Google Wants Your Medical Records

from the well-of-course-they-do dept

While it’s been rumored for years, Google is finally revealing a little bit about its Google Health plans, as it’s opening up the service to a few thousand patients of the Cleveland Clinic. Those patients will be turning over their medical records to Google which, of course, is raising security and privacy concerns. It probably doesn’t help that the news of this is breaking at about the same time as reports that Google accidentally exposed Gmail accounts in Kuwait. Exposing emails is bad enough, but your health records? Obviously, one hopes that Google is doing everything possible to protect the info, but as the AP report points out, Google is not covered by HIPAA (the Health Insurance Portability and Accountability Act), meaning that even with the best intentions on Google’s part, handing your records over to the company could make it easier for the government or legal adversaries to get at them, since they’ve left the bounds of protected communication between a doctor and patient.

Despite all of that, there is something to be said for granting individuals more power to manage their own medical records. Assuming Google could make those records more searchable, more understandable and more useful by putting additional services around them, you could see how that could be valuable. On top of that, one of the benefits of such a service could be to allow medical providers easy access to specific, relevant portions of your medical history. However, Google isn’t the only player trying to build such a system (with Microsoft having already announced something similar), and as we discussed about a year ago, perhaps a better solution than a centralized system (which is prone to attack) is to allow individuals to store and manage their own records. While some people may feel comfortable trusting Google to store the records, it seems likely that plenty of others would rather control the data themselves, while still being interested in making use of the value-added features one imagines Google will be providing.



Comments on “Google Wants Your Medical Records”

Anonymous Coward says:

Better or worse

Is Google better or worse than the government agencies that lose social security numbers? Is Google better or worse than the credit reporting agencies that lose (or sell) your information?

I’m not sure what Google’s track record is concerning security and privacy. Other corporations have already had spectacular failures in those areas.

It’s difficult to see how Google could do worse. It’s easy to see how Google could do much better.

Kevin says:


I’m not sure how they think that Google isn’t still governed by HIPAA. The article claims that “third parties” aren’t subject to HIPAA, but that’s not exactly true. Any time that a hospital or doctor’s office contracts out a part of their service to a third party there has to be a partnership agreement in place and the third party is also bound by HIPAA regulations. Their only source for the “third parties aren’t governed by HIPAA” statement happens to be running the show at the organization who is opposed to the effort. So they might want to take that with a grain of salt and get some third-party verification of that claim.

Aaron says:


I worked for a prescription insurance management company a few years back, and HIPAA was a major, major factor in every move the company made, and there were definitely no doctors around. It’s obvious that Google would be covered by HIPAA, if not automatically by law, then by their lawyers signing on in order to make the service viable. Who’s going to hand over their records to a company that makes no promise of security?

Anonymous Coward says:

Google would not be considered a covered entity, thus not covered by HIPAA.

If the article is correct, the patients give their medical records to Google. If the clinics were to give Google the records, that would be a different story, either the clinic would be in violation of HIPAA or they would have to ensure that Google was HIPAA compliant. If you give your medical records up, that is your choice, but you can’t expect protection from HIPAA.

Anonymous Coward says:

Aaron, of course a prescription insurance management company was covered by HIPAA, you paid for prescriptions, you had access to medical information from doctors and hospitals.

Google doesn’t access the medical information through those same channels, the patients give them the information. If someone walks up to you and hands you their medical records, would that make you a covered entity? Of course not.

Steve Jones says:

Who other than people with some std or doctors give a shit about medical records? Most people could care less if someone finds out they broke their arm in the 3rd grade, had crabs in college, have high blood pressure, etc. They don’t want insurance companies to know if they are getting new insurance, and maybe banks if they are trying to get a home loan, but guess what both of those groups get the information.

It was doctors that used the AIDS scare as a scare tactic to get HIPAA pushed through, oh, go protest, they are going to discriminate against people with AIDS, so go out and call them all sexists, and embarrass them into passing this very, very bad law, that not only doubled the cost of medical treatment in the US, but exposes the public to bad doctors/medicines for a much longer time before they are discovered. Doctors and hospitals didn’t like that lawyers were mining databases of medical records finding patterns that allowed them to easily detect bad doctors and bad hospitals.

fubar says:

electronic medical records

If you’re anxious about your electronic medical records being secured appropriately, I have terrible news for you. As a physician, I am far more confident that the controls over my electronic data are robust than those over all my paper records. Put on a suit and a bow-tie, grab a stethoscope and walk into any busy ward in your local hospital and start reading patients’ charts. If anyone asks who you are or what you’re doing, let me know. I’d be impressed.

Tom Scrace (user link) says:

Privacy Concerns Unwarranted

If this were a mandatory government project to centralise all your personal information in one database then the outcry would be fully justified. In this case, though, it is a private company providing an entirely voluntary service. It is when non-submission to a database becomes a crime against the state, and not just a company, that we should object.

CPT Moose says:

Ever try to get your Records fixed

Ever tried to get your credit record fixed? Now what if your MEDICAL record at GOOGLE incorrectly reports you as DEAD – how do you get that fixed? What if you (as a guy) have an abortion – due to a records foul up on Google’s record keeping system? You ever try to get someone at Google to FIX any record? Have fun trying – and with your medical record mixed up with someone else next – duhhhh…it was a typo…

Michael Evans (profile) says:

PGP/GPG Sign the data, use CD/DVD/Thumbdrive...

Allowing the patient to keep their own records instantly made me think of every portable way of storing data.

I think that would be a great idea, as if you’re traveling and need access to your medical data it’s all right there.

Unfortunately, it’s all right there.

The solution is to use cryptographic tools that are completely open and free. Any GPG is a free (open source) version of the OpenPGP standard. Doctors could sign the portions of the records they create, and the whole thing could be signed encoded to unlock only with the patient’s private key.

Now, keeping the private key secure would be an issue, however if this is occurring within an expanded environment, then the data could be encoded using a symmetric key, which is then itself encoded to only be unlocked with the private key. The tool could then provide or remove that one file, thus authorizing access or not.
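
The scheme the comment above describes, as an added example that is not part of the original comment and is not GPG's own code: it uses Ruby's OpenSSL bindings with RSA keys in place of OpenPGP. The names `seal`, `open_envelope`, `EnvelopeError` and the hash layout are assumptions made for illustration, and the record and keys are constructed sample data.

```ruby
require "openssl"

class EnvelopeError < StandardError; end
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# The doctor signs the record, the record is encrypted under a fresh
# AES-256-GCM key, and that key is wrapped to the patient's public key.
# :wrapped_key stands in for the comment's "one file" (hypothetical layout).
def seal(record, doctor_key, patient_pub)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  key = c.random_key
  iv = c.random_iv
  ct = c.update(record) + c.final
  { iv: iv, ct: ct, tag: c.auth_tag,
    sig: doctor_key.sign(OpenSSL::Digest.new("SHA256"), record),
    wrapped_key: patient_pub.public_encrypt(key, OAEP) }
end

# Raises if the wrapped key is gone, the private key is wrong, the ciphertext
# was altered (GCM tag check), or the doctor's signature does not verify.
def open_envelope(env, patient_key, doctor_pub)
  raise EnvelopeError, "wrapped key removed: access not authorized" unless env[:wrapped_key]
  d = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  d.key = patient_key.private_decrypt(env[:wrapped_key], OAEP)
  d.iv = env[:iv]
  d.auth_tag = env[:tag]
  record = d.update(env[:ct]) + d.final
  ok = doctor_pub.verify(OpenSSL::Digest.new("SHA256"), env[:sig], record)
  raise EnvelopeError, "doctor signature invalid" unless ok
  record
end

if __FILE__ == $PROGRAM_NAME
  doctor  = OpenSSL::PKey::RSA.new(2048) # constructed keys for the demo
  patient = OpenSSL::PKey::RSA.new(2048)
  env = seal("constructed sample record: BP 120/80", doctor, patient.public_key)
  puts open_envelope(env, patient, doctor.public_key)
  env.delete(:wrapped_key)               # "remove that one file"
  begin
    open_envelope(env, patient, doctor.public_key)
  rescue EnvelopeError => e
    puts "denied: #{e.message}"
  end
end
```

Removing the wrapped key only withholds access from someone who has not already unwrapped and copied the symmetric key; a party who has seen the key once must be handled by re-encrypting the record under a new key.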

Dr Julio Bonis (user link) says:

Another alternative

People are really sensitive to the confidentiality of their medical data. It is critical information.

The danger with Google Health and HealthVault is that somebody in the future cracks their security systems.

Also the fact about a private company getting data about your health must concern us.

There is an alternative, designed by the doctor that described the first case of Wiiitis, its philosophy is based on total anonymous users. A smart mechanism allows the storage of clinical records without asking you any personal data (not even your email).

Confidentiality is in such a way assured.
