Google’s New Privacy Policy May Violate HIPAA, Congresswoman Says

Several members of Congress continued to express reservations about Google’s new privacy policy after a closed-door meeting on Thursday, with one House member saying that Google’s handling of sensitive medical searches may violate HIPAA, the Health Insurance Portability and Accountability Act.

Members of the House Energy and Commerce committee grilled Pablo Chavez, Google’s director of public policy, and Google attorney Michael Yang for about two hours. After the meeting, several of the Representatives expressed their unhappiness with Google’s answers on a variety of privacy issues — questions brought on by Google’s recent announcement that it will combine all of its privacy policies into one, which will allow the company to share user information across its services.

That last point, according to Representative Mary Bono Mack, may leave Google in violation of HIPAA, a law that protects how personal health information may be shared. Bono Mack explained her concerns to USA Today:

“…say you do a Google search for cervical cancer and you forget to sign out. Are you being tracked across all of the other products, and if so, that’s a violation of HIPAA. We’ve gone to great lengths in our society to protect people’s medical information. That question was raised.”

Bono Mack is suggesting that Google might be violating HIPAA if it remembers the “cervical cancer” search after the user moves on from search to another Google product, like Gmail or YouTube (or any other).

But is Google actually compelled to follow the HIPAA requirements? According to the Health & Human Services website, the law applies to groups that meet the definition of a “covered entity” — health care providers (like doctors and nurses), health plans (like insurance companies and HMOs) and health care clearinghouses.

Google is certainly not a health care provider or a health plan, but is it a clearinghouse? My non-expert reading of the definition suggests the answer is “no.”

Google has been involved in health information via its Google Health product, but that just shut down on January 1st. Even when it was active, Google said it wasn’t bound by HIPAA. Here’s the opening sentence of the old/current Google Health privacy policy:

Unlike a doctor or health plan, Google Health is not regulated by the Health Insurance Portability and Accountability Act (HIPAA), a federal law that establishes data confidentiality standards for patient health information.

Furthermore, Google’s new privacy policy, which takes effect on March 1st, includes language that seems to say ads won’t be personalized based on health-related activity:

When showing you tailored ads, we will not associate a cookie or anonymous identifier with sensitive categories, such as those based on race, religion, sexual orientation or health.

Bono Mack tells USA Today that there will be more Congressional hearings about online privacy and that she “pressed” Google to be there. But, based on my non-expert reading of the law, the HIPAA angle may not get very far in those hearings.

We’ve been covering the non-search elements of Google’s new privacy policy on our sister site, Marketing Land. See below for several related articles offering background and other angles.


About The Author: Matt McGee is Editor-In-Chief of Search Engine Land. His news career includes time spent in TV, radio, and print journalism. His web career continues to include a small number of SEO and social media consulting clients, as well as regular speaking engagements at marketing events around the U.S. He recently launched a site dedicated to Google Glass called Glass Almanac and also blogs at Small Business Search Marketing. Matt can be found on Twitter at @MattMcGee and/or on Google Plus. You can read Matt's disclosures on his personal blog.

  • steveplunkett

    Funny how people shout “the sky is falling” and then they realize it’s just a parachute with clouds painted on it.

    HIPAA is for medical records and patient records confidentiality.

    Things like NOT having your social security number as a patient identifier, etc..

    When was the last time you gave your SSN in a google search.

    How does Google know i have “Cervical Cancer” in the example above? Maybe i’m a med student doing research, maybe my girlfriend’s aunt twice removed has it and she asked me a question about it….

    So how can we associate any medical search query with the health condition of the user?

    answer: We can’t.


  • Matt McGee

    Excellent point, Steve – thanks.

  • Ed Hemphill

    Look – more Congress-persons talking about Internet related stuff they don’t know about. HIPAA has nothing to do with ISPs, search engines, or any of the above. NOR does HIPAA state ANYTHING about how information should be stored or handled on a technical level in terms of IT. It has nothing to do with Google.

    Go read the law Congress wrote, Congressman.

  • aprilsage

    Granted that the language of the HITECH citations doesn’t have a neat category that fits Google.

    But the purpose is to safeguard a patient’s health information. Google may not be a Covered Entity, or be an official Business Associate that is contracted by a Covered Entity, but there is no doubt that Google stores personal health information that CAN be tied to an individual. Users have used Google to email medical records, descriptions of medical issues about themselves or their family or friends to other people in a manner that would allow the direct connection between that data and the patient.

    Since no one is privileged to understand the full scope of connectivity between Google’s services, it’s pretty tough to judge exactly how far you could track medical information and tie it to an individual.

    While Google is trying to avoid legal culpability, they cannot deny that they house PHI. IMO, it’s irresponsible to try to duck the protection of that data.

    For example, let’s say that Google suffers a security breach or gets a federal request to turn over data that includes medical information about patients. Do they have any obligation to report that to HHS so that the individuals whose medical information was exposed can be made aware?

    Would Google have cancelled Google Health if they weren’t worried about HIPAA responsibility? Probably not. A lot of people used it. Does anyone think that Google has personally identifiable health information still stored in Google Gmail, Docs, Picasa, or other places? Of course it does. Should they be responsible with that data and be held to the same standards as other people who touch and store PHI? Of course they should. Should they be able to connect health related information with an individual across services? Not a great idea.

  • John Proffitt

    HIPAA is a law that governs health care providers (Covered Entities) and businesses related to the delivery of health care (Business Associates). Google is not a health care provider or a related business. Therefore the law does not apply to them. It really is that simple.

    It would be nice if Google cared about our privacy as users and citizens, especially when it comes to health information. But their business model is diametrically opposed to protecting our privacy. We all use Google’s services at our own risk.

    If Congress wants to write a law that would bar Google or similar businesses from sharing or revealing health information, it is welcome to do so.

  • Nathaniel Bailey

    “Google in violation of HIPAA, a law that protects how personal health information may be shared”

    So how is someone searching for “cervical cancer” giving any personal medical details? It’s not like people are getting personal health advice from searching on Google, and if that is the case, should all health related websites not fall under this HIPAA as well?

    Yet another company trying to have a dig at google just to get more well known IMHO!
