Monday, May 19, 2008

Google Health, privacy, and HIPAA



Ever since we announced in late February that we were launching a pilot program with the Cleveland Clinic and building Google Health -- a new service for users to store and organize their health information online -- we've received questions and followed discussions in the media and blogosphere about how the service might work, how it will benefit users, and how it will protect their privacy.

Our product counsel team works with our product and engineering teams to think about and work through the privacy implications of new products under development -- from inception to launch. I started working with the health team at Google several years ago. Early on, we launched the Google Health Advisory Council, made up of health industry veterans, in part to solicit feedback from privacy experts and advocates about Google Health's features and privacy practices.

Now that we've officially launched Google Health, we’d like to describe in more detail the privacy protections we’ve designed and address some of the most common questions surrounding health privacy.

At its foundation, Google Health is about putting people in control of their health information. This is both its greatest benefit to users and its strongest privacy protection. Google Health puts users in complete control over who views their health information and who can add information to their profile.

We do not sell user health information, and our Google Health privacy policy tells people in a simple, straightforward way what information we collect, how we use it, and the steps we take to keep it safe. We also have strict data security policies and measures in place to limit access to sensitive information and to protect against data breaches.

Some have asked how Google Health relates and compares to the privacy protections for patients under the Health Insurance Portability and Accountability Act (HIPAA), a federal law that establishes privacy standards for patient health information. Unlike a doctor or health plan, Google Health is not regulated by HIPAA because Google does not provide health care services.

Instead, Google Health acts on behalf of users to store their medical records. Our privacy policy governs what information the product collects and how we use it, and any violation of that policy can be enforced by the Federal Trade Commission, which takes action against companies that engage in unfair and deceptive trade practices -- including violations of their privacy policies.

Additionally, some third party services integrated with Google Health are covered by HIPAA, and those that aren't must comply with Google Health's Developer Policies, which establish strict privacy standards for how they collect, use, or share user information.

This chart describes how Google Health's privacy practices compare to those contained in HIPAA.

We believe that Google Health will bring tremendous value to our users. We also understand the responsibility that comes with storing sensitive health information and are confident that putting control squarely in the hands of users is the best way to build a service where people can store, organize, and manage their medical records online -- and keep them private and secure.

13 comments:

Dan said...

One thing I have not seen yet is the actual measures being used to protect this information. I'm not worried about my neighbor getting my health data; I'm worried about a Google employee getting my data.

There has been a lot of talk about privacy laws (which, like all laws, do not prevent anything -- they only allow for retribution years after the fact). I want to know about what kind of encryption is being used, can I select my own seed (a la GPG), what is stored where, etc.

I think Google Health is a great idea as a computer guy and a health-care professional -- but I need a lot more than a promise to convince me to upload that kind of data.

Marc said...

I still think that Google Healthcare is going to have to sign a business associate agreement with certain partners and raise the expectation that it will protect data between interested parties who are not patients to HIPAA rules. The use of data where the patient is not directly involved will happen in a chain of information is going to happen in a PHR.

Palin Ningthoujam said...

Talk about privacy and data safety and this is what I found.

Hit Pause On The Evil Button: Google Assists In Arrest Of Indian Man

http://snipurl.com/29q8k

Hunscher said...

Like dan, I think this is a great idea, and just posted in my own blog to that effect. However, I also agree with him that the real risk is inside Google.

Unfortunately, though, this risk is endemic to health care institutions. UCLA recently fired employees for looking at Hollywood celebrities' health records, and it wasn't the first time this happened. Malfeasance happens. So does misfeasance, as when health system employees lose a laptop containing HIPAA PHI, like the VA incident in which millions of veterans' records were compromised.

If we want to worry about privacy invasion of our online data, I'd be more worried about credit card transactions. A perpetrator with access to your cc info, including your ZIP and the little number on the back, could do a lot of damage in a very short period of time.

Mehmet Munur said...

It appears that the American Health Information Community formed under the U.S. Department of Health and Human Services is in the process of making recommendations for regulating electronic health information exchange networks such as Google Health and Microsoft HealthVault.

Transcripts:
http://www.hhs.gov/healthit/ahic/materials/transcript/ce_012908.html

http://www.hhs.gov/healthit/ahic/materials/transcript/cps_041708.html

d said...

It is not clear to me how Google Health is going to offer me this portable service if I am working in Europe, please expand?

Moreover, it is not clear how Google Health is going to deal with complex litigation issues, any thoughts?

Terra said...

One thing I have not seen yet is the actual measures being used to protect this information. I'm not worried about my neighbor getting my health data; I'm worried about a Google employee getting my data.
Plenty of employees already have access to your data in various ways.

Probably the worst thing that can happen is if the data moves out of the country.

networkvillage said...

Maybe not the best forum for this question – but will Google App Engine provide any protection for businesses governed by the HIPAA act – specifically, can I use GAE and still be HIPAA compliant? Figured I’d take a shot in the dark.

alex said...

Medical Records Going Green.
Alex Papas, the creator and the developer of the prepaid phone cards in the United States, has just created a new medical breakthrough called The MedeFileCard. MedeFile's centralized, confidential electronic portfolio gives you 24/7 access to your medical history. No more wasting time and filling out paperwork when you go to the doctor or the hospital. Your Medical records going Green. Alex Papas is donating $1 billion dollars in the medefilecard to companies, foundations, charities and churches to give to their customers, employees and their families. If you would like to donate the medefilecard to your company, charity or foundation contact Alex Papas at 954 729 8888

Mark said...

Quoted: "At its foundation, Google Health is about putting people in control of their health information. This is both its greatest benefit to users and its strongest privacy protection. Google Health puts users in complete control over who views their health information and who can add information to their profile."

What do you mean by this paragraph exactly?





reef said...

Please help my friend.. a lot of people are trying to ruin her personal privacy using your site. We want to request to at least block the site or better yet formulate a way on how to protect a person's life using your site...... a lot of people take this as an opportunity for them to ruin one's life and it's not good for someone who is trying to move on but can't .... please help.
