In five years, the privacy debate over personal health records will be a over, and you and I will be storing our medical records at a central location. Why? Because the benefits of better care and less paperwork will outweigh our current fears about data breaches and inappropriate data sharing. Whether that central location will be Redmond, Mountain View or Boston will depend on whom we trust most with our medical information.
What is an electronic personal health record (PHR), anyway? I recently reviewed the specifications of five key players' platforms, and I'd say the prevailing model will have these six core features:
1. A single repository that integrates files of varying formats from multiple sources.
2. Files that are related in a way that provides cohesive, longitudinal records over time that are easily searchable.
3. The trust of doctors, who will believe the files are accurate and authentic.
4. Records that are understandable to the patient.
5. The ability for patients to add information and flag errors.
6. Patient control over who sees what.
I don't see these records being stored on cards we carry around, because I don't think cards can provide all of these features. These records are going to be Web-accessible databases stored on a server somewhere.
What kinds of records will they contain? The sky is really the limit on this question. Promised data sets include:
- Drug prescriptions, food and drug allergies, and immunizations.
- Past illnesses and hospitalizations.
- Results from tests, physical exams and clinical trials.
- Information from implanted medical devices.
- Health-insurance information and claims.
- Living wills and organ-donor instructions.
- Exercise and diet recordings.
- Genomic information.
With this kind of sensitive information concentrated in one place, privacy and security will become mission-critical. Repeated breaches could irreparably undermine confidence in and adoption of the system.
So, what if you took the most hardened privacy advocates, put them in a room, and told them they had to issue the ideal privacy and security requirements for these PHR platforms? What would they say?