HIPAA Compliance Concerns with Google

February 9, 2012
92 Views

After reading a blog post about House Representative Mary Bono Mack (R-Calif.) and her concerns about Google’s new privacy policy potentially violating HIPAA compliance standards, I’ve concluded that:

After reading a blog post about House Representative Mary Bono Mack (R-Calif.) and her concerns about Google’s new privacy policy potentially violating HIPAA compliance standards, I’ve concluded that:

  • Searching for a medical phrase does not make that phrase protected/patient health information (PHI)
  • Users that volunteer search phrases and use Google are consenting to their privacy policy
  • It’s unfortunate a House Representative does not understand HIPAA
  • It’s unfortunate a House Representative does not understand Google or their privacy policy

In an interview with USA Today’s Technology Live blog, Mack used an example in which a user searches for cervical cancer on Google, doesn’t log out, and then is tracked across other products online (?). I assume she means the information they collect will influence the ads shown on Google’s Display Network across other sites you may visit.

Google doesn’t store any actual patient health information, such as the kind that a physician might collect in a clinic. SearchEngineLand.com’s article cites Google’s new privacy policy, stating:

When showing you tailored ads, we will not associate a cookie or anonymous identifier with sensitive categories, such as those based on race, religion, sexual orientation or health.

They also state that they require opt-in consent when it comes to sharing any sensitive personal information. In her interview, Mack also questions the definition of sensitive data, “They are saying that they do not track sensitive data like that. I don’t know who determines what’s sensitive and what’s not. And that’s probably another question on another day and a more extensive hearing.” Perhaps they should go by the Department of Health and Human Services (HHS)’s definition as written in their Summary of the Privacy Rule, as they are the leading government agency:

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”12

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.13  Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

Yale.edu’s HIPAA Guide offers more specific identifiers, including medical record number, account number, certificate/license number, web URL, IP addresses, finger or voice prints, etc.

Ultimately, the question remains, how can the Department of Health and Human Services and our government expect HIPAA compliance from healthcare and related organizations if government representatives appear to be unfamiliar with the standards and equally out of touch with technology and the use thereof? While the acts passed in 2009, I think healthcare organizations, business associates and the lawmakers could all benefit from a more in-depth review of the law.

If you’d like a refresher on HIPAA, our HIPAA FAQ and HIPAA Glossary of Terms could help.

References:
Google’s New Privacy Policy May Violate HIPAA, Congresswoman Says
Google Preview: Privacy Policy
Google Preview: Privacy FAQ
HHS’s Summary of the Privacy Rule
Yale.edu’s Health Insurance Portability and Accountability Act Guide

  

You may be interested

Where Is The Balance? Pushing Back Against Consumer Health Tech
eHealth
3 views
eHealth
3 views

Where Is The Balance? Pushing Back Against Consumer Health Tech

Larry Alton - August 18, 2017

When Republican Congressman Jason Chaffetz glibly remarked that Americans struggling to afford insurance should choose between that and their smartphones,…

What to Look for in Patient Solutions Software
eHealth
365 views
eHealth
365 views

What to Look for in Patient Solutions Software

Robert Cordray - August 17, 2017

The medical sector is one area where technology has had a significant impact, largely by providing tools that simplify many…

Can Natural Remedies Like RediCalm Decrease Stress and Anxiety?
Wellness
2 views
Wellness
2 views

Can Natural Remedies Like RediCalm Decrease Stress and Anxiety?

Ryan Kh - August 16, 2017

According to research from the National Institute of Mental Health, anxiety disorders are the most common mental illness in the…