Tsibouris & Associates Home | Practice Areas | Attorneys | Contact | Publications | Clients | Blog Home

Friday, April 11, 2008

Google Health Starts Pilot at the Cleveland Clinic

By Dino Tsibouris & Mehmet Munur

On February 21, 2008, Google announced a partnership with the Cleveland Clinic to test its online personal health records management platform called Google Health. While Google is late to bring its platform to the party, its offering appears to go beyond Microsoft’s HealthVault offering. The goal of the project is “to give the patients the ability to interact with multiple physicians, healthcare service providers and pharmacies.” The pilot project will test the secure exchange of patient medical records.

Google claims that its offering is different than other online personal health records in four ways. First, Google developed its privacy policies using Google Health Advisory Council, made up of leaders in the healthcare industry—from CEOs of the Cleveland Clinic and the American Medical Association to the Executive Vice President of Risk Management at Wal-Mart. Second, Google Health is a platform and not just a website. This allows third party application developers to create programs for use on its application programming interface or API. For example, such third party applications may include reminders to take prescription medicine on personalized Google homepages. Third, storage of medical data on Google’s servers allows for portability. Lastly, Google Health will have a user focus through which users can easily manage their healthcare information or find health information about their health conditions. The service will allow users to find relevant and dynamically generated news, web search results, research articles, and discussion groups.

The Cleveland Clinic pilot project is supposed to last six to eight weeks and the platform is to become public some time after that. For this reason, no terms of use are available from Google to judge its commitment to privacy. Yet, Google appears to have changed its privacy policies in a positive way. First, Google changed its 30 year expiration period for its cookies to two years—but included automatic renewal.

Second, Google was the first major search engine to anonymize its server logs after 18 months instead of an 18 to 24 month period. Google deletes the last few digits of the IP address as well as some portion of the cookie information to anonymize the information contained these logs. According to Peter Fleischer, Google’s Global Privacy Counsel, Microsoft and Yahoo later followed this practice with 18 and 13 month retention plans, respectively. However, Google continues to retain these logs for as long as necessary. Third, Google has started offering videos through its YouTube Google Privacy Channel to explain its privacy policies without legalese and geek-speak.

All of these changes at Google appear to point towards Google’s corporate responsibility for privacy within its business framework of “creating[ing] [a] minimum global standard, built around international consensus, that is flexible, technologically neutral, and forward looking.” Obviously, creating such a framework would be beneficial for Google’s business as it would make compliance much easier. Yet, cultural and legal differences are likely to make this goal hard to achieve.

On the other hand, Google must have a business purpose for entering the health records management field. After Google CEO Eric Schmidt’s keynote speech at the HIMSS, a doctor asked what was in it for Google. He answered that there was not a “monetization path” for Google Health in the short term. However, he suggested that Google was able to create brand following through other services even though those ancillary services were not supported by advertisements—such as Google News. It appears that Google would like to inspire confidence in its service first and then create revenue through contextual advertisements if users explicitly consent. It is at this juncture that privacy advocates would have the most difficulty with Google Health.

Eric Schmidt suggested that this service Google Health Starts Pilot Project at the Cleveland Clinic

On February 21, 2008, Google announced a partnership with the Cleveland Clinic to test its online personal health records management platform called Google Health. While Google is late to bring its platform to the party, its offering appears to go beyond Microsoft’s HealthVault offering. The goal of the project is “to give the patients the ability to interact with multiple physicians, healthcare service providers and pharmacies.” The pilot project will test the secure exchange of patient medical records.

Google claims that its offering is different than other online personal health records in four ways. First, Google developed its privacy policies using Google Health Advisory Council, made up of leaders in the healthcare industry—from CEOs of the Cleveland Clinic and the American Medical Association to the Executive Vice President of Risk Management at Wal-Mart. Second, Google Health is a platform and not just a website. This allows third party application developers to create programs for use on its application programming interface or API. For example, such third party applications may include reminders to take prescription medicine on personalized Google homepages. Third, storage of medical data on Google’s servers allows for portability. Lastly, Google Health will have a user focus through which users can easily manage their healthcare information or find health information about their health conditions. The service will allow users to find relevant and dynamically generated news, web search results, research articles, and discussion groups.

The Cleveland Clinic pilot project is supposed to last six to eight weeks and the platform is to become public some time after that. For this reason, no terms of use are available from Google to judge its commitment to privacy. Yet, Google appears to have changed its privacy policies in a positive way. First, Google changed its 30 year expiration period for its cookies to two years—but included automatic renewal.

Second, Google was the first major search engine to anonymize its server logs after 18 months instead of an 18 to 24 month period. Google deletes the last few digits of the IP address as well as some portion of the cookie information to anonymize the information contained these logs. According to Peter Fleischer, Google’s Global Privacy Counsel, Microsoft and Yahoo later followed this practice with 18 and 13 month retention plans, respectively. However, Google continues to retain these logs for as long as necessary. Third, Google has started offering videos through its YouTube Google Privacy Channel to explain its privacy policies without legalese and geek-speak.

All of these changes at Google appear to point towards Google’s corporate responsibility for privacy within its business framework of “creating[ing] [a] minimum global standard, built around international consensus, that is flexible, technologically neutral, and forward looking.” Obviously, creating such a framework would be beneficial for Google’s business as it would make compliance much easier. Yet, cultural and legal differences are likely to make this goal hard to achieve.

On the other hand, Google must have a business purpose for entering the health records management field. After Google CEO Eric Schmidt’s keynote speech at the HIMSS, a doctor asked what was in it for Google. He answered that there was not a “monetization path” for Google Health in the short term. However, he suggested that Google was able to create brand following through other services even though those ancillary services were not supported by advertisements—such as Google News. It appears that Google would like to inspire confidence in its service first and then create revenue through contextual advertisements if users explicitly consent. It is at this juncture that privacy advocates would have the most difficulty with Google Health.

Eric Schmidt suggested that this service was unlikely to take off or reach market saturation in a short time but that in the long run it makes sense because such a large part of online searches involve health topics. Google Health and Microsoft HealthVault appear to be steps in the right direction; however, it remains to be seen how these services will affect individual privacy and how corporations and legislators will respond to those concerns.

You can find a blog post and screens from Google Health at the Official Google Blog here. You can find Eric Schmidt’s keynote speech at the Healthcare Information and Management Systems Society Annual Conference in Orlando on February 28, 2008 here.was unlikely to take off or reach market saturation in a short time but that in the long run it makes sense because such a large part of online searches involve health topics. Google Health and Microsoft HealthVault appear to be steps in the right direction; however, it remains to be seen how these services will affect individual privacy and how corporations and legislators will respond to those concerns.

You can find a blog post and screens from Google Health at the Official Google Blog here. You can find Eric Schmidt’s keynote speech at the Healthcare Information and Management Systems Society Annual Conference in Orlando on February 28, 2008 here.

Read More...