Google Health is shutting down in 2012. I wasn't really surprised to hear that. I didn't think it was a concept that was going to have a high adoption rate to begin with. It's one thing for Google to manage your email, photos, instant messages, contacts, videos and track your behaviors. But for Google to know that you just had an organ removed the week before? I'm not too sure that's the type of information that you would want to share with them.
Then again, I'm biased. Working with health insurance companies for a number of years has made me sensitive to handling personal health information (PHI). At Blue Shield of California, we spent a lot of time thinking about PHI and HIPAA compliance and its impacts - and acknowledging how much it matters to consumers. We frequently hear about hackers breaking into ecommerce and online banking systems, but generally most people aren't too concerned if an online account is hacked because most credit cards are usually protected from fraud and someone won't lose more than $50. But what if someone hacks into your health information? What if you have a life-threatening illness that you want to keep private? What if an employer learns about an illness (such as mental illness) and uses that information against you?
It can happen.
Below are two points Google lists for sharing PHI that I find challenging:
- With contractors and vendors operating solely on Google's behalf (subject to security and confidentiality requirements)
- To protect against imminent harm to the rights, property or safety of Google, its users or the public, or to address fraud or violations of the Terms of Service
What does this mean? Is this marketing information? What if someone has Hepatitis? Does this imply that Google needs to report that? What about reported epidemics? What about other disorders? Will it notify a 3rd party to contact you for more information? Shouldn't this go to a doctor? Where is your doctor in all of this? Reading this doesn't make me feel comfortable about the security of my health information and raises more questions than answers about information usage.
Who can access the information
A limited number of employees in particular job functions may have access to user information in order to operate and improve Google Health. Users consent to this limited internal use when they sign up for Google Health.
In health industries, employees and contractors go through quite a bit of training to learn how to protect an individual's PHI. I had to take courses and pass tests about PHI every couple of years to validate that I knew the rules. And I would have to go through more training if I actually worked with PHI. Given everything I had to keep in mind with PHI, I didn't want to work on anything related to it - it was all too much responsibility. But reading the above regarding Google, I'm not sure from this description how much training someone in Google gets around PHI or how that works. And even then, PHI is generally shared with organizations and people to get help and more information about an illness or coverage. Usage stats should be used for improving the site - not PHI. I think here, Google missed the point.
How Information is Kept Secure
This is the HIPAA security mandate:
HIPAA requires that health care providers and other services maintain a minimum standard of "reasonable and appropriate safeguards to prevent intentional or unintentional use or disclosure of health information".
This is the Google Health security mandate:
Google Health secures information by:
- Using electronic security measures such as Secure Socket Layer (SSL) encryption, back-up systems, and other cutting-edge information security technology
- Strongly restricting information access to a limited number of necessary personnel
Companies like Kaiser Permanente and other HMOs will often have networks of information inside a firewall. There is a lot of technology set up to allow PHI to be accessible to doctors inside the network and not to the outside world. Given that SSL is used with ecommerce and online banking - and people can break into this - it doesn't give me a lot of confidence. Sure, SSL is fairly secure, but I'm not sure how I feel about this protecting my health information. I almost feel better keeping my information as hard copy with a doctor and using the fax to transmit it - and this is why that workflow is often used today. There is more at risk with PHI in the wrong hands than your credit card. Again, you can be protected for up to $50 spent through fraud; no one can protect you if someone learns about your health problems and decides to use this against you.
Don't get me wrong, Google Health as a concept is a great idea. It would have been a better idea if it had originated from a health organization rather than an organization that leverages user data and tracks behavior for monetary gain. And people do recognize that Google is about the statistics - so it does make one wonder about their motives. With all of these factors, it does explain why Google Health just never was adopted as it potentially could have been.
What are your thoughts?