Why Google Health is retiring

http://www.google.com/intl/en_us/health/about/index.html

 

Google Health is shutting down in 2012. I wasn't really surprised to hear that. I didn't think it was a concept that was going to have a high adoption rate to begin with. It's one thing for Google to manage your email, photos, instant messages, contacts, videos and track your behaviors. But for Google to know that you just had an organ removed the week before? I'm not too sure that's the type of information that you would want to share with them.

Then again, I'm biased. Working with health insurance companies for a number of years has made me sensitive to handling personal health information (PHI). At Blue Shield of California, we spent a lot of time thinking about PHI and HIPAA compliance and its impacts – and acknowledging how much it matters to consumers. We frequently hear about hackers breaking into ecommerce and online banking systems, but generally most people aren't too concerned if an online account is hacked because most credit cards are usually protected from fraud and someone won't lose more than $50. But what if someone hacks into your health information? What if you have a life-threatening illness that you want to keep private? What if an employer learns about an illness (such as mental illness) and uses that information against you?

It can happen.

I took a look at Google Health's privacy policy and its comparison to HIPAA compliance to get more facts as to what was being offered before I just dismissed Google Health as a generally bad idea. You can read it for yourself here. I found this chart to be a little disturbing overall. And here's why:

 

Google created a specialized privacy policy rather than leveraging existing HIPAA policies enforced by the Department of Health and Human Services

Google created a special privacy policy for Google Health. Most people in the US know what HIPAA compliance means and how it works. There are a lot of safeguards in place to protect people and information sharing of PHI. Sure, HIPAA can be a pain in the butt, but it does prevent the wrong people from getting information if you are unconscious. The benefit of HIPAA is that the Department of Health and Human Services enforces its own privacy protections through civil and criminal penalties; Google's privacy policy is covered only under the Federal Trade Commission. Do you believe that a PHI breach will be handled properly if prosecuted through the FTC (the same organization that deals with consumer protection and antitrust violations)? I didn't think so either.

 

Information sharing

Below are two points Google lists for sharing PHI that I find challenging:

  • With contractors and vendors operating solely on Google's behalf (subject to security and confidentiality requirements)
  • To protect against imminent harm to the rights, property or safety of Google, its users or the public, or to address fraud or violations of the Terms of Service

What does this mean? Is this marketing information? What if someone has Hepatitis? Does this imply that Google needs to report that? What about reported epidemics? What about other disorders? Will it notify a third party to contact you for more information? Shouldn't this go to a doctor? Where is your doctor in all of this? Reading this doesn't make me feel comfortable about the security of my health information and raises more questions than answers about information usage.

 

Who can access the information

A limited number of employees in particular job functions may have access to user information in order to operate and improve Google Health. Users consent to this limited internal use when they sign up for Google Health.

In health industries, employees and contractors go through quite a bit of training to learn how to protect an individual's PHI. I had to take courses and pass tests about PHI every couple of years to validate that I knew the rules. And I would have to go through more training if I actually worked with PHI. Given everything I had to keep in mind with PHI, I didn't want to work on anything related to it – it was all too much responsibility. But reading the above regarding Google, I'm not sure from this description how much training someone in Google gets around PHI or how that works. And even then, PHI is generally shared with organizations and people to get help and more information about an illness or coverage. Usage stats should be used for improving the site – not PHI. I think here, Google missed the point.

 

How Information is Kept Secure

This is the HIPAA security mandate:

HIPAA requires that health care providers and other services maintain a minimum standard of "reasonable and appropriate safeguards to prevent intentional or unintentional use or disclosure of health information".

This is the Google Health security mandate:

Google Health secures information by:

  • Using electronic security measures such as Secure Socket Layer (SSL) encryption, back-up systems, and other cutting-edge information security technology
  • Strongly restricting information access to a limited number of necessary personnel

Companies like Kaiser Permanente and other HMOs will often have networks of information inside a firewall. There is a lot of technology set up to allow PHI to be accessible to doctors inside the network and not to the outside world. Given that SSL is used with ecommerce and online banking – and people can break into this – it doesn't give me a lot of confidence. Sure, SSL is fairly secure, but I'm not sure how I feel about this protecting my health information. I almost feel better keeping my information as hard copy with a doctor and using the fax to transmit it – and this is why that workflow is often used today. There is more at risk with PHI in the wrong hands than your credit card. Again, you can be protected for up to $50 spent through fraud; no one can protect you if someone learns about your health problems and decides to use this against you.

 

Don't get me wrong, Google Health as a concept is a great idea. It would have been a better idea if it had originated from a health organization rather than an organization that leverages user data and tracks behavior for monetary gain. And people do recognize that Google is about the statistics – so it does make one wonder about their motives. With all of these factors, it does explain why Google Health just never was adopted as it potentially could have been.

What are your thoughts?

 
