Implications for HIPAA & Health Practitioners under the new Google Privacy Policy

Much worry, fear, and writing has already come out about Google’s new catch-all privacy policy. I for one am not surprised that they have finally created one privacy policy for their entire suite of services. Honestly, I had already assumed that Google was sharing information across its platforms about me. The one idea that really stood out to me in Google’s new privacy policy is that items in your Gmail and Google Voice would no longer be technically private. Working in a clinical research setting at a university-based School of Medicine with clients who are ensured confidentiality, I am worried. Isn’t Google violating HIPAA in some cases by sharing this information that we believe to be private?

Google and HIPAA

I am not the first to write about Google’s new privacy policy in relation to HIPAA (Health Insurance Portability and Accountability Act). The most important piece in understanding Google’s policy in regards to HIPAA is that Google says that it is not bound by HIPAA.

“Unlike a doctor or health plan, Google Health is not regulated by the Health Insurance Portability and Accountability Act (HIPAA), a federal law that establishes data confidentiality standards for patient health information.” (via Google)

This is unfortunately true. If you visit the Health and Human Services (HHS) website those bound by HIPAA are health care providers, health plans, and health care clearing houses. Google is none of these entities, so therefore it gets by. There is no way that any court of law would hold Google accountable in a HIPAA related case. Google is a private company that offers free services to users. By using their services, you don’t necessarily have the rights to control what happens to the services.

“if you’re not paying for something, you’re not the customer; you’re the product being sold” (via

Implications for Individuals

Many, including Congress, have come out against Google’s new privacy policy and especially as it relates to HIPAA and health information. Representative Mary Bono Mack worries that Google could track sensitive health information.

“[…] say you do a Google search for cervical cancer and you forget to sign out. Are you being tracked across all of the other products, and if so, that’s a violation of HIPPA. We’ve gone to great lengths in our society to protect people’s medical information. That question was raised.”

Google’s response is that those individuals can use Google services, like Google Search, without having to log in to their account. However, if you are also a Gmail user and maybe you email with your doctor’s office then Google has that information more directly linked to your personal data. Does Google violate HIPAA in that case? No, because they say (to paraphrase), ‘you don’t want us to track you, then don’t login.’

For individuals, the solution is to diversify online services or stop using Google. If you don’t want your information tracked and collected by one entity start using a different email service, use Word instead of Google Docs, and if you don’t want information linked to your specific Google account, don’t login and search for everything you want to know about. That isn’t to say that other companies don’t also track and collect our data, but at least it won’t all be in one place. The hard part is that Google is good at what it does and for many, myself included, it will be hard to let go of the ease of Google services.

Implications for Health Practitioners

For Practitioners the story is more convoluted. I work for a clinical research grant where clients are ensured of the confidentiality of their information, however I am a Google user; a dedicated citizen of the Google Nation. I love their services and the ease of connecting the information that I want to use. As a result I use Gmail to communication on sensitive client matters with my Supervisors and I use Google Voice to talk and text with the clients. With the new Google privacy policy, all this information fair game for them to index and share across their platforms.

Based on the correspondence between Google and Congress as well as their stated policy that they aren’t bound by HIPAA, the responsibility falls on the shoulders of the health practitioners. In our clinical research program every client gets a number to ensure the confidentiality of their data. I use client numbers with everything that I do on Gmail and Google Voice, but sometimes background information about clients is sent to my Gmail that could reveal their identities.

Recently the School of Medicine where I am working hosted a workshop for researchers to benefit from Google tools, such as Google Docs. I emailed the individual in charge of the workshop to ask how Google’s new privacy policy might affect the way researchers use Google services. The individual seemed to be less concerned than I and said she understood it as a, “take it or leave it” policy. If you are a researcher dealing with private health information and bound by HIPAA, then there are serious implications for using Google tools for your research project. Google may state that it is dedicated to the privacy between sender and recipient, but that doesn’t mean that your data isn’t fair game for Google to catalog and use for their own purposes.

The solution for practitioners is: Don’t use Google services or share confidential information within Google services because you have no way of ensuring confidentiality.