Tuesday, May 20, 2008

Google Tentacles Grab Hold of Healthcare

Ars Technica formally announced its acquisition by Conde Nast, which seems to tilt it more in favor of Ars Technica staying as is, only with deeper pockets. A hint of hiring, too, perhaps...

But the big news today is the public (beta) launch of Google Health, which, you can imagine, has added more fuel to the privacy fire. There are posts from the usual suspects, the Official Google Blog, TechCrunch, Ars Technica, NYT, Tribune via AP... the list goes on. Google Health was being tested by the Cleveland Clinic, and not surprisingly, there was a waiting list for the limited number of open slots for the test. The thinking seems to be that Google has built a strong brand, a trusted brand, so people will flock to the service without giving it a second thought. Those who do stop and think for a second ask: what about HIPAA?

Most people have heard of HIPAA, or the Health Insurance Portability and Accountability Act; it's impossible to see a doctor without signing something about it, but few understand exactly what it does. In a nutshell, it protects your health care information by setting standards for electronic transmission or exchange of data, it protects your health insurance coverage if you find yourself out of work or change jobs, and it has various other rules, such as privacy, transaction and code sets, etc. You can read a simplified version from Wikipedia, or the whole statute. There is also a section on the HHS Office of Civil Rights website.

HIPAA, you'll notice, is mysteriously, or perhaps purposefully, missing from Google Health. Actually, you can't even access Google Health without a Google Account, which makes sense after you've read the first point of their Privacy Policy:
"You control who can access your personal health information. By default, you are the only user who can view and edit your information. If you choose to, you can share your information with others."

So unless you have my login information, you can't access my health information, or any other Google service normally accessed through a Google Account. Makes me feel slightly more secure, but then there is point two:
"Google will not sell, rent, or share your information (identified or de-identified) without your explicit consent, except in the limited situations described in the Google Privacy Policy, such as when Google believes it is required to do so by law."

That makes me nervous. Having studied Google's Privacy Policy as part of my grad school education, I'm leery about Google products that store rather personal information. Yes, I use Blogger, I use Gmail, I use Google Docs, but not for anything I consider to be sensitive information. I don't, for example, keep track of my expenses through Google Docs. I don't do more than share and collaborate on documents that have little or no value if my account were to be compromised.

So its privacy policy is a little too open-ended for me. I like how it explicitly states that it will notify users of acquisitions, mergers and the like that may involve the transfer of personal information, but it says nothing about notifying users if the government or some legal entity requests user information. I also find the wording of the "consent" phrase interesting:
"We have your consent. We require opt-in consent for the sharing of any sensitive personal information."

It says "we have your consent" and then says opt-in is required. Not that opt-in is required and therefore, once you have opted in, you have granted consent. Just the first phrase implies that once you create a Google Account, you have given them consent. How's that for being blunt?

Anyway, back to Google Health. The Privacy Policy for Google Health lists out the ways in which you, the user, control your information. You can delete information, and grant access, which basically means you open the flood gates. Surprise surprise. It expands on this, stating that if a website makes a copy of your information and stores it, then your information is now subject to that website's privacy policy, including HIPAA if the site owners must abide by HIPAA. Sounds as if you might be safer going with those that must abide by HIPAA. And, naturally, Google has its disclaimer about third parties and not being liable... blah blah blah. I'd be curious to see how well that holds up if a site is infiltrated, and that infiltration leads to the hacking of Google Health. Imagine the treasure trove of information available. Yikes! Only need to think about the banking system to see how one might position oneself into such a situation.

It does seem as if Google Health is positioning itself as nothing more than a platform, but I'd wager this is only the start. It's too early to see what will really happen with Google Health. The privacy issues are expected, but people seem rather willing to trust Google, to a point. And there is something attractive about being able to access your health information from a central location.

And it may stay that way, for a while, until a breach occurs or something happens that requires legal action but, alas, there is no legal recourse. Some creative lawyering may be needed.

The more I think about it, the more Google seems like the online equivalent of the Walt Disney Corporation: a country unto itself.
