February 21, 2008 | By Hugh D'Andrade

Google Gets Healthy

In its endless quest to wring value from users’ personal data, Google is branching out into health records. The Internet search giant has just announced a pilot project that would allow users to combine all their personal health records (PHRs) -- information about prescriptions, allergies, injuries, health history etc -- into a single new service that would be as accessible as a Gmail account.

The convenience factor is clear -- the new service would make it easier for people who may have multiple health providers to make sure their doctors all have the same information. And for people who seek medical attention while traveling, the ability to bypass their HMO's byzantine bureaucracy in order to have a prescription filled might be welcome.

Google isn't the only business interested in helping people manage their health records. Microsoft launched HealthVault last year, and WebMD and Revolution Health are also competing in this area. These services are all part of a trend towards storing PHRs online, where they can be served up to the consumer, or to the consumer's health care professionals, instantly.

But how sure can you be that your PHRs remain private and secure once Google or some other company has them in its vast and constantly growing database? Who has access to that data, and what laws exist to protect it?

It isn't that there aren't privacy standards that seek to protect your health information. The Health Insurance Portability and Accountability Act (HIPAA) provides minimum privacy standards for records kept by health care providers and insurance companies -- standards that privacy advocates say don't go far enough. But as the World Privacy Forum http://www.worldprivacyforum.org/personal_health_records.html">recently pointed out, HIPAA’s limited protections won't necessarily cover records that are handed over to a third party such as Google:

HIPAA’s protections generally do not “travel” with or follow a medical record that is disclosed to a third party outside the health care treatment and payment system. If a health care provider (such as a hospital or a pharmacy, etc.) or a health plan maintains a health care record, the record is protected under HIPAA. But if a third party that is not a covered entity under HIPAA obtains the records, then HIPAA does not usually apply.

As the AP article on Google's new program puts it:

That means a patient who agrees to transfer medical records to an external health service run by Google or Microsoft could be unwittingly making it easier for the government or some other legal adversary to obtain the information...

If the medical records aren't protected by HIPAA, the information conceivably also could be used for marketing purposes.

At the moment, Google is testing its new program in a clinic in Cleveland. When they finally unveil the finished product to the public, we’ll be watching to see what their terms of service and privacy policy say. If the consumer wants to opt out, can they? Aside from questions of how and when Google shares the data, what else are they doing with it? And what sort of privacy and security architecture are they using? Then we'll know if their stated commitment to privacy extends to their customer's private medical records.


Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

We're in Las Vegas for some of the world's most renowned computer security events. Check out what we're doing: eff.org/LasVegas2015

Aug 3 @ 9:11pm

MPAA seeks website blocking with one court order to bind every Internet company. https://eff.org/r.unil #SOPApower

Aug 3 @ 3:43pm

BREAKING: Sen. McConnell just filed cloture on CISA. That means he wants to move it this week. Take action now https://stopcyberspying.com

Aug 3 @ 3:13pm
JavaScript license information