January 12, 2010

Information Technology meets Medical: Why We Should All Be a Little Worried

Today I had what I would say was an anecdotal experience regarding data privacy.. calling my OBGYN to make my annual appointment. I ended up using their new website and giving various personal data, only to figure out that they have no privacy policy for data, that the data was going to a third party, and that in trying to make an online appointment, all I really got after sharing data was an email form to request an appointment.

So, here's the scoop.

In calling into the doctor's office, I got their voice system which has always required lots of number punching to finally get through to someone to make an appointment. It's better than 10 years ago where you could literally never talk to anyone in their offices and would just punch numbers endlessly until leaving them a message. That would be followed by a return call that you would invariably miss, having to start the process over, to get another call back.. all to just make an appointment.

Anyway, calling in today only requires two selections, before being told my call was in line to be picked up after approximately 6 minutes of estimated wait, OR I could use their online system. Whooppee! I could make an appointment using what I imagined was a calendar with available timeslots to book appointments? So here is Golden Gate Obstetrics (GGObgyn) big chance to show how they are using information technology to help people organize this process of getting an appointment better and faster!

Super cool!

Er... NOT. So. Fast.

Following the voice system at GGObgyn, I go to http://goldengateobgyn.medem.com/ which redirects me to http://www.ggobgyn.mymedfusion.com/:

The branding all over the site is "Golden Gate Obstetrics" so I'm thinking: okay, this is their site, even though it's got some other root domain name (mymedfusion.com).. in other words, Golden Gate Obstetrics is responsible for my health info, and I just need to get in to see their calendar and choose a time or something. So I go to "create an account" (Note below I've made screen shots of the *second* account I made, called 'testacct' to see what was going on a second time.. since the first time when I made an account for myself, it went by quickly and I wasn't suspicious until the end of the very end of the process):

I put in my name, SS # and DOB and email. After submitting, I was brought to this form (screenshots are in two parts as it was a longer page):

As you can see, there's enough data request there for someone to do some damage if they wanted to. At this point I was getting a little concerned about where this data was going, but keeping in mind GGObgyn's history where getting staff on the phone to make appointments is so difficult, I went ahead and submitted my data.

The screen instantly took me to a logged in state, saying "we are now your Health Record provider" which I found totally freaky. I don't want them to be my Health Record provider. I just want to schedule an appointment. All this, without requesting any sort of email verification or other checking... just gave me an account. At that point, I could go make an appointment:

To say the least, I was shocked. So I just put in all this personal information, dinked around with forms etc, to be given a glorified email form to request an appointment? With structured data about which day of the week I want the appointment? How about a calendar with available time slots? So I could just pick based upon my availability? No... it appears they are going to email me back or call me with times so we could go back and forth over schedules again, in email? Really? This is the promise of information technology for scheduling? I mean aside from the privacy issues, I really felt like I'd been had in terms of my time sink for their silly email form.

I notice there is no help or privacy statement on any of the pages in their system (and I clicked on all of them), and the "ask a question" page is all about medical stuff, not using the website. But I figure GGObgyn is responsible for this site. So I call them, and after a lengthy wait, get the appointment receptionist. And I ask, where did my data go? And she says she doesn't know, but they own the site, so therefore my data is safe.

This seemed reasonable given the interface on the GGObgyn website was so incomplete with so many important things missing (like a privacy statement as I entered in my SS # and DOB and address, etc. or even a privacy policy in the footer somewhere, or a help page, or real contact info), it had to have been done by people who don't normally develop websites.

I asked if the receptionist could give me the privacy policy, or tell me where my data had gone, and she said she would pass me to the "online manager" named Olivia. Olivia started off my telling me she sits on the system "all day long... as account requests from users to join their online system appear on my screen.. I look the patient up and put through the approval if the new user is in fact a patient."

ME: "Really? because my account approval seemed instantaneously to happen on my screen."
Olivia: "Oh yes.. I did that."
ME: "Wow.. you're fast."

