May 22 2008

Google Health

Published by at 5:21 am under Privacy

Eric Irvin, Senior Consultant at IrvTech, suggested I blog about Google’s recent announcement of Google Health and I countered by challenging him to write up a post of his own, and here it is. Eric doesn’t have a blog, so if you want to get in touch with him, leave a comment or contact me and I’ll forward it on to him. Without further ado:

Google Health by Eric Irvin:

Google has recently offered a service to track and monitor your own personal health records. Google Health provides a centralized manner of health information management, utilizing Google’s signature API. Google has assured users that it will protect and secure the data. The problem is that the Health Care Industry already has a standard of privacy and protection: HIPAA.

Health portability and privacy have always been a problem in the Health Care Industry. This has been largely due to the industry facing lawsuits over a lack of privacy regulations, and/or questions relating to how data should be shared between insurance companies, hospitals, and other medical care providers. Out of these legal questions, and lack of clarity, the Health Insurance Portability and Accountability Act was passed in 1996.

Google believes that it should not be regulated by HIPAA because they are not a health care provider. Google addresses this in a post from a development blog.

“Some have asked how Google Health relates and compares to the privacy protections for patients under the Health Insurance Portability and Accountability Act (HIPAA), a federal law that establishes privacy standards for patient health information. Unlike a doctor or health plan, Google Health is not regulated by HIPAA because Google does not provide health care services.”

I disagree with Google’s not wishing to comply with HIPAA regulations, which would apply a baseline of security checks and safeguards to protect customer information. With other industry requirements (such as PCI, SOX), privacy protections extend to anyone exchanging customer information. While the law, in itself, does not require Google to do so, I think it sets a standard of expectation for people who choose to use the service. Because Google is not subjecting itself to HIPAA, there is no legal requirement for them to keep your information private, other than the terms of service.

Google could begin providing information to pharmaceutical companies as to who has which medical problems, and allow them to target advertisements to them. This would be a horrible invasion of privacy, and breach of a basic trust. While Google has not announced any plans to do so, their own terms of service allow them to change their own policies at any time without notice. At least HIPAA requires a vote from Congress to extend, withdraw, or modify any protections or use of said information.

While HIPAA was established for the sake of protecting patients’ rights from Health Providers, Insurance Companies, et al., the question remains: should a third-party company that has access to Health Information be governed by those same rules?


3 Responses to “Google Health”

  1. Pierce on 25 May 2008 at 1:09 am

    Wow, I have never heard of Google Health! Thanks for this post, I will look deep into this.

  2. Jim on 27 May 2008 at 7:51 am

    There are a couple of vectors here that I want to approach…

    1) Anyone who feels that by putting their medical information in Google’s hand is doing the right thing to help their doctors and medical professionals needs to have some additional medical help.

    2) Google saying that they are outside of HIPAA and don’t have to be judged by those standards is wrong. The underlying guidance of HIPAA (and PCI for that matter) is the protection of data (medical and/or financial) and as such that data should be handled in accordance with whatever guidelines are in place to protect it… and while I am sure that Google has every intention to ensure that this data is not misappropriated… they are after all a commercial enterprise with the end goal of making money for their shareholders and financiers and will continue to do that as much as they can.

    Just a couple of initial thoughts…

  3. Dr Bonis on 27 May 2008 at 2:18 pm

    Hi everyone,

    I am a family physician. As a doctor and biomedical informatics expert I am really concerned about the new privacy threats that Personal Health Records will put into the arena.

    There’s no doubt (from my point of view as an Emergency Room doctor) that having access to your main diseases, treatments and some well selected medical information (but not ALL your medical information) can be useful for your healthcare.

    But are the privacy risks higher than the potential benefits?

    I like the quote of Eric S. Raymond when he says: “Often, the most striking and innovative solutions come from realizing that your concept of the problem was wrong.”

    As a lover of hacking culture I try to apply this principle in my own area of knowledge (medicine and medical informatics).

    So I realized that the security of a system depends on two factors: the effort needed to breach the system and the potential value of the information inside the system.

    You can increase the “security” of your system by making it harder to breach or by decreasing the value of the information inside.

    So I decided to build the first TOTALLY ANONYMOUS Personal Health Record system. No email, no name, no identity needed to access the service.

    Its name is keyose and can be found in:

    Please take a look at it. Any comments will be of great value.

    Dr Julio Bonis
