Google Wants Your Medical Records
from the well-of-course-they-do dept
While it’s been rumored for years, Google is finally revealing a little bit about its Google Health plans, as it’s opening up the service to a few thousand patients of the Cleveland Clinic. Those patients will be turning over their medical records to Google which, of course, is raising security and privacy concerns. It probably doesn’t help that the news of this is breaking at about the same time as reports that Google accidentally exposed Gmail accounts in Kuwait. Exposing emails is bad enough, but your health records? Obviously, one hopes that Google is doing everything possible to protect the info, but as the AP report points out, Google is not covered by HIPAA (the Health Insurance Portability and Accountability Act,), meaning that even under the best intentions of Google, handing your records over to the company could make them easier for the government or legal adversaries to get at those records, since they’ve left the bounds of protected communication between a doctor and patient.
Despite all of that, there is something to be said for granting individuals more power to manager their own medical records. Assuming Google could make those records more searchable, more understandable and more useful by putting additional services around them, you could see how that could be valuable. On top of that, one of the benefits of such a service could be to allow medical providers easy access to specific, relevant portions of your medical history. However, Google isn’t the only player trying to build such a system (with Microsoft having already announced something similar), and as we discussed about a year ago, perhaps a better solution than a centralized system (which is prone to attack) is to allow individuals to store and manage their own records. While some people may feel comfortable trusting Google to store the records, it seems likely that plenty of others will rather control the data themselves, while still being interested in making use of the value-added features one imagines Google will be providing.
Filed Under: centralized storage, google health, medical records, privacy
Comments on “Google Wants Your Medical Records”
Better or worse
Is Google better or worse than the government agencies that lose social security numbers? Is Google better or worse than the credit reporting agencies that lose (or sell) your information?
I’m not sure what Google’s track record is concerning security and privacy. Other corporations have already had spectacular failures in those areas.
It’s difficult to see how Google could do worse. It’s easy to see how Google could do much better.
HIPAA
I’m not sure how they think that Google isn’t still governed by HIPAA. The article claims that “third parties” aren’t subject to HIPAA, but that’s not exactly true. Any time that a hospital or doctor’s office contracts out a part of their service to a third party there has to be a partnership agreement in place and the third party is also bound by HIPAA regulations. Their only source for the “third parties aren’t governed by HIPAA” statement happens to be running the show at the organization who is opposed to the effort. So they might want to take that with a grain of salt and get some third-party verification of that claim.
Re: HIPAA
I worked for a prescription insurance management company a few years back, and HIPPA was a major, major factor in every move the company made, and there were definitely no doctors around. It’s obvious that Google would be covered by HIPPA, if not automatically by law, then by their lawyers signing on in order to make the service viable. Who’s going to hand over their records to a company that makes no promise of security?
Targetted Ads
If targetted ads appear alongside my medical records, what do I do if they are for funeral services!
Why not just put them on a Thumb Drive?
You could carry them with you, and if they got lost at least you would know when and why.
I don’t know what all this hoopla is about. There have been several major studies published about consolidation of health care information into one central repository. Point is, it’s nothing new.
But overall, I think legacy AT&T was one of the first companies to consider pursuing it.
Email leak
I curious how someone using a ISP that caches content that flows through it is Googles fault? Seems like its either the norm in that country or a crappy ISP. Remember https://gmail.com does work too.
Google would not be considered a covered entity, thus not covered by HIPAA.
If the article is correct, the patients give their medical records to Google. If the clinics were to give Google the records, that would be a different story, either the clinic would be in voilation of HIPAA or they would have to ensure that Google was HIPAA compliant. If you give your medical records up, that is your choice, but you can’t expect protection from HIPAA.
Global System
Wake up people smell the coffee….This is just another step for BIG Brother towards THE ONE WORLD SYSTEM. .
AV
Google is the only one of the major sites would did not turn there search information over to the Government when requested because they cared about the consumer’s confidentiality.
Anybody who does not trust Google, does not know Google. They are the opposite of Microsoft!
Not Google's Fault
“It probably doesn’t help that the news of this is breaking at about the same time as reports that Google accidentally exposed Gmail accounts in Kuwait.”
— It’s not Google’s fault… The ISP was caching the content.
Aaron, of course a prescription insurance management company was covered by HIPAA, you paid for prescriptions, you had access to medical information from doctors and hospitals.
