Google Health: Maybe not so healthy after all?
Posted by Ed in Analysis on Jun 3, 2010

Over the past few months, I’ve had some questions from healthcare providers (hospitals mostly) about Google Health. In case you’re not familiar, Google Health is basically a service where google hosts your medical records for you.
<sarcasm>Pretty cool right? The company famous for liberating information from the tired restrictions of conventionality now has access to our collective medical histories? Whoopity-dooda. You think they might have plans to search it for some reason?</sarcasm>
So the wisdom (or not) of a hospital using this aside for the moment, I have to admit that I’m a little confused about their stance from a security perspective. So Google says:
“Some have asked how Google Health relates and compares to the privacy protections for patients under the Health Insurance Portability and Accountability Act (HIPAA), a federal law that establishes privacy standards for patient health information. Unlike a doctor or health plan, Google Health is not regulated by HIPAA because Google does not provide health care services.”
Sigh. Really, Google? Really? They then go on to tell us all not to worry about it because they have the same security and privacy controls as HIPAA. Interestingly, they consolidate the entirety of the Security Rule into “reasonable and appropriate safeguards to prevent intentional or unintentional use or disclosure of health information”. Not sure if they’re looking at the same Federal Register I am, but I’d recommend that they start with 45 CFR Part 160 and Subparts A and C of Part 164 – you know, the document where things like data encryption, risk analysis, and access controls are required. Does Google require any of this? Guess what: we don’t know. Why not? Because apparently the rules don’t apply to them.
What really sizzles my bacon about the whole thing is that Google holds the position that HIPAA doesn’t apply to them – hence they won’t sign things like business associate agreements. By their same logic, HITECH wouldn’t apply to them either. But it’s totally bogus - they are clearly a business associate, even under the most restrictive of interpretations. How does that conversation go?
Google: We’re not a business associate because we don’t interact with PHI in any way. Nope, it’s all you. No PHI for us – we just host it, maintain it, administrate it, conduct it over our network, index it, sort it, store it, and provide reporting back to you on it.
Why is it that people buy in to this line of reasoning? Help me to understand why someone would use this service…