Showing posts with label general mills. Show all posts
Showing posts with label general mills. Show all posts

Thursday, 1 May 2014

The obligation of mHealth vendors to protect patient information

Lately I've been thinking about consumer focused medical devices. I am a Fitbit user and only every access the information on my cell. I do not actively share the information in their communities but I assume that Fitbit uses my information, in aggregate, to make money. I get it, they are an for-profit company and I am receiving a ultra cheap service, Fitbit needs to make money on that service somehow.

Now that I've got the niceties out of the way the rest of this blog is angry and rant-y. In terms of full disclosure some of my anger comes from the recent kerfuffle over General Mills' plan to treat social media as a binding contract to protect itself from litigation. The other part comes from my interactions with a couple of consumer focused but information sharing applications. One company provides a cloud based service that allows doctors and medical students to share patient information, including pictures, with other doctors. It is a great premise BUT......what protection is their for patients? 

I contacted the company and basically their protections are focused on their bottom line, the have a "policy in place that meets all legal obligations in their local jurisdictions"......they also would not disclose and had no plans to be proactive about applying any technical protections to block the sharing of patient data.

Am I the only person that has a problem with this?!? 

As we move forward into the wearables and internet of things era, what are the obligations to these companies? 

We hold customer facing companies responsible for protecting customer information. Shouldn't a company that provides a service that enables the sharing of medical information as accountable? Should they be allowed to merely point to a piece of "paper" and say "not our problem?!?" 

If your policy says that the user must comply with hospital regulations on patient data sharing, you should provide the hospital a method to enforce policy. As a patient I need to know that the med student is not sharing pictures of my serious and potentially embarrassing problem just to have a laugh with their friends. It is the reason that Box is such a fast growing product! It gives end users what they need and it gives the business the protections it may need. 

In this age of prism and companies selling your data (see here for stats), wouldn't it be a marketing advantage to tell customers you go beyond the minimal?

Here is my POV on this: If you are enabling sharing of a person's medical information, you are obligated to protect that data from the stupidity or laziness of your users. 

How many busy residents are really going to take the time to ask their patients if they can share the x-ray? Especially if they can control capture and share from a personally owned device? Should I as a patient be forced to spell out the conditions under which I will allow students and doctors to share my information? 

There should be no such things as Facebook, Dropbox or Google drive for doctors! At a minimum you should provide hospitals the option of enabling controls based on their policy and not just weasel out of it by throwing your hands up and saying hey we did our job, they told us that it was alright.