Much worry, fear, and writing have already come out about Google’s new catch-all privacy policy. I for one am not surprised that they have finally created one privacy policy for their entire suite of services. Honestly, I had already assumed that Google was sharing information about me across its platforms. The one idea that really stood out to me in Google’s new privacy policy is that items in your Gmail and Google Voice would no longer be technically private. Working in a clinical research setting at a university-based School of Medicine with clients who are assured confidentiality, I am worried. Isn’t Google violating HIPAA in some cases by sharing this information that we believe to be private?
Google and HIPAA
I am not the first to write about Google’s new privacy policy in relation to HIPAA (the Health Insurance Portability and Accountability Act). The most important piece in understanding Google’s policy with regard to HIPAA is that Google says it is not bound by HIPAA.
“Unlike a doctor or health plan, Google Health is not regulated by the Health Insurance Portability and Accountability Act (HIPAA), a federal law that establishes data confidentiality standards for patient health information.” (via Google)
This is unfortunately true. If you visit the Health and Human Services (HHS) website, those bound by HIPAA are health care providers, health plans, and health care clearinghouses (plus the business associates that handle protected health information on their behalf under a signed agreement). Google, offering free consumer services directly to users, is none of these entities, so it gets by. It is hard to see any court of law holding Google accountable in a HIPAA-related case. Google is a private company that offers free services to users, and by using those services you don’t necessarily have the right to control what happens to your data.
“if you’re not paying for something, you’re not the customer; you’re the product being sold” (via lifehacker.com)
Implications for Individuals
Many, including Congress, have come out against Google’s new privacy policy and especially as it relates to HIPAA and health information. Representative Mary Bono Mack worries that Google could track sensitive health information.
“[…] say you do a Google search for cervical cancer and you forget to sign out. Are you being tracked across all of the other products, and if so, that’s a violation of HIPAA. We’ve gone to great lengths in our society to protect people’s medical information. That question was raised.”
Google’s response is that those individuals can use Google services, like Google Search, without logging in to their account. However, if you are also a Gmail user and you email with your doctor’s office, then Google has that information linked directly to your personal data. Does Google violate HIPAA in that case? No, because Google is not a covered entity, and its answer amounts to (to paraphrase), ‘if you don’t want us to track you, then don’t log in.’
For individuals, the solution is to diversify online services or stop using Google. If you don’t want your information tracked and collected by one entity start using a different email service, use Word instead of Google Docs, and if you don’t want information linked to your specific Google account, don’t login and search for everything you want to know about. That isn’t to say that other companies don’t also track and collect our data, but at least it won’t all be in one place. The hard part is that Google is good at what it does and for many, myself included, it will be hard to let go of the ease of Google services.
Implications for Health Practitioners
For practitioners the story is more convoluted. I work for a clinical research grant where clients are assured of the confidentiality of their information, yet I am a Google user; a dedicated citizen of the Google Nation. I love their services and the ease of connecting the information that I want to use. As a result I use Gmail to communicate on sensitive client matters with my supervisors, and I use Google Voice to talk and text with the clients. Under the new Google privacy policy, all of this information is fair game for Google to index and share across its platforms.
Based on the correspondence between Google and Congress as well as their stated policy that they aren’t bound by HIPAA, the responsibility falls on the shoulders of the health practitioners. In our clinical research program every client gets a number to ensure the confidentiality of their data. I use client numbers with everything that I do on Gmail and Google Voice, but sometimes background information about clients is sent to my Gmail that could reveal their identities.
Recently the School of Medicine where I am working hosted a workshop for researchers on benefiting from Google tools, such as Google Docs. I emailed the individual in charge of the workshop to ask how Google’s new privacy policy might affect the way researchers use Google services. She seemed less concerned than I was and said she understood it as a “take it or leave it” policy. If you are a researcher dealing with private health information and bound by HIPAA, there are serious implications for using Google tools in your research project. Google may state that it is dedicated to privacy between sender and recipient, but that doesn’t mean your data isn’t fair game for Google to catalog and use for its own purposes.
The solution for practitioners is simple: don’t share confidential client information within Google services, or don’t use Google services at all, because you have no way of ensuring confidentiality there.
Even more of a reason why Covered Entities and Business Associates should be focusing on the true merits of HIPAA compliance, and that’s putting in place documented HIPAA information security and operational policies, procedures, and processes. I’ve worked with so many healthcare providers that lack the basic and fundamental documentation for HIPAA compliance, therefore it’s easy to see why non-compliance issues are still a major factor with HIPAA. I also hear healthcare companies express cost concerns about developing such documents, along with implementing risk assessment and security training initiatives, but with all the free and cost-effective tools available (some of them straight from hhs.gov!), there’s really no excuse for not being HIPAA compliant. Everyone needs to be ensuring the safety and security of PHI, it’s really that simple.