In an article in the New England Journal of Medicine, two researchers express concerns about the privacy of health information after the entrance of Microsoft and Google into the Personal Health Record space.
The authors apparently hope to begin a dialogue on the implications of private organizations like Microsoft and Google acting as stewards of such large volumes of patient data. Fueling these concerns are the lower burdens that they perceive such organizations would carry to protect this information. They also suggest these organizations would not be required to follow privacy regulations such as HIPAA.
I’m inclined to disagree with some of the premises on which they base their concerns. While I’m not a lawyer, these aggregators of data seem to fit HIPAA’s definition of a clearinghouse. Regardless, in order for provider organizations to pass data to such a repository, these organizations would need to execute Business Associate Agreements with those providers, which would bind them to follow the basic principles of the law.
So far, the initiatives from both Google and Microsoft are putting the onus of control on the consumer, where it belongs. The biggest challenge to success under such a model is providing health consumers with the information to understand the implications of the information-sharing decisions they make.