Those aren’t my words. They come from the title of a post by John Paczkowski on the Wall Street Journal’s All Things Digital blog. Regarding Google’s new pilot program with the Cleveland Clinic to store patients’ health records, he writes:
Of course, by making such records easier to share with medical providers,
Google may be making them easier to “share” with less well-intentioned
entities. Health insurance carriers. Potential employers. Online
marketers. The government.
As the World Privacy Forum pointed out yesterday, companies like
Google are not governed by the Health Insurance Portability and
Accountability Act or HIPAA. “Don’t assume your medical records are
protected no matter where they are: HIPAA privacy protections generally
do not follow the health-care files,” the WPF warned.
“HIPAA’s protections generally do not ‘travel’ with or follow a medical
record that is disclosed to a third party outside the health-care
treatment and payment system. … After you have disclosed your health
care information to a PHR (Personal Health Records) outside the privacy
protections of the health care system (HIPAA), your information can be
used or redisclosed by the PHR in ways that would not be permitted for
the same information if held by your doctor or health plan. Depending
potentially be bought and sold, shared with merchants, and even
disclosed to employers.”
Link: New from Google: "Google Privacy Disaster Waiting to Happen"
Update: Lots of interesting discussion on this: see Michael Zimmer, Fred Stutzman. Michael Zimmer has also been discussing privacy concerns with Microsoft about their similar efforts: More designing for privacy: Microsoft HealthVault.