Google Health Launches
Having concluded its testing at the Cleveland Clinic, Google Health launched amid privacy concerns last week. Commentators are concerned that Google is not currently regulated under the Department of Health and Human Services (“DHHS”), and Google’s claim that it is regulated by the Federal Trade Commission does not appear to appease them. Nevertheless, Google Health appears to have a solid approach both to storing health care data online and to finding information about health issues.
Commentators have at least two privacy concerns with Google Health. First, anyone with a Google username may instantly and easily sign onto Google Health. While Google requires that passwords be at least 8 characters long, it does not require that passwords contain numbers, upper- and lower-case characters, and special characters—requirements that would help create strong passwords. Considering that only a minority of users will create strong passwords when not required to do so, access to a user’s health information on Google Health is only as good as the password the user creates—assuming that Google’s systems are secure. However, both Microsoft and Google suffer from this same problem.
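To make the difference between the two policies concrete, here is an added example (not Google’s or Microsoft’s code) that encodes the length-only rule the post describes beside a composition rule of the kind the post says would help, runs both over a few constructed sample passwords, and reports a naive keyspace bound. The sample passwords, the policy names and the 32-character estimate for the special-character class are assumptions made for the illustration; the bound is a ceiling on brute-force effort, not a strength score, which is why a dictionary word passing the length-only rule is the interesting case.

```python
"""Compare a length-only password policy with a length-plus-composition policy.
Added example for illustration; not code from Google Health or HealthVault."""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Anything that is not a letter or digit counts as a "special" character here.
SPECIAL_RE = re.compile(r"[^A-Za-z0-9]")


@dataclass(frozen=True)
class PasswordPolicy:
    """A minimal composition policy: a length floor plus optional class requirements."""
    name: str
    min_length: int
    require_lower: bool = False
    require_upper: bool = False
    require_digit: bool = False
    require_special: bool = False

    def check(self, password: str) -> list[str]:
        """Return the rules the password violates; an empty list means accepted."""
        failures: list[str] = []
        if len(password) < self.min_length:
            failures.append(f"shorter than {self.min_length} characters")
        if self.require_lower and not re.search(r"[a-z]", password):
            failures.append("no lower-case letter")
        if self.require_upper and not re.search(r"[A-Z]", password):
            failures.append("no upper-case letter")
        if self.require_digit and not re.search(r"[0-9]", password):
            failures.append("no digit")
        if self.require_special and not SPECIAL_RE.search(password):
            failures.append("no special character")
        return failures


# The policy the post describes: eight characters, nothing else required.
LENGTH_ONLY = PasswordPolicy("length-only", min_length=8)
# The stricter policy the post says would help: same floor plus all four classes.
COMPOSITION = PasswordPolicy(
    "length+composition", min_length=8,
    require_lower=True, require_upper=True, require_digit=True, require_special=True,
)


def naive_keyspace_bits(password: str) -> float:
    """Upper bound log2(charset_size ** length), with the charset inferred from the
    classes actually present. A ceiling only: 'password' is a dictionary word and
    is far weaker than its 37.6 bits suggest. The 32 for specials is an assumed
    count of printable ASCII punctuation."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if SPECIAL_RE.search(password):
        size += 32
    return len(password) * math.log2(size) if size else 0.0


# Constructed sample inputs for illustration only.
SAMPLES = ["password", "abcdefg", "Passw0rd!", "correct horse battery"]


def compare(samples=SAMPLES, policies=(LENGTH_ONLY, COMPOSITION)) -> dict[str, dict[str, bool]]:
    """Map each sample password to {policy name: accepted?}."""
    return {pw: {p.name: not p.check(pw) for p in policies} for pw in samples}


if __name__ == "__main__":
    for pw, verdicts in compare().items():
        print(f"{pw!r:26} {naive_keyspace_bits(pw):6.1f} bits  {verdicts}")
```

Running it shows the point of the paragraph: the length-only policy accepts `password`, and the composition policy rejects it for three missing classes; the keyspace figure also makes clear that length matters more than character classes, since the long all-lower-case passphrase scores far above the short mixed-class one.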
Second, Google (rightly) claims that it is not bound by the Health Insurance Portability and Accountability Act (“HIPAA”). The regulations under 45 CFR part 160.102 state that the Act applies to a) health plans, b) health care providers who transmit any health information in electronic form in connection with a covered transaction, or c) health care clearinghouses. A health plan is an individual or group that provides or pays the cost of medical care. Medical care includes diagnoses, cures, treatments, and transportation related to medical care, but not storage or transfer of information. A health care provider is a provider of medical or health services and any other person or organization that is paid for health care in the normal course of business. While medical services are defined ad nauseam in the regulations, none of those services relate to storage of health care information as a service.
A health care clearinghouse is an entity that processes or facilitates the processing of health care information from a nonstandard format (or data) to a standard format (or data), or vice versa. In promulgating the final rules on HIPAA, the DHHS stated that the definition was not meant to apply to telecommunication companies such as internet service providers or telephone companies, so long as they did not process the data in the fashion required. Therefore, processing of information coming from one entity and going to another entity appears to be at the heart of the regulations. Google does not process the data. It only makes it available to both the patient and the health care professional—presumably in the format it is provided. On the other hand, any manipulation of this data from standard to nonstandard format would trigger the regulations under HIPAA. In sum, Google Health currently resides in that gray area between explicitly exempt entities and nonexempt entities.
Nevertheless, Google’s interpretation of the current regulations is in line with DHHS’ Office for Civil Rights (“OCR”), which is in charge of the civil enforcement of the Privacy Rule under HIPAA. Susan McAndrew, senior advisor for the OCR, has stated in unofficial discussions that Google Health and Microsoft HealthVault are exempt from HIPAA rules, but that the Confidentiality, Privacy, and Security Workgroup of the American Health Information Community is in the process of making recommendations to regulate them under HIPAA. In regulating electronic health information exchange networks such as Google and Microsoft, the Workgroup has already identified six factors ranging from prevention of unauthorized access of the health care data to the purposes for which the health care data can be used. However, it will probably be years before such regulations take effect.
Yet Google does not claim that it is exempt from regulation for its privacy policies. On the contrary, Google agrees that it is subject to section 5 of the Federal Trade Commission (“FTC”) Act. While the OCR responds to thousands of complaints every year, the FTC’s settlements are more public and its punishments are probably more severe. So far this year, the FTC has settled with 5 companies for breach of privacy policies, including retailer TJ Maxx, publisher Reed Elsevier, and online advertiser ValueClick. Almost all FTC settlements include biennial security audits by independent third parties for 10 or 20 years following the settlement. Some include civil penalties. In 2006, the FTC settled with ChoicePoint for $10 million in civil penalties and $5 million in consumer redress. Such settlements tend to affect a company’s stock price in the short run and hurt its brand image. Google is certainly aware of the consequences of a security breach at Google Health.
Google has a healthy competitor to Microsoft’s HealthVault in Google Health. However, both business models appear to be ahead of the legal regulations in this area of health privacy. Moving health records online will certainly benefit patients, healthcare providers, and companies such as Google and Microsoft—so long as all the parties involved understand and fulfill their responsibilities.