Google Wants Your Medical Records

from the well-of-course-they-do dept

While it's been rumored for years, Google is finally revealing a little bit about its Google Health plans, as it's opening up the service to a few thousand patients of the Cleveland Clinic. Those patients will be turning over their medical records to Google, which, of course, is raising security and privacy concerns. It probably doesn't help that the news of this is breaking at about the same time as reports that Google accidentally exposed Gmail accounts in Kuwait. Exposing emails is bad enough, but your health records? Obviously, one hopes that Google is doing everything possible to protect the info, but as the AP report points out, Google is not covered by HIPAA (the Health Insurance Portability and Accountability Act), meaning that even under the best intentions of Google, handing your records over to the company could make it easier for the government or legal adversaries to get at those records, since they've left the bounds of protected communication between a doctor and patient.

Despite all of that, there is something to be said for granting individuals more power to manage their own medical records. Assuming Google could make those records more searchable, more understandable and more useful by putting additional services around them, you could see how that could be valuable. On top of that, one of the benefits of such a service could be to allow medical providers easy access to specific, relevant portions of your medical history. However, Google isn't the only player trying to build such a system (with Microsoft having already announced something similar), and as we discussed about a year ago, perhaps a better solution than a centralized system (which is prone to attack) is to allow individuals to store and manage their own records. While some people may feel comfortable trusting Google to store the records, it seems likely that plenty of others would rather control the data themselves, while still being interested in making use of the value-added features one imagines Google will be providing.


Reader Comments

  1.  
    Anonymous Coward, Feb 21st, 2008 @ 2:58am

    Better or worse

    Is Google better or worse than the government agencies that lose social security numbers? Is Google better or worse than the credit reporting agencies that lose (or sell) your information?

    I'm not sure what Google's track record is concerning security and privacy. Other corporations have already had spectacular failures in those areas.

    It's difficult to see how Google could do worse. It's easy to see how Google could do much better.

  2.  
    Kevin, Feb 21st, 2008 @ 3:44am

    HIPAA

    I'm not sure how they think that Google isn't still governed by HIPAA. The article claims that "third parties" aren't subject to HIPAA, but that's not exactly true. Any time that a hospital or doctor's office contracts out a part of their service to a third party there has to be a partnership agreement in place and the third party is also bound by HIPAA regulations. Their only source for the "third parties aren't governed by HIPAA" statement happens to be running the show at the organization who is opposed to the effort. So they might want to take that with a grain of salt and get some third-party verification of that claim.

  3.  
    Mike F, Feb 21st, 2008 @ 4:21am

    Targeted Ads

    If targeted ads appear alongside my medical records, what do I do if they are for funeral services!

  4.  
    Haywood, Feb 21st, 2008 @ 5:02am

    Why not just put them on a Thumb Drive?

    You could carry them with you, and if they got lost at least you would know when and why.

  5.  
    Iron Chef, Feb 21st, 2008 @ 5:42am

    I don't know what all this hoopla is about. There have been several major studies published about consolidation of health care information into one central repository. Point is, it's nothing new.

    But overall, I think legacy AT&T was one of the first companies to consider pursuing it.

  6.  
    Kappen, Feb 21st, 2008 @ 6:15am

    Email leak

    I'm curious how someone using an ISP that caches content that flows through it is Google's fault? Seems like it's either the norm in that country or a crappy ISP. Remember HTTPS://gmail.com does work too.

  7.  
    Anonymous Coward, Feb 21st, 2008 @ 6:30am

    Google would not be considered a covered entity, thus not covered by HIPAA.

    If the article is correct, the patients give their medical records to Google. If the clinics were to give Google the records, that would be a different story; either the clinic would be in violation of HIPAA or they would have to ensure that Google was HIPAA compliant. If you give your medical records up, that is your choice, but you can't expect protection from HIPAA.

  8.  
    AVERMAN, Feb 21st, 2008 @ 6:38am

    Global System

    Wake up people, smell the coffee.... This is just another step for BIG Brother towards THE ONE WORLD SYSTEM.
    AV

  9.  
    Aaron, Feb 21st, 2008 @ 7:01am

    Re: HIPAA

    I worked for a prescription insurance management company a few years back, and HIPAA was a major, major factor in every move the company made, and there were definitely no doctors around. It's obvious that Google would be covered by HIPAA, if not automatically by law, then by their lawyers signing on in order to make the service viable. Who's going to hand over their records to a company that makes no promise of security?

  10.  
    Dan, Feb 21st, 2008 @ 7:05am

    Google is the only one of the major sites that did not turn their search information over to the Government when requested because they cared about the consumer's confidentiality.

    Anybody who does not trust Google, does not know Google. They are the opposite of Microsoft!

  11.  
    Tom Milewski, Feb 21st, 2008 @ 7:06am

    Not Google's Fault

    "It probably doesn't help that the news of this is breaking at about the same time as reports that Google accidentally exposed Gmail accounts in Kuwait."

    -- It's not Google's fault... The ISP was caching the content.

  12.  
    Anonymous Coward, Feb 21st, 2008 @ 7:06am

    Aaron, of course a prescription insurance management company was covered by HIPAA, you paid for prescriptions, you had access to medical information from doctors and hospitals.

    Google doesn't access the medical information through those same channels, the patients give them the information. If someone walks up to you and hands you their medical records, would that make you a covered entity? Of course not.

  13.  
    Steve Jones, Feb 21st, 2008 @ 7:24am

    Who other than people with some STD or doctors give a shit about medical records? Most people could care less if someone finds out they broke their arm in the 3rd grade, had crabs in college, have high blood pressure, etc. They don't want insurance companies to know if they are getting new insurance, and maybe banks if they are trying to get a home loan, but guess what, both of those groups get the information.

    It was doctors that used the AIDS scare as a scare tactic to get HIPAA pushed through, oh, go protest, they are going to discriminate against people with AIDS, so go out and call them all sexists, and embarrass them into passing this very, very bad law, that not only doubled the cost of medical treatment in the US, but exposes the public to bad doctors/medicines for a much longer time before they are discovered. Doctors and hospitals didn't like that lawyers were mining databases of medical records finding patterns that allowed them to easily detect bad doctors and bad hospitals.

  14.  
    fubar, Feb 21st, 2008 @ 7:39am

    electronic medical records

    If you're anxious about your electronic medical records being secured appropriately, I have terrible news for you. As a physician, I am far more confident that the controls over my electronic data are robust than those over all my paper records. Put on a suit and a bow-tie, grab a stethoscope and walk into any busy ward in your local hospital and start reading patients' charts. If anyone asks who you are or what you're doing, let me know. I'd be impressed.

  15.  
    Anonymous Coward, Feb 21st, 2008 @ 7:40am

    In the past, just how did lawyers mine databases of medical records? There were no databases because medical records were not electronic?

    HIPAA was in response to electronic medical records, just like Part 11 was in response to electronic signatures.

  16.  
    Anonymous Coward, Feb 21st, 2008 @ 8:02am

    Fubar, sure, you could walk in and read patients' charts, but it would be hard for a hacker in Serbia to read every chart that way. With electronic records, not so much.

  17.  
    Anonymous Coward, Feb 21st, 2008 @ 8:07am

    Manage their own?

    You really want all those people whose machines are "owned" to manage their own medical data?

    Use a professional. Is that Google? Remains to be seen. Could be, they have an excellent privacy track record so far.

  18.  
    bobbknight, Feb 21st, 2008 @ 8:11am

    I Fix Medical Equipment

    I am a private third party provider of medical equipment repair, and as such I have had to sign HIPAA agreements with the providers of medical services who I serve.
    I was also required to give my policy and procedures to one client as part of my contracting, which also included a policy on HIPAA compliance.

  19.  
    Tom Scrace, Feb 21st, 2008 @ 8:49am

    Privacy Concerns Unwarranted

    If this were a mandatory government project to centralise all your personal information in one database then the outcry would be fully justified. In this case, though, it is a private company providing an entirely voluntary service. It is when non-submission to a database becomes a crime against the state, and not just a company, that we should object.

  20.  
    CPT Moose, Feb 21st, 2008 @ 9:31am

    Ever try to get your Records fixed

    Ever tried to get your credit record fixed? Now what if your MEDICAL record at GOOGLE incorrectly reports you as DEAD - how do you get that fixed? What if you (as a guy) have an abortion - due to a records foul up on Google's record keeping system? You ever try to get someone at Google to FIX any record? Have fun trying - and with your medical record mixed up with someone else next - duhhhh...it was a typo...

  21.  
    Michael Evans, Feb 22nd, 2008 @ 4:25am

    PGP/GPG Sign the data, use CD/DVD/Thumbdrive...

    Allowing the patient to keep their own records instantly made me think of every portable way of storing data.

    I think that would be a great idea, as if you're traveling and need access to your medical data it's all right there.

    Unfortunately, it's all right there.


    The solution is to use cryptographic tools that are completely open and free. Any GPG is a free (open source) version of the OpenPGP standard. Doctors could sign the portions of the records they create, and the whole thing could be signed encoded to unlock only with the patient's private key.

    Now, keeping the private key secure would be an issue, however if this is occurring within an expanded environment, then the data could be encoded using a symmetric key, which is then itself encoded to only be unlocked with the private key. The tool could then provide or remove that one file, thus authorizing access or not.


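The scheme from comment 21 (the doctor signs, and the record is encrypted so that only the patient's private key unlocks it), sketched with GnuPG as an added example; it is not part of the original post or any comment. The e-mail addresses, the record text and the single throwaway keyring holding both parties' keys are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: keys, names and record text are constructed; keyring is throwaway.
set -eu
WORK=$(mktemp -d)
export GNUPGHOME="$WORK/keyring"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Non-interactive gpg with unprotected demo keys (real keys need a passphrase).
g() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

DOCTOR='doctor@example.invalid'
PATIENT='patient@example.invalid'
g --quick-generate-key "Dr Example <$DOCTOR>" default default never
g --quick-generate-key "Pat Example <$PATIENT>" default default never
DOCTOR_FPR=$(g --with-colons --list-keys "$DOCTOR" | awk -F: '$1=="fpr"{print $10; exit}')

# The doctor signs the section they wrote and encrypts it to the patient.
# OpenPGP encrypts the body under a random symmetric session key and wraps
# that key with the patient's public key, as the comment describes.
seal_section() {  # seal_section <plaintext> <sealed-out>
  g --local-user "$DOCTOR" --recipient "$PATIENT" --sign --encrypt -o "$2" "$1"
}

# The patient decrypts; this succeeds only if the signature verifies against
# the doctor's key fingerprint, not merely a matching display name.
open_section() {  # open_section <sealed-in> <plaintext-out>
  g --status-fd 1 --decrypt -o "$2" "$1" 2>/dev/null \
    | grep "^\[GNUPG:\] VALIDSIG $DOCTOR_FPR " >/dev/null
}

printf 'Visit 2008-02-21: constructed sample note\n' > "$WORK/section.txt"
seal_section "$WORK/section.txt" "$WORK/section.gpg"
open_section "$WORK/section.gpg" "$WORK/section.out" && echo "signature and decryption OK"

# A truncated (damaged) file must not be accepted.
head -c 100 "$WORK/section.gpg" > "$WORK/damaged.gpg"
open_section "$WORK/damaged.gpg" "$WORK/damaged.out" || echo "damaged file rejected"
```

In real use the doctor and the patient each hold only their own secret key and exchange public keys; the shared keyring here only keeps the demonstration short.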
  22.  
    Dr Julio Bonis, Feb 22nd, 2008 @ 6:52pm

    Another alternative

    People are really sensitive to the confidentiality of their medical data. It is critical information.

    The danger with Google Health and HealthVault is that somebody in the future cracks their security systems.

    Also the fact about a private company getting data about your health must concern us.

    There is an alternative, http://www.keyose.com/, designed by the doctor who described the first case of Wiiitis; its philosophy is based on totally anonymous users. A smart mechanism allows the storage of clinical records without asking you for any personal data (not even your email).

    Confidentiality is in such a way assured.

  23.  
    Benjamin Wright, Feb 25th, 2008 @ 6:02am

    Health Privacy Agreement

    Maybe patients can use contract law to enhance the privacy of their health records. http://hack-igations.blogspot.com/2008/02/contracts-for-patient-privacy.html

  24.  
    avery, Nov 17th, 2008 @ 1:59pm

    i love you

    i love you tina!!!!!!!!!!!!1♥

  25.  
    yasmin, Nov 17th, 2008 @ 2:02pm

    yummy exotic food

    yummy pee and poop

  26.  
    aavery, Nov 17th, 2008 @ 2:05pm

    poop

    I eat poop for breakfast every day

  27.  
    aavery, Nov 17th, 2008 @ 2:05pm

    poop

    I eat poop for breakfast every day

  28.  
    Ivy, Nov 17th, 2008 @ 2:05pm

    poop

    I eat poop for breakfast every day

  29.  
    UK 4th Reich marching to stamp on it's citizen's r, Feb 13th, 2014 @ 5:20pm

    Re: Re: HIPAA
