New From Google: "Google Privacy Disaster Waiting to Happen"
There’s an estimated $1 billion to be had in health-search advertising, and though Google (GOOG) won’t admit it, it’s clear the company has designs on it.
Today the search sovereign announced a pilot program with the Cleveland Clinic that will enable the health-care organization’s patients to store their health records in their Google Accounts. The clinic plans to enroll up to 10,000 patients in the program, which will allow them to securely port their medical records to their Google profiles, where they can be more easily managed and shared with doctors, labs and the like.
Of course, by making such records easier to share with medical providers, Google may be making them easier to “share” with less well-intentioned entities. Health insurance carriers. Potential employers. Online marketers. The government.
Google, too.
As the World Privacy Forum pointed out yesterday, companies like Google are not governed by the Health Insurance Portability and Accountability Act, or HIPAA. “Don’t assume your medical records are protected no matter where they are: HIPAA privacy protections generally do not follow the health-care files,” the WPF warned. “HIPAA’s protections generally do not ‘travel’ with or follow a medical record that is disclosed to a third party outside the health-care treatment and payment system. … After you have disclosed your health care information to a PHR (Personal Health Records) outside the privacy protections of the health care system (HIPAA), your information can be used or redisclosed by the PHR in ways that would not be permitted for the same information if held by your doctor or health plan. Depending on the applicable privacy policy, health records outside of HIPAA can potentially be bought and sold, shared with merchants, and even disclosed to employers.”