may have on you.
  4. HealthVault access controls are easy to legally breach. If you give someone else permission to access your records, they can have them all, even change them.

It should be noted that these are not technical problems, but legal and ethical problems. Whether HealthVault delivers on its promises is not the issue. The issue is whether anyone should trust Microsoft with their health information based on current privacy statements.

The answer The Privacy Place delivers is a resounding no.

This is not just some blogger talking. The Privacy Place has a dozen major authors, and this piece was written by director Annie Anton. It is sponsored by the National Science Foundation and a unit of North Carolina State University.

It's pretty amazing that Microsoft either did not contact these people, or did not run their policies by them, before launching. Microsoft did considerable homework in advance of this launch, and the company knows its privacy policies are suspect. Microsoft also has many lawyers.

It's the kind of fiasco that could set the movement toward electronic health records back years. That kiss on the top of the HealthVault home page could prove the kiss of death.