Then Olivia reiterated to me that she's there literally every minute at work approving patient account requests.. because she manually approves all new accounts and also is there to pass along requests of appointments.. etc. And she was sure there was a privacy policy somewhere on the system. Her description of the account approval process sort of contradicts the fact that I could make an account called "testacct" and get right into their system without any approval but I didn't bother mentioning that. I just wanted to know where my data had gone from my first real account made with them.

After that, she could only talk about how to use the system from her perspective, not mine. In other words, Olivia had no idea what regular users face (ie, There is no privacy information, as I typed in my personal data, and no real idea other than from reading the URL in the address bar that maybe a third party was collecting my data, etc. Reading address bar URLs is something most users don't do.)

I told Olivia she literally wasn't getting the problem, because she just kept repeating to me how she uses the system (as an administrator over user accounts and for appointments where, I'm guessing, she has to be seeing an administrator version of the Medfusion system or some kind of much more powerful interface than the one regular users see when they log into the system). So she said she wanted to pass me to their office manager, Laura, who said, as she picked up the call:

"Mary, i've been listening to your call with Olivia" ... er.. okay.. no one disclosed to me that my call with Olivia was going to be monitored by others listening in. Unsettling. And possibly illegal. But whatever, that's really the least of my concerns here.

I told Laura there was no disclosure to me in advance of having a third party get my personal data.. and after Medfusion had it, I had no way of finding out what they are going to do with it.

I asked Laura about GGObgyn's ownership of Medfusion, but she replied that Golden Gate Obstetrics *did not* own Medfusion as the receptionist had told me. Instead, GGObgyn used them because they could not email "using Gmail or AOL" about appointments because that "wasn't safe." I was thinking really? Because having a website where my data just goes to third parties with no written privacy policy seems pretty unsafe.

So she explained that every page on their site (see all the screenshots and look hard for it!) have some sort of key symbol in yellow (it's not on any of the screen shots I took of the site, and I took shots of every page on their site), which if i click on the key, "will take me to their privacy policy." Okay.. so ignoring the obvious question of why they have a yellow key to signal a privacy policy (totally not intuitive from a user perspective), I look all over all the webpages that I can get to from the left side navigation, read them to Laura, and confirm that I cannot find the key.

Laura replied, "Well I can't help you anymore, because this is a waste of our time.. if you didn't want to put your information into MedFusion then you shouldn't have."

ME: "But your voice system told me to. And your name is on the website, and you aren't really disclosing that you are giving my data to a third party, MedFusion or telling me what they or you are going to do with it."

Laura: "Well, I can print the privacy policy and fax it to you."

ME: "But I don't have a fax machine. Can't you email it?"

Laura: "No.. maybe i could scan it and send it in email, but I'm not sure... and there isn't anything else I can do anyway." (It was clear she was trying to end the call.)

ME: "Er... Okay." (And then I hung up.)

A few hours later while writing this post, looking at the GGObgyn site, I noted that they added a privacy policy to the left side navigation, though that policy doesn't govern anything about what I entered into the GGObgyn site because it wasn't there when I gave my data. Medfusion and GGObgyn are under no obligation to keep my data safe or private, based on that policy.

No help or contact pages appeared afterward.

The privacy policy, which I read through, has a few issues. First, it starts off just saying "we" .. and my question is, We Who? I mean.. is it Medfusion? or GGObgyn? Me and GGObgyn together? Or someone else?

At the end of the privacy policy, it says under a section called OUR NOTICE OF PRIVACY PRACTICES:

By law, we must abide by the terms of this Notice of Privacy Practices. We reserve the right to change this notice at any time as allowed by law. If we change this Notice, the new privacy practices will apply to your health information that we already have as well as to such information that we may generate in the future. If we change our Notice of Privacy Practices, we will post the new notice in our Center, have copies available in our office and post it on our website.

