It's been a while since I've written, but I ran across an article titled 'MyFamilyHealth is a great Web 2.0 health site' while researching another topic and had to say something. First, I'm not a Web 2.0 expert like my esteemed colleague, LoriMac, but I do cover security for our team. Anyway, the blog starts with:

The folks at MyFamilyHealth.com have combined online genealogy, social networking, and basic personal health record management for a single and eminently useful purpose: learning more about your family’s medical history to help improve your own health by better understanding your genetic risks. It will be fascinating to see how people use it over the next few years.

Now I'm sure Shahid's intentions were good but I have to wonder about a few things:

First, HIPAA: are social networking sites to which I choose to supply sensitive health information covered by it? HIPAA describes a 'covered entity' as

  • a health care provider that conducts certain transactions in electronic form
    (called here a "covered health care provider").
  • a health care clearinghouse.
  • a health plan

But at the same time the regulations clarify that what is facilitated must be a 'transaction', which means that merely accepting data and historical information is not a covered transaction under HIPAA and thus is not necessarily regulated. However, sharing personally identifiable health information could constitute facilitation of a transaction under HIPAA and thus require the business (site) to comply.

So a couple questions need to be asked:

Q1: "Does the business or agency process, or facilitate the processing of, health information from nonstandard format or content into standard format or content or from standard format or content into nonstandard format or content?" Yes.

Q2: "Does the business or agency perform this function for another legal entity?" Technically, yes, as the individual is a legal entity.

If the site provides the means by which you can designate who can and cannot see the data, that should be enough for HIPAA compliance regardless, as HIPAA defaults to a deny-all/whitelist policy for sharing of information. And if these types of sites start integrating (as in Web 2.0) with actual health care providers, I would think they MUST comply.

But I'm the one who chose to put it out there in the first place.

One of the problems I have with Shahid's blog is that he talks about all the great benefits of putting your health info up for the family to see, but says nothing about the security of that data or any cautions about the type of data you supply. So I went to check it out.

Which brings me to issue number two:

So, to log on, the login form is plain http: http://www.myfamilyhealth.com/account/login_form (email/password).

The https version,

https://www.myfamilyhealth.com/account/login_form

gives you:

[screenshot of the resulting browser certificate warning]

123genes.com takes you to the same myfamilyhealth.com look, except http://www.123genes.com/home is the path.

https://www.123genes.com/account/login_form takes me to the same logon, without a cert prompt in SSL. Shahid should have, especially now, talked a little about the security of the site: not only that it holds sensitive info (or at least a caution about putting actual prescription numbers into a site like this, along with pharmacy, doctors' names, etc.), but potentially even the certificate issue above. This reinforces the bad behavior of users just clicking through these warnings (see Lori's blog about FF3 warnings here). Add to that, in IE, you get the 'There is a problem with this website's security certificate' error message, and then what? You'll either be reinforcing bad behavior or driving people AWAY from the site, since IE is telling them, 'do not continue.'

They say, 'MyFamilyHealth takes extensive and proactive measures to ensure privacy and security,' but they don't even have an https logon. They say that only members of your family tree can see your tree, but it's only http. I'm sure this site is good for consolidating important health info and allowing others to see it, but with recent malicious attempts (both successful and not) against Facebook, MySpace and other social sites, do you really want your sensitive health info just 'out there', especially when their privacy policy states:

BY SUBMITTING YOUR SENSITIVE PERSONAL DATA TO US AND/OR CLICKING TO ACCEPT THE TERMS OF THIS PRIVACY POLICY AND THE DATA PROTECTION NOTICE, YOU CONSENT TO ALLOWING US TO PROCESS THIS SENSITIVE PERSONAL DATA IN ACCORDANCE WITH THIS PRIVACY POLICY.

One final concern is the health care/insurance companies themselves 'reviewing' these sites to determine if someone is too much of a risk. 'Oh, Sally here says that her family has a history of cancer. She's too much of a risk, let's drop her.'

No thanks.