Eric Irvin, Senior Consultant at IrvTech, suggested I blog about Google’s recent announcement of Google Health and I countered by challenging him to write up a post of his own, and here it is. Eric doesn’t have a blog, so if you want to get in touch with him, leave a comment or contact me and I’ll forward it on to him. Without further ado:
Google Health by Eric Irvin:
Google has recently offered a service to track and monitor your own personal health records. Google Health provides a centralized manner of health information management, utilizing Google’s signature API. Google has assured users that they will protect and secure the data. The problem is the Health Care Industry already has a standard of privacy and protection with HIPAA.
Health portability and privacy have always been a problem in the Health Care Industry. This has been largely due to the industry facing lawsuits due to a lack of privacy regulations, and/or questions relating to how data should be shared between insurance companies, hospitals, and other medical care providers. Out of these legal questions, and lack of clarity, the Health Insurance Portability and Accountability Act was passed in 1996.
Google believes that it should not be regulated by HIPAA because they are not a health care provider. Google addresses this in a post from a development blog.
“Some have asked how Google Health relates and compares to the privacy protections for patients under the Health Insurance Portability and Accountability Act (HIPAA), a federal law that establishes privacy standards for patient health information. Unlike a doctor or health plan, Google Health is not regulated by HIPAA because Google does not provide health care services.”
I disagree with Google’s not wishing to comply with HIPAA regulations, which would apply a baseline of security checks and safeguards to protect customer information. With other industry requirements (such as PCI, SOX), privacy and protections extend to anyone exchanging customer information. While the law, in itself, does not require Google to do so, I think it sets a standard of expectation for people who choose to use the service. Because Google is not subjecting itself to HIPAA, there is no legal requirement for them to keep your information private, other than the terms of service.
Google could begin providing information to pharmaceutical companies as to who has which medical problems, and allow them to target advertisements to them. This would be a horrible invasion of privacy, and breach of a basic trust. While Google has not announced any plans to do so, their own terms of service allow them to change their own policies at any time without notice. At least HIPAA requires a vote from Congress to extend, withdraw, or modify any protections or use of said information.
While HIPAA was established for the sake of protecting patients’ rights from Health Providers, Insurance Companies, et al., the question remains: should a third-party company that has access to Health Information be governed by those same rules?