Google and HIPAA
“Unlike a doctor or health plan, Google Health is not regulated by the Health Insurance Portability and Accountability Act (HIPAA), a federal law that establishes data confidentiality standards for patient health information.” (via Google)
This is unfortunately true. According to the Health and Human Services (HHS) website, the entities bound by HIPAA are health care providers, health plans, and health care clearinghouses. Google is none of these, so it is not covered. There is no way that any court of law would hold Google accountable in a HIPAA-related case. Google is a private company that offers free services to users. By using those services, you do not necessarily have any right to control what happens within them.
“if you’re not paying for something, you’re not the customer; you’re the product being sold” (via lifehacker.com)
Implications for Individuals
“[…] say you do a Google search for cervical cancer and you forget to sign out. Are you being tracked across all of the other products, and if so, that’s a violation of HIPAA. We’ve gone to great lengths in our society to protect people’s medical information. That question was raised.”
Google’s response is that those individuals can use Google services, like Google Search, without logging in to their account. However, if you are also a Gmail user and perhaps email with your doctor’s office, then Google has that information linked much more directly to your personal data. Does Google violate HIPAA in that case? No, because their position is (to paraphrase), ‘if you don’t want us to track you, don’t log in.’
For individuals, the solution is to diversify online services or stop using Google. If you don’t want your information tracked and collected by one entity, start using a different email service, use Word instead of Google Docs, and, if you don’t want information linked to your specific Google account, don’t log in before searching for everything you want to know about. That isn’t to say that other companies don’t also track and collect our data, but at least it won’t all be in one place. The hard part is that Google is good at what it does and, for many, myself included, it will be hard to let go of the ease of Google services.
Implications for Health Practitioners
Based on the correspondence between Google and Congress as well as their stated policy that they aren’t bound by HIPAA, the responsibility falls on the shoulders of the health practitioners. In our clinical research program every client gets a number to ensure the confidentiality of their data. I use client numbers with everything that I do on Gmail and Google Voice, but sometimes background information about clients is sent to my Gmail that could reveal their identities.
The solution for practitioners is: Don’t use Google services or share confidential information within Google services because you have no way of ensuring confidentiality.