Wednesday, May 09, 2012 8:01 PM
I know that HV will inactivate an HV account after a certain period of time of that the account has not been accessed. I cannot find any detailed information about this process. I have the following questions about the process:
1) after what time period of inactivity does a HV account get deactivated?
2) what is the nature of the deactivation? Is the account disabled? suspended? deleted?
3) what happens to all the medical records stored within a HV account when the account is deactivated? are they lost? deleted?
4) is the user informed of the deactivation?
5) what is the procedure a user must go through to reactivate the HV account? Does the user have to start from scratch? Are previously stored medical records restored?
Thursday, May 10, 2012 3:33 AM
HealthVault does not deactivate accounts after a certain period of time. We do not delete your health information and you will not lose your records or medical information.
The issue is that if you use Live ID as your authentication provider, Live ID deactivates accounts after a period of time. That is based on the Live ID policy and I don't know off the top of my head how long that is. If that happens where your Live ID has been disabled and you can no longer use it to log in to HealthVault there is a process where we have to confirm you are who you say you are and try to re-bind an auth provider to your account for you to log in.
Saturday, May 12, 2012 4:20 PM
this is a fine semantic line you are drawing here. Since live id is the gateway into HV, it doesn't matter to my users whether LiveID or HV is disabling the account. The user interface should be seamless. To one of my users, whether they are trying to directly login into HV to manage their medical records or are using my website as a portal into HV, the effect is the same: they cannot access their medical records.
Since our HV web portal is approx 3-4 years old, we are starting to have many users who are experiencing this issue. They registered with us/opened a HV account one,two or three years ago and don't come back to our web site/HV until their next medical event occurs, which may be a year or two after the first medical event that prompted them to create their HV account. Now they come back after a year or two and they are unable to log into HV and thus unable to view their medical records.
I would like to find some doc about Live ID deactivation process but have not been able to. Can you help point me in the right direction? Some questions that naturally arise: when does deactivation occur? Is the user notified of a pending deactivation? What is the reactivation process? is some somewhat akin to the "i forgot my password" process that many sites have? once the account has been reactivated and access to HV is reenabled, is the patient still identified by the same personid/recordid? Or does HV assign new identifiers?
Monday, May 14, 2012 3:43 PM
Live ID's policy is to expired unused accounts in one year. I don't know the policies of our other auth providers (Facebook, Open ID providers, Phone Factor auth).
We do have a process in place to assist users and will further improve the process in our next release so that our support agents can efficiently authenticate the user and grant them access to their data. The process involves sharing their existing records with their new cred's account.
As for notifications we have started sending periodic notices to users about their HealthVault account (we call them "Health Statements"). I will follow up with others in the team and investigate that as an option for including expiration alerts.
Monday, May 14, 2012 10:48 PMmatthew:
can you explain in more detail "we have process in place to assist users" and "sharing their existing records with their new cred's account"? Does this imply that they have to create a new HV account? do they get to reuse their existing email address? If the reuse an existing email address, does HV assign them a new personid/recordid? Are all the med records they previously stored in HV carried over to this "new" account?
We are having more and more uses who are experiencing this problem.
Wednesday, May 16, 2012 10:29 PM
Users with expired Live Id accounts can have their records shared to their new account, which can still use their existing email address. They can then control the sharing to other applications from the new account. They can still login with Facebook or OpenID if they use those with HealthVault.
Please ask users in this situation to contact support and we will help them.
Thursday, May 17, 2012 8:13 PM
lately we have been getting alot of the following type of errors:
Microsoft.Health.HealthServiceAccessDeniedException: Access is denied.
and I suspect that it has something to do with this issue of expiring accounts. As you said, users get to reuse their existing email addresses, and 'have their records shared to their new account" and "control the sharing to other applications". Our web app originally had access the our users' records. When the 'records are shared to their new account', does authorization and access control carry over? If not, does this explain the "access is denied" exceptions?