Part II: Follow Up to PHR Access Post and GTUG Campout "Breach"- Google Health, Ringful, and the Asthma Journal App Experience

Why did this happen? Egotistically, I wondered how in the h*&^ something like this could happen to me. How could I be so confused by an eHealth and mHealth application and data exchange permission language?

Working in the field of Health 2.0 for over two years, reviewing TOS's (Terms of Service) at a granular level is an integral part of my work as an analyst, consultant, and blogger. I am *very* careful to read TOS's thoroughly and exhaustively, and often comment on what I like/don't like about them. This is the reason I never blogged for Wellsphere (a story for another time), and why I tweet and talk frequently about PatientsLikeMe's terms of service.

The irony here is that there are very simple, rational, non-malicious reasons for what happened, and why I was so confused. I believe now that these are related to the following factors:

1. The field of mHealth's baby-faced newness: standard workflows for mobile health applications accessing web-based PHRs like Google Health have yet to be established.

2. A lack of attention to the UX (user experience) in PHR design in general (not many people use PHRs, and those who do tend to be experienced in the field of healthcare).

3. The inherent bias (by just about everyone: PHR vendors, mHealth application designers working to build on top of PHR APIs, doctors, patients themselves) that users of mobile health and eHealth sites and services will not be able to use or understand granular permission-based sharing of health and medical data. As such, Google Health and Ringful have adopted an 'all or nothing' sharing policy that provides either 'complete' access to ALL of my PHR for ALL time to Ringful, or 'no' access to ALL of my PHR for ALL time.

4. A lack of commitment to 'plain language' terms of service and sharing/data exchange details and explanations in eHealth TOS. 

5. My inability to think very critically that day, which is unusual; the GTUG Campout was my second hackathon in a 10-day period, and I got less than 3 hours of sleep for the duration of the 2.5-day event. Looking back, it's amazing I was able to read logs and remember Michael Yuan at all.

Let's look particularly at the number 2 reason why this happened...

One of the central reasons I was so confused is related to where linked profile information (i.e., where my Google Health profile was telling me Axial was sharing my profile) is stored in Google Health's interface. It is NOT stored under the "Share this Profile" link on the lower left nav tab, which is where most users (myself included) would look when notification of information exchange occurs.

Now let's look at number 3...

It's important to note that I hadn't SENT or transmitted any user-entered data from Ringful's Asthma Journal app to my Google PHR (I hadn't entered any data because I don't have asthma).

Just opening the Asthma Journal application on my iPhone and opting to share my Google Health PHR profile with Ringful caused the link to occur. 

Why is a detailed understanding of the user experience (UX) and granular permission sharing for PHR data so vital moving forward? 

This is an important micro-issue for mHealth app design going forward, when you take into account several factors:

1. The attrition rate for app users: if I don't EVER USE the health app to transmit data (or never update my health app records, or uninstall the app), should an app maker still have access to my personal health records? In that light, I was shocked to see Axial access that did NOT appear under my shared permissions in Google Health (read on: it WAS there, but not where I expected to find it).

2. Given DHHS's new cooperation with the FTC to compose an 88-page breach notification rule for PHR vendors and associates to communicate details about any breach or unauthorized access to users, the issue of 'how much information' is shared with PHR associates, and when this permission expires (currently, it doesn't), takes on new meaning.
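To make the 'all or nothing' versus granular, expiring access contrast concrete, here is an added example (not code from the original post, and not Google Health's or Ringful's implementation; the app labels, scope names such as `asthma_journal:write`, timestamps and time limits are constructed assumptions). It models both grant policies side by side and runs the exact scenario above: the app is linked once, never sends data, and we ask who can still read the record weeks, months and years later.

```python
"""
Model of two ways a web-based PHR could grant a third-party mobile app access.

Constructed illustration: the grant model, scope names, app labels and
timestamps below are assumptions, not any vendor's real API or policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Iterable, List, Optional, Tuple

ALL = "*"  # wildcard scope: "complete access to ALL of the PHR"


@dataclass
class Grant:
    app: str                          # constructed app label
    scopes: FrozenSet[str]            # assumed scope names, e.g. {"asthma_journal:write"}
    issued_at: datetime
    expires_at: Optional[datetime]    # None = never expires
    idle_limit: Optional[timedelta]   # deny once unused for this long; None = never
    last_used_at: Optional[datetime] = None
    revoked: bool = False


def all_or_nothing_grant(app: str, now: datetime) -> Grant:
    """The policy the post describes: every scope, no expiry, no idle cutoff."""
    return Grant(app, frozenset({ALL}), now, expires_at=None, idle_limit=None)


def scoped_grant(app: str, scopes: Iterable[str], now: datetime,
                 ttl: timedelta, idle_limit: timedelta) -> Grant:
    """A least-privilege alternative: named scopes, a hard expiry, an idle cutoff."""
    return Grant(app, frozenset(scopes), now, now + ttl, idle_limit)


def _liveness_problem(grant: Grant, now: datetime) -> Optional[str]:
    """Return why the grant is dead (revoked/expired/idle), or None if it is live."""
    if grant.revoked:
        return "revoked"
    if grant.expires_at is not None and now >= grant.expires_at:
        return "expired"
    last_activity = grant.last_used_at or grant.issued_at
    if grant.idle_limit is not None and now - last_activity > grant.idle_limit:
        return "idle"
    return None


def authorize(grant: Grant, action: str, now: datetime) -> Tuple[bool, str]:
    """Decide one access request: (allowed, reason).

    Liveness (revocation, hard expiry, idle cutoff) is checked before scope, and a
    successful request records the use so the idle clock restarts.
    """
    problem = _liveness_problem(grant, now)
    if problem:
        return False, problem
    if ALL in grant.scopes or action in grant.scopes:
        grant.last_used_at = now
        return True, "ok"
    return False, "out of scope"


def linked_apps(grants: List[Grant], now: datetime) -> List[str]:
    """Apps that hold live access right now: one list a 'Share this profile' view could show."""
    return [g.app for g in grants if _liveness_problem(g, now) is None]


def demo(now: Optional[datetime] = None) -> dict:
    """Link the app once, never send any journal data, and ask who can still read the PHR."""
    t0 = now or datetime(2020, 1, 1, tzinfo=timezone.utc)   # constructed link time
    day = timedelta(days=1)
    wide = all_or_nothing_grant("asthma-journal-app (all-or-nothing)", t0)
    narrow = scoped_grant("asthma-journal-app (scoped)", {"asthma_journal:write"}, t0,
                          ttl=90 * day, idle_limit=30 * day)
    return {
        # all-or-nothing: unrelated record, ten years on, app never used in between
        "wide_unrelated_read_10y": authorize(wide, "medications:read", t0 + 3650 * day),
        # scoped: the one thing the app exists to do
        "narrow_own_write_day1": authorize(narrow, "asthma_journal:write", t0 + 1 * day),
        # scoped: unrelated record is out of scope even while the grant is live
        "narrow_unrelated_read_day1": authorize(narrow, "medications:read", t0 + 1 * day),
        # scoped: not used since day 1, so the idle cutoff fires at day 40
        "narrow_own_write_day40": authorize(narrow, "asthma_journal:write", t0 + 40 * day),
        # scoped: past the 90-day hard expiry regardless of use
        "narrow_own_write_day100": authorize(narrow, "asthma_journal:write", t0 + 100 * day),
        # what the sharing view would list at day 45: only the all-or-nothing link survives
        "linked_at_day45": linked_apps([wide, narrow], t0 + 45 * day),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of `linked_apps()` is the UX complaint above: a single list, computed from the same liveness rules the authorizer uses, is what a user expects to find under a "Share this profile" link. The idle cutoff is the design lever for the attrition question: a link that was opened once and never used to send data stops working on its own, instead of granting access for all time.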

NOTE: I'll be blogging for the rest of the week about the FTC breach notification rule in detail. Posts will include business practice recommendations for PHR vendors and associates, including mHealth developers working to exchange data with web-based PHRs.

Taking off my Health 2.0 analyst and Contagion Health startup founder hats for a moment, my essential concerns are related to these 'normal user' issues, which I'll describe very generally here: 

Posted via email from Jen's Posterous