So basically, they have to follow the policy, but can change their privacy policy at any time and it's retroactively applied to my old data and old terms? Well, I can see why GGObgyn wouldn't even bother having a privacy policy before because essentially, I have no rights over my data anyway.. because they can just change my rights whenever they want to suit themselves? I feel really good about my personal and medical information held by Golden Gate Obstetrics now.

And then, under COMPLAINTS:

If you think that we have not properly respected the privacy of your health information, you are free to complain to us or to the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against you if you make a complaint. If you want to complain to us, send a written complaint to the contact person at the address shown at the beginning of this Notice. If you prefer, you can discuss your complaint in person or by phone.

So.. GGObgyn seriously expects me to complain to the USDoHHS? Why do we have to escalate this to a federal agency? Why can't they discuss it directly with their patients? I would rather just start by telling GGObgyn (which as you can see from the above dialog was incredibly successful, but they really ought to be open to hearing from their users about issues). In looking at the complaints section of the GGObgyn privacy policy, I note that I can contact the person listed "at the top of the privacy policy." Except, surprise! There is no one listed at the top of it. In fact, I don't even really know who "we" is in the policy language. So.. I guess I won't be contacting the "we" in this policy.

If I did want to complain about a privacy policy and questionable data usage problem, frankly I would use the Federal Trade Commission form because the FTC governs these things (see their most recent list of cases here where they go after companies that fail to protect user data and medical information, including the recent CVS case where they violated financial and medical data privacy rules). I have zero confidence that the Office of Civil Rights at the USDoHHS would even have a clue about privacy and my data on a website.

One thing.. after the GGObgyn privacy policy appeared, no one from GGObgn emailed me, or called me, to say that it was now up on their website. Of course, they have all this contact info and my name in their patient files and in their online system that Olivia who runs their website presumably could pull up very quickly and easily send me an email telling me to look at the policy.

I would also recommend that businesses like Golden Gate Obstetrics use the FTC page on Protecting their user's data and privacy (additionally, here is a link to the FTC's newer site how individual's can protect their own data) which is very helpful when trying to figure out how to present privacy info on a website.

Frankly, I have no way to alert anyone at GGObgyn to this blog post, or to my thoughts on the subject, other than to call back, sit on hold, and talk with the three people I already discussed this with, who were ranged from unhelpful to hostile. Since GGObgyn doesn't seem open to discussing their websites problems and the fact that the cat is kind of out of the bag now with my data going God knows where into various company's hands, I'm posting this example of how companies, particularly *medical* entities, with no experience or understanding of information technology systems and websites need to use extreme care, and not assume that office staff trained to run a medical office has any idea what users need or will face with a website collecting personal or medical data.

I hope people at medical or other data collection companies will realize the importance of protecting user data and being straight with us about what's happening to personal and medical information. My experience is just one, but if this becomes representative of people's experience with their medical providers, we ought to be very worried.

Note: I took a look, when writing this post, at ratings for Dr. Wiggins, whom I really like and have enjoyed having as my doctor. You can see from the ratings at Health Grades that Dr. Wiggins is well liked by patients but the appointment system and her office staff.. not so much. I hope GGObrgn does an overhaul on all their office administration and website that interacts with patients before they venture further with information technology as tool for communications.

Posted by Mary Hodder at January 12, 2010 08:21 PM | TrackBack
Comments

Mary,

They seem to break every privacy rule I can think of, and probably some I don't know. I don't know if HIPAA applies to smaller practices, but at the very least, they seem unusually inefficient. Maybe you should suggest they use the records systems from Google or Microsoft? I can't personally recommend them as a user, because I haven't used them. But I have talked to CIOs at hospital companies that have approved them for use with patients.

Michael

Posted by: Michael Fitzgerald at January 15, 2010 07:41 AM

Mary, I feel your pain. Sometimes I fell like I'm talking into the wind on things like this. It's maddening that people write you off because "no one else" has complained. Makes you feel sort of "bad," "angry" or in need of a true medical professional.

