Let’s face it, I haven’t actually been nice to Google of late when it comes to healthcare (or maybe I have, just once). While I believe the criticisms are justified, I can see why some people might think I’m beating a dead horse, namely Google Health. But there are some unresolved questions in the area of privacy that Google really should answer.
Google’s ill-fated attempt at a PHR isn’t completely dead. The company won’t “retire” the online service until January, and will allow users to download their data through Jan. 1, 2013. Naturally, others have stepped up to try to fill the (tiny) void left by Google Health’s demise. To nobody’s surprise, Microsoft is helping the remarkably small number of Google Health users transition their accounts to HealthVault, Microsoft’s own overly hyped, underutilized PHR platform.
What concerns me is what will happen to data already on Google’s servers. Will records be archived? Will sensitive patient health data stay on Google’s servers in perpetuity? Nobody has said for sure.
Are records safe from Google’s data-mining juggernaut? Google has consistently said that it would not use health records for anything other than to steer traffic to its core search engine, but let’s face it, Google’s primary source of revenue is from algorithm-driven advertising.
But, you say, HIPAA protects patients from unauthorized uses of their data, right? Well, remember back to 2009, when the American Recovery and Reinvestment Act expressly made third-party data repositories, health information networks and, yes, personal health records, into HIPAA business associates, effectively holding them to the same rules as covered entities under HIPAA.
Wouldn’t you know, both Google and Microsoft came out and said they were not subject to this provision. No less an insider than former national health IT coordinator Dr. David Brailer, who was a part of the legislative negotiations, told me then that lawmakers had Google Health and HealthVault specifically in mind when they crafted the ARRA language. As far as I know, there haven’t been any reported data breaches involving either PHR platform, so there’s been no need to test whether ARRA actually does apply to them. But if I had my data on Google’s or Microsoft’s servers, I’d be concerned. I’d particularly want to know what Google plans on doing with the data it’s been holding once Google Health does shut down.
Perhaps it’s time for me to make some phone calls.