Well, I finally got around to evaluating the #ManageMyHealth portal;

https://managemyhealth.co.nz/about-us/

When my GP suggested I sign up with it, I presumed it was a public service offered by Te Whatu Ora, like My Health Record;

https://www.tewhatuora.govt.nz/health-services-and-programmes/digital-health/my-health-record

So what do I think of Manage My Health? Not impressed. This is a privately-owned, for-profit digital platform, that I can't be certain isn't #DataFarming patients who sign up with it.

(1/?)

#privacy #PublicService #PublicHealth #HealthPortals

Before I talk about the reasons why I think it's safer to assume platforms like Manage My Health are DataFarmers, let's zoom out a bit. A few years ago I was talking to a friend who works in public health, about how health information store-and-sync services might work in my utopian Aotearoa.

Essentially we're talking about a health internet, linking the internal networks of all health providers that patients choose to use. The fundamental principles are privacy and consent.

(2/?)

The fundamental access model is that patients must have access to all data held about them. They must be able to correct and update information supplied by them, and to challenge the accuracy of data supplied by practices (in case of data entry or other errors), and get it reviewed.

So this is a patient-centric system. That's the first design consideration.

(3/?)

As I mentioned, I see it as a health internet. Obviously connections between health providers' networks would be made through the net. But what I mean is, we're not talking about a centralised database, held by Te Whatu Ora or anyone else. This would be a juicy target for both network attacks ("hacking") by agents of data brokers, and political attacks (like corporatising the service and selling it off).

So the second design principle; it's a decentralised system.

(4/?)

So obviously health practices use this hypothetical HealthNet (TM, patent pending) to supply patients with their health data. But what if the patient wants their current GP to have access to their whole medical record? Or they want their osteopath to see their back x-rays before a consultation? There would need to be a system for disclosure of specified data, with patient consent, with a timeframe (for a set number of hours, days, etc., or ongoing).

So the third design principle; selective disclosure.

(5/?)
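To make the three principles concrete, here is an added example (not from the original thread, and not code from any real health portal or from Solid): a small Python model of a patient-held record with time-bound, revocable grants over named slices of the data. The patient always reads everything held about them; anyone else needs a live grant covering the slice. The record layout, slice names and provider identifiers are invented for illustration.

```python
"""Added example: selective disclosure over a patient-controlled record.

Not part of the original post. Slice names, patient and provider
identifiers are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Grant:
    grantee: str                  # provider identifier (hypothetical)
    slices: FrozenSet[str]        # record paths covered, e.g. {"imaging/xray"}
    expires: Optional[datetime]   # None means ongoing until revoked


def _covers(granted: str, requested: str) -> bool:
    """A grant on 'imaging/xray' covers 'imaging/xray' and 'imaging/xray/back'."""
    return requested == granted or requested.startswith(granted + "/")


@dataclass
class PatientRecord:
    patient: str
    data: Dict[str, str] = field(default_factory=dict)   # slice path -> content
    grants: List[Grant] = field(default_factory=list)

    def grant(self, grantee: str, slices, duration: Optional[timedelta] = None,
              now: Optional[datetime] = None) -> Grant:
        """Patient consents to disclose `slices` to `grantee`, for `duration` or ongoing."""
        now = now or datetime.now(timezone.utc)
        expires = now + duration if duration is not None else None
        g = Grant(grantee, frozenset(slices), expires)
        self.grants.append(g)
        return g

    def revoke(self, grantee: str) -> None:
        """Patient withdraws every grant held by `grantee`."""
        self.grants = [g for g in self.grants if g.grantee != grantee]

    def can_read(self, requester: str, slice_path: str,
                 now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        if requester == self.patient:
            return True   # principle 1: patients see everything held about them
        for g in self.grants:
            if g.grantee != requester:
                continue
            if g.expires is not None and now >= g.expires:
                continue  # expired grants are ignored, not deleted, so they stay auditable
            if any(_covers(s, slice_path) for s in g.slices):
                return True
        return False

    def read(self, requester: str, slice_path: str,
             now: Optional[datetime] = None) -> str:
        if not self.can_read(requester, slice_path, now):
            raise PermissionError(f"{requester} has no live grant for {slice_path}")
        return self.data[slice_path]


def demo() -> dict:
    """Walk through the osteopath and GP scenarios from the post; returns the outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock for reproducibility
    rec = PatientRecord("patient-123", {
        "imaging/xray/back": "<constructed x-ray report>",
        "notes/gp": "<constructed consultation notes>",
    })
    # Osteopath gets the back x-rays for two hours only.
    rec.grant("osteo-1", ["imaging/xray"], duration=timedelta(hours=2), now=t0)
    # Current GP gets the whole record, ongoing.
    rec.grant("gp-1", ["notes", "imaging"], now=t0)
    out = {
        "osteo_xray_in_window": rec.can_read("osteo-1", "imaging/xray/back", t0 + timedelta(hours=1)),
        "osteo_gp_notes": rec.can_read("osteo-1", "notes/gp", t0),
        "osteo_xray_after_expiry": rec.can_read("osteo-1", "imaging/xray/back", t0 + timedelta(hours=3)),
        "gp_notes_much_later": rec.can_read("gp-1", "notes/gp", t0 + timedelta(days=400)),
        "patient_own_notes": rec.can_read("patient-123", "notes/gp", t0),
    }
    rec.revoke("gp-1")
    out["gp_after_revoke"] = rec.can_read("gp-1", "notes/gp", t0)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check is deliberately default-deny: a requester who is not the patient and holds no matching, unexpired grant gets nothing, and the expiry is evaluated at request time rather than by deleting grants, so a later audit can still see what was consented to and when.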

What intrigues me is that I'm pretty sure I'd never heard of the Solid protocol at the time. But...

"With Solid's Authentication and Authorization systems, one can determine which people and applications can access their data. Entities can grant or revoke access to any slice of their data as needed. Consequently, entities can do more with their data, because the applications they decide to use can be granted access to a wider and more diverse set of information."

https://solidproject.org/about

(6/?)


Sounds about right. I could go into a lot more detail about how a resilient and reliably-private health record system might work, and what tech could be used, but I really ought to ask Te Whatu Ora for $100 an hour as a "consultant" if I'm going to do that ; )

But I think that's enough of a sketch to give us something to compare Manage My Health against.

(7/?)

So how does Manage My Health stack up?

Well, they talk a good game about privacy and consent, and a brief glance over their privacy policy gives an impression of being patient-centric (or wanting to appear that way).

But some of the language in the privacy policy reads a bit like; once you've entered optional data into our system, you've given us consent to use it "for our lawful purpose connected to our functions", no further consultation needed;

https://managemyhealth.co.nz/privacy-policy/

(8/?)

To be fair, it's hard to run a centralised service without getting all the permissions the MMH privacy policy asks patients to opt-in to. You can add more detail on the limits of data use, but that creates as many problems as it solves. It leads to a longer, more complicated policy, with more room for subtle loopholes, that fewer people will read top to bottom.

This is why the decentralisation principle matters. Practices already hold patient records, why not let patients control them?

(9/?)

So what about selective disclosure? Again, the service seems to be set up with that goal. They talk a lot about supplying data being optional, and encrypted connections between participating data providers and recipients.

But according to NoScript (add-on running in my browser), they try to get your web browser to run scripts from domains controlled by known DataFarmers (Goggle), a newsletter provider (MailerLite), WordPress.com (wp.com) *and* WPEngine. This is not encouraging. At all.

(10/?)
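The NoScript observation above is something you can reproduce without a browser add-on. As an added example (not from the original thread, and run here over a constructed HTML snippet rather than the real portal page), the following Python lists every `<script src>` host in a page and separates the page's own origin from third-party origins. The page URL and hostnames are invented for illustration.

```python
"""Added example: enumerate third-party script origins in an HTML document.

Not part of the original post. The sample HTML and all hostnames below are
constructed for illustration and are not taken from any real site.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlparse


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def script_hosts(html: str, page_url: str) -> Tuple[List[str], List[str]]:
    """Return (first_party_hosts, third_party_hosts) for scripts referenced by `html`.

    Relative and protocol-relative ('//cdn...') sources are resolved against
    `page_url`; inline scripts have no src and are not counted.
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    first, third = set(), set()
    for src in parser.sources:
        host = urlparse(urljoin(page_url, src)).hostname
        if not host:
            continue
        host = host.lower()
        if host == page_host or host.endswith("." + page_host):
            first.add(host)
        else:
            third.add(host)
    return sorted(first), sorted(third)


# Constructed sample page (hypothetical hostnames, not a real portal).
SAMPLE_URL = "https://portal.example.nz/login"
SAMPLE_HTML = """
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://static.portal.example.nz/vendor.js"></script>
  <script src="//analytics.example-tracker.net/tag.js" async></script>
  <script src="https://cdn.example-newsletter.com/forms.js"></script>
  <script>window.inlineConfig = {};</script>
</head><body></body></html>
"""


def audit_sample() -> Tuple[List[str], List[str]]:
    return script_hosts(SAMPLE_HTML, SAMPLE_URL)


if __name__ == "__main__":
    own, external = audit_sample()
    print("first-party:", own)
    print("third-party:", external)
```

Feed it the saved HTML of a login or signup page (for example from `curl -sL <url>`) and the third-party list is the set of origins that will run code in the patient's browser before they have agreed to anything; a subdomain match is treated as first party, so a CDN on a separate registrable domain still shows up as external.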

Then there's this bit of the privacy policy, under the subtitle; "Use of personal information";

"MMH collects and uses your personal information to operate, improve and deliver ManageMyHealth™ or carry out the transactions you have requested. These uses may include:

d. performing research and analysis aimed at improving our products, services and technologies;

e. displaying content and health promotions that are customised to your interests and preferences;"

(cont'd in next post)

(11/?)

"Use of personal information" cont'd;

"f. using aggregated information (which has identifying information removed) to improve the quality of the services offered on ManageMyHealth™, for marketing of ManageMyHealth™ and for general analysis or population health statistics;

g. gathering and analysing health statistics (in a form in which you cannot be identified) to allow planning of effective healthcare services within your region."

https://managemyhealth.co.nz/privacy-policy/

(12/?)

Now it's possible I've got my tin-foil hat on here, and all of this is just legal boilerplate their cheapo startup lawyer has cut'n'pasted and minimally adapted. Maybe their actual practices are totally innocuous.

But that's a *lot* of permission for DataFarming we're giving by opting in to that policy, which we have to do to use any part of the service. Enough room to drive a number of lawfully privacy-violating buses through at once.

This does not inspire confidence.

(13/?)

This is what a privatised health system looks like folks.

The same people who can buy a McDonalds can buy a franchise to host your most personal data. Under terms that are legal only because the NZ Privacy Act is a leaky sieve, protecting only the most cut'n'dried lowest common denominator of privacy rights. Overseen by a toothless #PrivacyCommissioner, hamstrung by underfunding.

https://www.rnz.co.nz/news/national/513289/a-lack-of-consequences-for-managing-personal-information-poorly-privacy-commissioner

I won't be using Manage My Health. I suggest you think twice before you do.

(14/14)
