Google Wants Your Medical Records

from the well-of-course-they-do dept

While it's been rumored for years, Google is finally revealing a little bit about its Google Health plans, as it's opening up the service to a few thousand patients of the Cleveland Clinic. Those patients will be turning over their medical records to Google, which, of course, is raising security and privacy concerns. It probably doesn't help that the news of this is breaking at about the same time as reports that Google accidentally exposed Gmail accounts in Kuwait. Exposing emails is bad enough, but your health records? Obviously, one hopes that Google is doing everything possible to protect the info, but as the AP report points out, Google is not covered by HIPAA (the Health Insurance Portability and Accountability Act), meaning that even with the best intentions on Google's part, handing your records over to the company could make it easier for the government or legal adversaries to get at those records, since they've left the bounds of protected communication between a doctor and patient.

Despite all of that, there is something to be said for granting individuals more power to manage their own medical records. Assuming Google could make those records more searchable, more understandable and more useful by putting additional services around them, you could see how that could be valuable. On top of that, one of the benefits of such a service could be to allow medical providers easy access to specific, relevant portions of your medical history. However, Google isn't the only player trying to build such a system (with Microsoft having already announced something similar), and as we discussed about a year ago, perhaps a better solution than a centralized system (which is prone to attack) is to allow individuals to store and manage their own records. While some people may feel comfortable trusting Google to store the records, it seems likely that plenty of others would rather control the data themselves, while still being interested in making use of the value-added features one imagines Google will be providing.

Filed Under: centralized storage, google health, medical records, privacy


Reader Comments

  • Anonymous Coward, 21 Feb 2008 @ 2:58am

    Better or worse

    Is Google better or worse than the government agencies that lose social security numbers? Is Google better or worse than the credit reporting agencies that lose (or sell) your information?

    I'm not sure what Google's track record is concerning security and privacy. Other corporations have already had spectacular failures in those areas.

    It's difficult to see how Google could do worse. It's easy to see how Google could do much better.

  • Kevin, 21 Feb 2008 @ 3:44am

    HIPAA

    I'm not sure how they think that Google isn't still governed by HIPAA. The article claims that "third parties" aren't subject to HIPAA, but that's not exactly true. Any time that a hospital or doctor's office contracts out a part of their service to a third party there has to be a partnership agreement in place and the third party is also bound by HIPAA regulations. Their only source for the "third parties aren't governed by HIPAA" statement happens to be running the show at the organization who is opposed to the effort. So they might want to take that with a grain of salt and get some third-party verification of that claim.

    • Aaron, 21 Feb 2008 @ 7:01am

      Re: HIPAA

      I worked for a prescription insurance management company a few years back, and HIPAA was a major, major factor in every move the company made, and there were definitely no doctors around. It's obvious that Google would be covered by HIPAA, if not automatically by law, then by their lawyers signing on in order to make the service viable. Who's going to hand over their records to a company that makes no promise of security?

  • Mike F, 21 Feb 2008 @ 4:21am

    Targeted Ads

    If targeted ads appear alongside my medical records, what do I do if they are for funeral services!

  • Haywood, 21 Feb 2008 @ 5:02am

    Why not just put them on a Thumb Drive?

    You could carry them with you, and if they got lost at least you would know when and why.

  • Iron Chef, 21 Feb 2008 @ 5:42am

    I don't know what all this hoopla is about. There have been several major studies published about consolidation of health care information into one central repository. Point is, it's nothing new.

    But overall, I think legacy AT&T was one of the first companies to consider pursuing it.

  • Kappen, 21 Feb 2008 @ 6:15am

    Email leak

    I'm curious how someone using an ISP that caches content that flows through it is Google's fault? Seems like it's either the norm in that country or a crappy ISP. Remember HTTPS://gmail.com does work too.

  • Anonymous Coward, 21 Feb 2008 @ 6:30am

    Google would not be considered a covered entity, thus not covered by HIPAA.

    If the article is correct, the patients give their medical records to Google. If the clinics were to give Google the records, that would be a different story; either the clinic would be in violation of HIPAA or they would have to ensure that Google was HIPAA compliant. If you give your medical records up, that is your choice, but you can't expect protection from HIPAA.

  • AVERMAN, 21 Feb 2008 @ 6:38am

    Global System

    Wake up people, smell the coffee... This is just another step for BIG Brother towards THE ONE WORLD SYSTEM.
    AV

  • Dan, 21 Feb 2008 @ 7:05am

    Google is the only one of the major sites who did not turn their search information over to the Government when requested because they cared about the consumer's confidentiality.

    Anybody who does not trust Google, does not know Google. They are the opposite of Microsoft!

  • Tom Milewski, 21 Feb 2008 @ 7:06am

    Not Google's Fault

    "It probably doesn't help that the news of this is breaking at about the same time as reports that Google accidentally exposed Gmail accounts in Kuwait."

    -- It's not Google's fault... The ISP was caching the content.

  • Anonymous Coward, 21 Feb 2008 @ 7:06am

    Aaron, of course a prescription insurance management company was covered by HIPAA, you paid for prescriptions, you had access to medical information from doctors and hospitals.

    Google doesn't access the medical information through those same channels, the patients give them the information. If someone walks up to you and hands you their medical records, would that make you a covered entity? Of course not.

  • Steve Jones, 21 Feb 2008 @ 7:24am

    Who other than people with some STD or doctors give a shit about medical records? Most people could care less if someone finds out they broke their arm in the 3rd grade, had crabs in college, have high blood pressure, etc. They don't want insurance companies to know if they are getting new insurance, and maybe banks if they are trying to get a home loan, but guess what, both of those groups get the information.

    It was doctors that used the AIDS scare as a scare tactic to get HIPAA pushed through, oh, go protest, they are going to discriminate against people with AIDS, so go out and call them all sexists, and embarrass them into passing this very, very bad law, that not only doubled the cost of medical treatment in the US, but exposes the public to bad doctors/medicines for a much longer time before they are discovered. Doctors and hospitals didn't like that lawyers were mining databases of medical records finding patterns that allowed them to easily detect bad doctors and bad hospitals.

  • fubar, 21 Feb 2008 @ 7:39am

    electronic medical records

    If you're anxious about your electronic medical records being secured appropriately, I have terrible news for you. As a physician, I am far more confident that the controls over my electronic data are robust than those over all my paper records. Put on a suit and a bow-tie, grab a stethoscope and walk into any busy ward in your local hospital and start reading patients' charts. If anyone asks who you are or what you're doing, let me know. I'd be impressed.

  • Anonymous Coward, 21 Feb 2008 @ 7:40am

    In the past, just how did lawyers mine databases of medical records? There were no databases because medical records were not electronic?

    HIPAA was in response to electronic medical records, just like Part 11 was in response to electronic signatures.

  • Anonymous Coward, 21 Feb 2008 @ 8:02am

    Fubar, sure, you could walk in and read patients' charts, but it would be hard for a hacker in Serbia to read every chart that way. With electronic records, not so much.

  • Anonymous Coward, 21 Feb 2008 @ 8:07am

    Manage their own?

    You really want all those people whose machines are "owned" to manage their own medical data?

    Use a professional. Is that Google? Remains to be seen. Could be, they have an excellent privacy track record so far.

  • bobbknight, 21 Feb 2008 @ 8:11am

    I Fix Medical Equipment

    I am a private third party provider of medical equipment repair, and as such I have had to sign HIPAA agreements with the providers of medical services who I serve.
    I was also required to give my policy and procedures to one client as part of my contracting, which also included a policy on HIPAA compliance.

  • Tom Scrace, 21 Feb 2008 @ 8:49am

    Privacy Concerns Unwarranted

    If this were a mandatory government project to centralise all your personal information in one database then the outcry would be fully justified. In this case, though, it is a private company providing an entirely voluntary service. It is when non-submission to a database becomes a crime against the state, and not just a company, that we should object.

  • CPT Moose, 21 Feb 2008 @ 9:31am

    Ever try to get your Records fixed

    Ever tried to get your credit record fixed? Now what if your MEDICAL record at GOOGLE incorrectly reports you as DEAD - how do you get that fixed? What if you (as a guy) have an abortion - due to a records foul up on Google's record keeping system? You ever try to get someone at Google to FIX any record? Have fun trying - and with your medical record mixed up with someone else next - duhhhh...it was a typo...

  • Michael Evans, 22 Feb 2008 @ 4:25am

    PGP/GPG Sign the data, use CD/DVD/Thumbdrive...

    Allowing the patient to keep their own records instantly made me think of every portable way of storing data.

    I think that would be a great idea, as if you're traveling and need access to your medical data it's all right there.

    Unfortunately, it's all right there.


    The solution is to use cryptographic tools that are completely open and free. Any GPG is a free (open source) version of the OpenPGP standard. Doctors could sign the portions of the records they create, and the whole thing could be signed and encoded to unlock only with the patient's private key.

    Now, keeping the private key secure would be an issue; however, if this is occurring within an expanded environment, then the data could be encoded using a symmetric key, which is then itself encoded to only be unlocked with the private key. The tool could then provide or remove that one file, thus authorizing access or not.

    link to this | view in chronology ]
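
The layout this comment describes (each doctor signs the sections they write, the record is encrypted under a symmetric key, and that key is itself encrypted so only the patient's private key unlocks it), as an added example that is not part of the original comment. It uses primitives from the Python `cryptography` package in place of GPG/OpenPGP; the function names and the sample record are constructed for illustration.

```python
import json
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Illustration only: Ed25519 + AES-GCM + RSA-OAEP stand in for OpenPGP here.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def canonical(section):
    """Stable byte encoding so signer and verifier see the same bytes."""
    return json.dumps(section, sort_keys=True).encode()

def sign_section(doctor_key, section):
    """A doctor signs only the section they authored."""
    return {"section": section, "sig": doctor_key.sign(canonical(section)).hex()}

def seal_record(signed_sections, patient_pub):
    """Encrypt the record under a fresh AES key, then wrap that key to the patient."""
    data_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    plaintext = json.dumps(signed_sections).encode()
    blob = nonce + AESGCM(data_key).encrypt(nonce, plaintext, None)
    # The wrapped key is kept as a separate file: handing it over or
    # withholding it is what grants or denies access to the record.
    return blob, patient_pub.encrypt(data_key, OAEP)

def open_record(blob, wrapped_key, patient_priv, doctor_pub):
    """Unwrap the data key, decrypt, and verify every section's signature."""
    data_key = patient_priv.decrypt(wrapped_key, OAEP)
    signed = json.loads(AESGCM(data_key).decrypt(blob[:12], blob[12:], None))
    for item in signed:
        # Raises cryptography.exceptions.InvalidSignature on a forged section.
        doctor_pub.verify(bytes.fromhex(item["sig"]), canonical(item["section"]))
    return [item["section"] for item in signed]

def demo():
    """Constructed sample: one doctor, one patient, one record section."""
    doctor = ed25519.Ed25519PrivateKey.generate()
    patient = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sections = [{"date": "2008-02-21", "note": "constructed sample entry"}]
    signed = [sign_section(doctor, s) for s in sections]
    blob, wrapped = seal_record(signed, patient.public_key())
    return open_record(blob, wrapped, patient, doctor.public_key()) == sections
```

The record stays readable only to whoever holds both the blob and a private key that can unwrap the key file, and a section signed by anyone other than the expected doctor is rejected on open.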

  • Dr Julio Bonis, 22 Feb 2008 @ 6:52pm

    Another alternative

    People are really sensitive about the confidentiality of their medical data. It is critical information.

    The danger with Google Health and HealthVault is that somebody in the future cracks their security systems.

    Also the fact about a private company getting data about your health must concern us.

    There is an alternative, http://www.keyose.com/, designed by the doctor that described the first case of Wiiitis; its philosophy is based on totally anonymous users. A smart mechanism allows the storage of clinical records without asking you for any personal data (not even your email).

    Confidentiality is in such a way assured.

  • Benjamin Wright, 25 Feb 2008 @ 6:02am

    Health Privacy Agreement

    Maybe patients can use contract law to enhance the privacy of their health records. http://hack-igations.blogspot.com/2008/02/contracts-for-patient-privacy.html

  • avery, 17 Nov 2008 @ 1:59pm

    i love you

    i love you tina!!!!!!!!!!!!1♥

  • yasmin, 17 Nov 2008 @ 2:02pm

    yummy exotic food

    yummy pee and poop

  • aavery, 17 Nov 2008 @ 2:05pm

    poop

    I eat poop for breakfast every day

  • Ivy, 17 Nov 2008 @ 2:05pm

    poop

    I eat poop for breakfast every day
