This is a weird time between US administrations. Senator Daschle is shopping for new hand towels for the Humphrey Building, and Secretary Leavitt is packing up his banker’s box. It’s a time when we get a lot of last-minute attempts to squeeze in that one last bit of policy – often rushed and poorly thought through (auto bailout, helloooo?). In the midst of this environment, I was surprised and pleased when I saw the Secretary’s “Nationwide Privacy and Security Framework” paper that was released on Monday.
This framework is exactly the kind of action that I wish we got more of from government. It describes simple, conceptual, clear principles that citizens should demand of electronic information exchange – without trying to dictate specific features, technical architectures or business models.
Of course, I also like it because HealthVault measures up to the yardstick exceptionally well. Privacy and security of our users’ information has been a cornerstone of our systems and strategy from day one:
Virtually all of our work over the last year has been to find more automated and efficient ways of helping individuals collect and organize their personal health information. From fax and file uploads, to paper translation partners like UNIVAL, to dozens of clinical connectivity projects, we are doing everything we can to make sure that individuals have the access they need to take charge of their health.
HealthVault users have complete control over their information and can correct anything they believe to be erroneous within their own records. We also encourage our clinical partners to accept information from individuals – appropriately attributed – to make their own records more complete and correct.
Openness and Transparency
The granular authorization model behind HealthVault allows users to choose exactly who they want to see their information, and exactly which parts of the information to share. Nothing is ever shared without specific consent. This combination of flexible, granular rules and explicit opt-in is the magic that we believe will result in real progress.
Collection, Use and Disclosure Limitation
Our partners are obligated to explain to users in a consistent way exactly why they need each type of information they request. Both our and our partners’ privacy policies explicitly state the purpose for which data may be used.
Data Quality and Integrity
Our immutable audit trail and support for digitally signed information in HealthVault deliver an unmatched ability for recipients of information to judge its source and integrity. There is simply no other system available today that offers the level of assurance that HealthVault can in this regard.
HealthVault has been built according to the Microsoft Security Development Lifecycle, regarded as the state of the art in secure software development. Our systems are hosted in secure facilities, and all communication between our systems, internally and with the outside world, is fully encrypted. We conduct internal and independent security and privacy testing on an ongoing, continuous basis.
Microsoft Chief Software Architect Ray Ozzie sent me an email back before we launched HealthVault. He told me that I had better be doing a good job – because I had the reputation of Microsoft on my shoulders. That reputation is worth billions of dollars to our shareholders, and it’s hard for me to imagine a more direct accountability than that. We take it extremely seriously.
The hard times we are facing have an upside for healthcare – we simply no longer have the luxury of being lazy and inefficient with the way we manage care. Reliable, secure exchange of health information is critical to making real progress in cutting costs and improving quality. We think we’re doing our part, and are glad that Secretary Leavitt is doing his. I hope that Senator Daschle picks up the ball and starts running the same way next month.
The last piece has to come from care providers, payers, employers – all the folks involved in delivering care. The framework and technology are in place — it’s time to start sharing information, and time to start engaging patients as real participants. Demand patient-facing functionality from your vendors. Talk to your patients about how a PHR can help you provide them with better outcomes. And tell us what we need to do to make it easier – we are in.