Google and HIPAA
“Unlike a doctor or health plan, Google Health is not regulated by the Health Insurance Portability and Accountability Act (HIPAA), a federal law that establishes data confidentiality standards for patient health information.” (via Google)
This is unfortunately true. According to the Health and Human Services (HHS) website, the entities bound by HIPAA are health care providers, health plans, and health care clearinghouses. Google is none of these, so it is not covered. There is no way that any court of law would hold Google accountable in a HIPAA related case. Google is a private company that offers free services to users, and by using those services you don’t necessarily get any right to control what happens to the data you put into them.
“if you’re not paying for something, you’re not the customer; you’re the product being sold” (via lifehacker.com)
Implications for Individuals
“[…] say you do a Google search for cervical cancer and you forget to sign out. Are you being tracked across all of the other products, and if so, that’s a violation of HIPAA. We’ve gone to great lengths in our society to protect people’s medical information. That question was raised.”
Google’s response is that individuals can use Google services, like Google Search, without logging in to their account. However, if you are also a Gmail user and you email with your doctor’s office, then Google has that information linked much more directly to your personal data. Does Google violate HIPAA in that case? No, because their position is (to paraphrase), ‘if you don’t want us to track you, then don’t log in.’
For individuals, the solution is to diversify online services or stop using Google. If you don’t want your information tracked and collected by one entity, start using a different email service and use Word instead of Google Docs; if you don’t want searches linked to your specific Google account, don’t log in before you search. That isn’t to say that other companies don’t also track and collect our data, but at least it won’t all be in one place. The hard part is that Google is good at what it does, and for many, myself included, it will be hard to let go of the ease of Google services.
Implications for Health Practitioners
Based on the correspondence between Google and Congress, as well as Google’s stated position that it isn’t bound by HIPAA, the responsibility falls on the shoulders of the health practitioners. In our clinical research program every client gets a number to ensure the confidentiality of their data. I use client numbers in everything that I do on Gmail and Google Voice, but sometimes background information about clients is sent to my Gmail that could reveal their identities.
The solution for practitioners is: don’t use Google services for client information, or share confidential information within Google services, because you have no way of ensuring its confidentiality.
Even more of a reason why Covered Entities and Business Associates should be focusing on the true merits of HIPAA compliance, and that’s putting in place documented HIPAA information security and operational policies, procedures, and processes. I’ve worked with so many healthcare providers that lack the basic and fundamental documentation for HIPAA compliance; therefore it’s easy to see why non-compliance issues are still a major factor with HIPAA. I also hear healthcare companies express cost concerns about developing such documents, along with implementing risk assessment and security training initiatives, but with all the free and cost-effective tools available (some of them straight from hhs.gov!), there’s really no excuse for not being HIPAA compliant. Everyone needs to be ensuring the safety and security of PHI; it’s really that simple.