Sharing data using HealthVault

There are always folks out there ready to beat up on Microsoft -- and sometimes it's well-deserved. But not always -- Fred Trotter in his most recent post makes some claims about HealthVault that are simply incorrect, so I wanted to spend a few minutes setting the record straight.

There are a number of points in Fred's entry; I'm not going to hit them all with this post. Suffice to say that I disagree with his assessment of our privacy policy and support for industry standards. For example, HealthVault natively includes CCR and CCD data. But that is a discussion for another day, because the biggest mistake Fred makes is in his analysis of our security and authorization model -- and this one is critical for people to understand.

Our system allows for extremely granular and flexible authorization rules. The auth grant that Fred beats up on is called "custodianship" -- and he is correct that records can have multiple custodians. Custodians are "root" users in that they have rights to grant others access to the record, including transitive custodianship. This is a super-positive feature -- it means that both a mom and a dad can be custodians over their children's records, and that when those children turn 18 they can "hand over" custodianship in a seamless way, allowing the child to have a complete, birth-to-death record of their health and wellness.

However, this is just one type of access that can be granted to a record. Using the existing UI at, I can choose to grant users full read/write access to a record without custodianship, or further I can grant users read-only access to a record if that is what I deem appropriate.

There is even more richness behind the HealthVault authorization model. In particular we support the ability to allow users to grant rights to individual types of data within the record -- for example, if I am acting as a caregiver for an aging parent with Alzheimer's disease, I could grant the parent rights to create new blood pressure and weight items in their record, but keep the rest of the record read-only to prevent accidental deletion of items.

The way we authorize applications on HealthVault also incorporates the richness above. So for example, my fitness applications may have access only to my aerobic exercise session items and not my medications. I believe that this is a hugely enabling feature, as it allows people to make trust decisions differently for an application that just helps them, say, lose weight vs. manage their depression medications.

Finally, we permit two separate types of authorization for applications. As a user, I can grant an application access to my data only when I am explicitly logged into that application, which is the mechanism applications generally use. In addition, I can choose to grant an application what we call "offline" access, which means the application can access my information at any time -- an example of this would be an application that checks my record periodically for new drug interaction issues so they can send alerts to my mobile phone when a problem is discovered.
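To make the rules above concrete, here is a small Python model of them added for this page (it is not HealthVault's own code or API; the principal names, right strings, data-type labels and the single-record-per-object shape are all assumptions): custodians are "root" and the only ones who can grant, grants can be scoped to a subset of data types, and an application grant is either usable only while the user is signed in or marked "offline".

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

@dataclass
class Grant:
    rights: FrozenSet[str]                   # subset of {"create", "read", "update", "delete"} (assumed names)
    types: Optional[FrozenSet[str]] = None   # None = every data type in the record
    custodian: bool = False                  # "root": every right, plus the power to grant to others
    offline: bool = False                    # apps: may act while the user is not signed in
@dataclass
class Record:
    grants: Dict[str, List[Grant]] = field(default_factory=dict)  # principal -> its grants

    def is_custodian(self, who: str) -> bool:
        return any(g.custodian for g in self.grants.get(who, []))
    def grant(self, granter: str, who: str, g: Grant) -> None:
        # Only a custodian may hand out access, including (transitive) custodianship.
        if not self.is_custodian(granter):
            raise PermissionError(f"{granter} is not a custodian of this record")
        self.grants.setdefault(who, []).append(g)
    def allowed(self, who: str, right: str, item_type: str, online: bool = True) -> bool:
        for g in self.grants.get(who, []):
            if g.custodian:
                return True           # custodians hold every right over the whole record
            if not online and not g.offline:
                continue              # online-only grant and the user is not signed in
            if g.types is not None and item_type not in g.types:
                continue              # grant is scoped to other data types
            if right in g.rights:
                return True
        return False

def demo() -> Dict[str, bool]:
    # Constructed scenarios mirroring the post: two custodians, a read-only relative,
    # a parent limited to creating BP/weight items, and two differently scoped applications.
    child = Record({"mom": [Grant(frozenset(), custodian=True)]})
    child.grant("mom", "dad", Grant(frozenset(), custodian=True))
    child.grant("dad", "grandma", Grant(frozenset({"read"})))
    parent = Record({"caregiver": [Grant(frozenset(), custodian=True)]})
    parent.grant("caregiver", "parent", Grant(frozenset({"read"})))
    parent.grant("caregiver", "parent", Grant(frozenset({"create"}), frozenset({"blood_pressure", "weight"})))
    parent.grant("caregiver", "fit_app", Grant(frozenset({"read"}), frozenset({"aerobic_session"})))
    parent.grant("caregiver", "rx_app", Grant(frozenset({"read"}), frozenset({"medication"}), offline=True))
    return {
        "grandma_reads": child.allowed("grandma", "read", "immunization"),
        "grandma_deletes": child.allowed("grandma", "delete", "immunization"),
        "parent_creates_bp": parent.allowed("parent", "create", "blood_pressure"),
        "parent_deletes_bp": parent.allowed("parent", "delete", "blood_pressure"),
        "fit_app_meds": parent.allowed("fit_app", "read", "medication"),
        "fit_app_offline": parent.allowed("fit_app", "read", "aerobic_session", online=False),
        "rx_app_offline": parent.allowed("rx_app", "read", "medication", online=False),
    }
```

Any real implementation would also need to decide what a custodian can do to other custodians' grants; the model above deliberately leaves that policy out.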

The truth is, we've thought about this problem a great deal and are very confident that we offer our users far greater control over their information than other models. As we try to build out a new market, it's great to have people asking hard questions and calling us out if they believe we're doing the wrong thing. But it's disappointing to me when folks attack without doing their homework.

Anyways -- enough for now, I'm sure there will be plenty of these posts to be made over the coming years. For now, I'm headed downstairs to enjoy my time at ETech -- super excited to hear Hugh Rienhoff talk in a couple of hours.