• http://www.twitter.com/rockfishsearch steveplunkett

    Funny how people shout “the sky is falling” and then they realize it’s just a parachute with clouds painted on it.

    HIPAA is for medical records and patient records confidentiality.

    Things like NOT having your social security number as a patient identifier, etc.

    When was the last time you gave your SSN in a Google search?

    How does Google know I have “Cervical Cancer” in the example above? Maybe I’m a med student doing research, maybe my girlfriend’s aunt twice removed has it and she asked me a question about it….

    So how can we associate any medical search query with the health condition of the user?

    Answer: We can’t.

    =)

  • Matt McGee

    Excellent point, Steve – thanks.

  • Ed Hemphill

    Look – more Congress-persons talking about Internet-related stuff they don’t know about. HIPAA has nothing to do with ISPs, search engines, or any of the above. NOR does HIPAA state ANYTHING about how information should be stored or handled on a technical level in terms of IT. It has nothing to do with Google.

    Go read the law Congress wrote, Congressman.

  • http://www.onlinetech.com aprilsage

    Granted that the language of the HITECH citations doesn’t have a neat category that fits Google.

    But the purpose is to safeguard a patient’s health information. Google may not be a Covered Entity, or be an official Business Associate that is contracted by a Covered Entity, but there is no doubt that Google stores personal health information that CAN be tied to an individual. Users have used Google to email medical records, descriptions of medical issues about themselves or their family or friends to other people in a manner that would allow the direct connection between that data and the patient.

    Since no one is privileged to understand the full scope of connectivity between Google’s services, it’s pretty tough to judge exactly how far you could track medical information and tie it to an individual.

    While Google is trying to avoid legal culpability, they cannot deny that they house PHI. IMO, it’s irresponsible to try to duck the protection of that data.

    For example, let’s say that Google suffers a security breach or gets a federal request to turn over data that includes medical information about patients. Do they have any obligation to report that to HHS so that the individuals whose medical information was exposed can be made aware?

    Would Google have cancelled Google Health if they weren’t worried about HIPAA responsibility? Probably not. A lot of people used it. Does anyone think that Google has personally identifiable health information still stored in Gmail, Docs, Picasa, or other places? Of course it does. Should they be responsible with that data and be held to the same standards as other people who touch and store PHI? Of course they should. Should they be able to connect health related information with an individual across services? Not a great idea.

  • http://about.me/jmproffitt John Proffitt

    HIPAA is a law that governs health care providers (Covered Entities) and businesses related to the delivery of health care (Business Associates). Google is not a health care provider or a related business. Therefore the law does not apply to them. It really is that simple.

    It would be nice if Google cared about our privacy as users and citizens, especially when it comes to health information. But their business model is diametrically opposed to protecting our privacy. We all use Google’s services at our own risk.

    If Congress wants to write a law that would bar Google or similar businesses from sharing or revealing health information, it is welcome to do so.

  • http://www.nathanielbailey.co.uk Nathaniel Bailey

    “Google in violation of HIPAA, a law that protects how personal health information may be shared”

    So how is someone searching for “cervical cancer” giving any personal medical details? It’s not like people are getting personal health advice from searching on Google, and if that is the case, should all health related websites not fall under this HIPAA as well?

    Yet another company trying to have a dig at Google just to get more well known IMHO!