Hippocrates Would Roll Over in His Grave: an Examination of Why Internet Health Care Programs Should Obtain Informed Consent from Their Users

Publication year: 2022

42 Creighton L. Rev. 733.

Creighton Law Review


Vol. 42


I. INTRODUCTION

A study by Microsoft revealed that approximately eight million people do a health-related internet search daily.(fn1) A poll from 2007 found that approximately seventy-six percent of adults who are fifty-five years old or older searched for medical diagnoses using the internet.(fn2) From these searches alone, 500 million to one billion dollars were generated each year from the advertising that appeared during the searches.(fn3) A Microsoft executive estimated that the dollars generated from the aforementioned advertising would increase to five billion dollars within five to seven years.(fn4) Planning to make money from advertising which was to appear on its own search engine, Microsoft created HealthVault ("HealthVault") as an online, secure storage site for health information.(fn5) Microsoft created HealthVault to allow users to upload personal medical records to one location and to then share the medical records with their families, physicians, and programs that have teamed up with HealthVault.(fn6) A number of programs and websites joined HealthVault to provide services such as monitoring a variety of health information and creating health plans for users.(fn7) HealthVault created a convenient place to find and share medical information for an overall more effective health care experience.(fn8) Furthermore, there is no charge to use HealthVault for users, physicians, and programs that have teamed up with HealthVault.(fn9)

Additionally, Google's Chief Executive Officer, Eric Schmidt, stated that a health-related search is the most important internet search an individual can do.(fn10) Thus, Google was motivated to create a health-based internet program as well.(fn11) Google created a health-based internet program called Google Health, which allowed users to store medical records on an internet site.(fn12) Google Health also allows users to share medical records with third parties, such as their families, physicians, and programs.(fn13) Signing up for Google Health is free for users.(fn14) In 2008, Google made the majority of its earnings on advertising revenue that equated to twenty-one million dollars.(fn15) Unlike HealthVault, Google currently does not allow advertising on Google Health.(fn16) However, Google admitted that advertising may appear on Google Health in the future.(fn17) Schmidt also expressed hope that Google Health will generate revenue for Google if its users click on advertisements on other connected Google sites.(fn18)

Upon developing their patient health record systems, Microsoft and Google did not adequately address the privacy issues involved with uploading medical information to the internet.(fn19) Medical records contain a myriad of private information including radiology history, prescription drug information, blood-pressure results, lab results, and other personal medical history.(fn20) Many individuals are skeptical about putting such private medical information in an electronic format because they fear the information will not be adequately protected.(fn21) Thus, Microsoft and Google attempted to assure HealthVault and Google Health users that the users' information would remain secure.(fn22) Noting the importance of maintaining security of their users' health information, Microsoft and Google both claim their sites, HealthVault and Google Health respectively, are safe and secure.(fn23) In privacy statements associated with HealthVault and Google Health, Microsoft and Google emphasized that the user controls who accesses the user's information and what information is uploaded to the user's account.(fn24) Further, the first line of HealthVault's privacy statement states, "Microsoft is committed to protecting your privacy."(fn25) However, much of the criticism that Microsoft and Google received from an academic privacy research center pertains to the security of medical records on the internet.(fn26)

While Microsoft claimed it was committed to protecting a HealthVault user's privacy, one of the programs that partnered with Microsoft, Kaiser Permanente, had a history of privacy breaches.(fn27) Microsoft stated that its privacy commitments with regard to HealthVault were industry leading and that Microsoft established stringent privacy principles for programs like Kaiser Permanente that connected with HealthVault.(fn28) However, Kaiser Permanente allowed the breach of private medical records and information on numerous occasions.(fn29) In 2002, Kaiser Permanente accidentally sent hundreds of e-mails, some containing sensitive medical information, to seventeen individuals who were not the intended recipients of the private medical information.(fn30) The e-mails that Kaiser Permanente sent to the seventeen unintended recipients contained patient addresses, telephone numbers, and answers to sensitive medical questions.(fn31) In 2005, Kaiser Permanente was fined for posting 150 patients' medical lab results, names, phone numbers, and addresses on a publicly accessible website.(fn32) The 150 patients' medical information was posted for four years without the patients' consent.(fn33) Further, in 2006, a laptop computer containing medical information, names, birthdays, and other private information of 38,000 Kaiser Permanente members was stolen out of a Kaiser Permanente employee's car.(fn34) Also in 2006, 160,000 Kaiser Permanente members' private medical information was stolen from a computer in one of Kaiser Permanente's secure offices.(fn35) The 160,000 Kaiser Permanente members' stolen medical information included appointment information, names, phone numbers, and Kaiser Permanente member numbers.(fn36)

As Kaiser Permanente's record indicates, there is no guarantee that medical information will remain secure on the internet.(fn37) This Note argues that whenever personal information is on the internet, users run the risk of exposing that information to data breaches, regardless of the provider's reputation.(fn38) A general lack of understanding of privacy law, and confusing privacy statements, give users a false sense of security relating to the safety of the users' medical records on the internet.(fn39) HealthVault and Google Health both have confusing privacy statements, which generally reserve HealthVault's and Google Health's right to access their users' private health information.(fn40) HealthVault and Google Health claim that they will only access users' uploaded information under limited circumstances, but a careful reading of the privacy statements indicates that the circumstances where HealthVault and Google Health can access users' uploaded information are quite broad.(fn41) The language of HealthVault's and Google Health's privacy statements is such that HealthVault and Google Health can very easily justify accessing their users' private, uploaded information.(fn42) This Note argues that because putting medical records on the internet is not completely secure, Microsoft and Google should be required to obtain informed consent from their users prior to users agreeing to their services.(fn43) In this way, users will have a better understanding of the possible consequences of putting their personal medical records on the internet.(fn44)

This Note proceeds in three sections.(fn45) First, this Note's Background examines Microsoft's and Google's electronic health record programs, HealthVault and Google Health respectively, including their privacy statements.(fn46) Next, this Note's Background reviews the history of privacy in the medical profession and the applicable federal laws that relate to medical information.(fn47) This Note's review of the federal law relating to medical information includes the Health Insurance Portability and Accountability Act ("HIPAA")(fn48) and the common law doctrine of informed consent as it pertains to medicine and special education.(fn49) Second, this Note's Argument Section explains four reasons why HealthVault and Google Health have a duty to obtain informed consent from their users before the users sign up for these sites.(fn50) First, this Note argues that HealthVault and Google Health should obtain informed consent from their users to warn their users of the potential risks of uploading their medical information to the internet because HealthVault and Google Health have a duty to disclose the consequences associated with signing up for their programs.(fn51) Second, this Note argues that HealthVault and Google Health should obtain informed consent from their users because HealthVault and Google Health do not meet HIPAA's definition of covered entities, rendering HIPAA's privacy protection inapplicable to HealthVault and Google Health.(fn52) Third, this Note argues that HealthVault and Google Health should obtain informed consent from their users to reflect HIPAA's purpose of protecting medical records.(fn53) Fourth, this Note argues that HealthVault and Google Health should create an informed consent doctrine that models the special education requirement of parental consent.(fn54) Finally, this Note concludes that because HealthVault and Google Health have a duty to disclose to their users the consequences of the users' submitting health records to an electronic health record program...