What's hard about this situation is the mix of getting good medical care (hard to find these days) with a the notion of 21st century privacy. Good doctor? Good privacy? Which one should I choose? Of course, we deserve both.

BTW, I *never* give out my SSN to anyone. I don't care if they ask for it or require me to use it. To them my SSN# is N/A.

Posted by: Jeff at January 15, 2010 07:56 AM

Michael,
Agreed.. GGObgyn is governed by HIPAA rules but I think smaller medical offices are sort of off the radar of government agencies who might patrol this issue.. in fact the CVS example on the FTC site was a huge example.. that's what makes the FTCs radar.

Unfortunately, it's us who need to be vigilante and let providers know they aren't doing a good job.. and here I am doing that and frankly, the Dr.s office staff just finds this "a waste of time" according to the office manager.. who presumably oversees their HIPAA compliance.

Jeff,
It is incredibly frustrating. My Dr. (Donna Wiggins) is fantastic, and the medical group's office staff is incompetent because they can't understand patient needs (like privacy of their medical and personal data) or their own website or information technology generally.

mary

Posted by: mary hodder at January 15, 2010 08:29 AM

I should think (naively, I'm sure) that one strongly-worded complaint using "HIPPA" in every sentence would strike the fear of -- well, of the govt -- into Medfusion, since they are in the health records *business.* If not into GGObgyn.

Posted by: NVH at January 16, 2010 09:11 AM

You could write them a letter, and mail it.

Posted by: Kerri at January 21, 2010 10:18 AM

Hi Kerri,
Yes.. you are right. I could write Golden Gate OBGYN a letter and mail it to them about their website & privacy policy which is missing their own contact information, but which they reference in that privacy policy as being there. Along with the other site issues.

I can say that that's never going to happen. But I *could* do it.

Instead, I printed all the pages out from GGObgyn, and marked them up, and I'll bring those to my appointment in a few weeks. I think the doctor, who is otherwise fantastic, should know that her staff and her website aren't doing so well representing her.

Mary

Posted by: Mary Hodder at January 21, 2010 10:26 AM

Sounds like you are exaggerating quite a bit. This is your side of a very frustrating circumstance. I am sure you put quite a spin on it to make yourself seem wronged. I am certain you will not post this on your site. You seem a little full of yourself..

Posted by: at January 28, 2010 08:31 AM

Hi Anonymous,
Thanks for your comment.

I don't think a medical site, which requests very personal information, but doesn't post a privacy policy, needs any "spin" from me to make it clear to readers that it's a worrisome circumstance. Nor the statements made by GGOBGYN.

There was no exaggeration about what they provide or said to me on the phone. I actually took notes during the interaction.. because after a few minutes, it became clear that my health and personal data (like SS # coupled with address, phone, and other information perfect for identity theft, and other painful misuses) were not protected by GGOBGYN or Medfusion.

So my retelling above is literally what occurred in order based upon my notes of exact quotes from the conversations.

I was however dismayed by the fact (from a usability perspective) that GGOBGYN would have users do all this personal data entry in order to get a "glorified" email form. Yes.. my reaction was stated with some exaggerated emotion, because from a user perspective, GGOBGYN is WASTING MY TIME AND EVERYONE ELSE'S with a circa 1997 email form.

Can you tell me what else you think I'm exaggerating (based upon what information in the post)?

The main point, which the title notes, is that my medical data was not covered by a privacy policy at the time I interacted with the system, there was no contact information, and when I called GGOBGYN they said they "didn't have time" to deal with the privacy problems of their website.

Also.. would you care to share your name? By leaving yourself Anonymous, I'm thinking you may be associated with GGOBGYN and taking offense at my relating the story.

Mary

Posted by: Mary Hodder at January 28, 2010 09:07 AM
Post a comment









Remember personal info?