Google doesn’t access the medical information through those same channels, the patients give them the information. If someone walks up to you and hands you their medical records, would that make you a covered entity? Of course not.
Who other than people with some std or doctors give a shit about medical records? Most people could care less if someone finds out they broke their arm in the 3rd grade, had crabs in collage, have high blood pressure, etc. The don’t want insurance companies to know if they are getting new insurance, and maybe banks if they are trying to get a home loan, but guess what both of those groups get the information.
It was doctors that used the AIDS scare as a scare tactic to get HIPAA pushed through, oh, go protest, they are going to discriminate against people with AIDS, so go out and call them all sexists, and embarrass them into passing this very, very bad law, that not only doubled the cost of medical treatment in the us, but exposes the public to bad doctors/medicines for a much longer time before they are discovered. Doctors and hospitals didn’t like that lawyers were mining databases of medical records finding patterns that allowed them to easily detect bad doctors and bad hospitals.
electronic medical records
If you’re anxious about your electronic medical records being secured appropriately, I have terrible news for you. As a physician, I am far more confident that the controls over my electronic data are robust than those over all my paper records. Put on a suit and a bow-tie, grab a stethoscope and walk into any busy ward in your local hospital and start reading patient’s charts. If anyone asks who you are or what you’re doing, let me know. I’d be impressed..
In the past, just how did lawyers mine databases of medical records? There were no databases because medical records were not electronic?
HIPAA was in response to electronic medical records, just like Part 11 was in response to electronic signatures.
Fubar, sure, you could walk in and read patients charts, but it would be hard for a hacker in Serbia to read every chart that way. With electronic records, not so much.
Manage their own?
You really want all those people who’s machines are “owned” to manage their own medical data?
Use a professional. Is that Google? Remains to be seen. Could be, they have an excellent privacy track record so far.
I Fix Medical Equipment
I am a private third party provider of medical equipment repair, and as such I have had to sign HIPAA agreements with the providers of medical services who I serve.
I was also required to give my policy and procedures to one client as part of my contracting, which also included a policy on HIPAA compliance.
Privacy Concerns Unwarranted
If this were a mandatory government project to centralise all your personal information in one database then the outcry would be fully justified. In this case, though, it is a private company providing an entirely voluntary service. It is when non-submission to a database becomes a crime against the state, and not just a company, that we should object.
Ever try to get your Records fixed
Ever tried to get your credit record fixed? Now what if your MEDICAL record at GOOGLE incorrectly reports you as DEAD – how do you get that fixed? What if you (as a guy) have an abortion – due to a records foul up on Google’s record keeping system? You ever try to get someone at Google to FIX any record? Have fun trying – and with your medical record mixed up with someone else next – duhhhh…it was a typo…
PGP/GPG Sign the data, use CD/DVD/Thumbdrive...
Allowing the patient to keep their own records instantly made me think of every portable way of storing data.
I think that would be a great idea, as if you’re traveling and need access to your medical data it’s all right there.
Unfortunately, it’s all right there.
The solution is to use cryptographic tools that are completely open and free. Any GPG is a free (open source) version of the OpenPGP standard. Doctors could sign the portions of the records they create, and the whole thing could be signed encoded to unlock only with the patient’s private key.
Now, keeping the private key secure would be an issue, however if this is occurring within an expanded environment, then the data could be encoded using a symmetric key, which is then it’s self encoded to only be unlocked with the private key. The tool could then provide or remove that one file, thus authorizing access or not.
Another alternative
People is really sensible to the confidentiality of their medical data. It is critical information.
The danger with Google Health and HealthVault is that somebody in the future crack their security systems.
Also the fact about a private company getting data about your health must concern us.
There is an alternative, http://www.keyose.com/, designed by the doctor that described the first case of Wiiitis, its philosophy is based on total anonymous users. A smart mechanism allows the store of clinical record without asking you any personal data (not even your email).
Confidentiality is in such a way assured.
Health Privacy Agreement
Maybe patients can use contract law to enhance the privacy of their health records. http://hack-igations.blogspot.com/2008/02/contracts-for-patient-privacy.html
i love you
i love you tina!!!!!!!!!!!!1♥
yummy exotic food
yummy pee and poop
poop
i eaqt poop for breckfast everEday
poop
i eaqt poop for breckfast everEday
poop
i eaqt poop for breckfast everEday
HIPAA