Those aren't my words. That's from the title to a post by John Paczkowski on the Wall Street Journal's All Things Digital blog. In regard to Google's new pilot program with the Cleveland Clinic to store patients' health records, he writes:
Of course, by making such records easier to share with medical providers, Google may be making them easier to “share” with less well-intentioned entities. Health insurance carriers. Potential employers. Online marketers. The government.
Google, too.
As the World Privacy Forum pointed out yesterday, companies like Google are not governed by the Health Insurance Portability and Accountability Act or HIPAA. “Don’t assume your medical records are protected no matter where they are: HIPAA privacy protections generally do not follow the health-care files,” the WPF warned. “HIPAA’s protections generally do not ‘travel’ with or follow a medical record that is disclosed to a third party outside the health-care treatment and payment system. … After you have disclosed your health care information to a PHR (Personal Health Records) outside the privacy protections of the health care system (HIPAA), your information can be used or redisclosed by the PHR in ways that would not be permitted for the same information if held by your doctor or health plan. Depending on the applicable privacy policy, health records outside of HIPAA can potentially be bought and sold, shared with merchants, and even disclosed to employers.”
Link: New from Google: "Google Privacy Disaster Waiting to Happen"
Update: Lots of interesting discussion on this: see Michael Zimmer, Fred Stutzman. Michael Zimmer has also been discussing privacy concerns with Microsoft about their similar efforts: More designing for privacy: Microsoft HealthVault.
Kevin: The World Privacy Forum overstates the problem. Privacy law is more flexible than WPF lets on. For example, to address the privacy fears associated with Google health records, patients might post legal terms and conditions in their records. http://hack-igations.blogspot.com/2008/02/contracts-for-patient-privacy.html
Posted by: Benjamin Wright | Friday, February 29, 2008 at 12:20 PM
Benjamin -- thanks for the comment. That's an interesting idea and I hadn't heard it before.
My immediate concern with it is that it requires individual users to be sophisticated and it puts the burden on them rather than the companies providing the service. Why should everyone have to learn and remember this and know how to do it properly? Maybe this is a good temporary measure for informed users, but we really shouldn't have to take care of this ourselves -- proper privacy protection should be built into the system by default.
Posted by: Kevin Arthur | Friday, February 29, 2008 at 01:40 PM