Trust Google. Google is your friend. Now move along, citizen.

Posted by in Analysis on Jul 6, 2010

Source: community.wizards.com

The Deep End Blog over at InfoWorld had an interesting post yesterday about whether or not Google’s cloud services are more worthy of trust than other providers.  The author points out the tremendously invasive information that Google has about us and then goes on to ask several very pointed questions about whether they are appropriate stewards of that information or not.  All interesting stuff.

Now, I don’t consider myself an overly paranoid kind of guy (OK, well maybe just a little bit), but Google’s cloud offerings concern me too. But it’s not because they keep meticulous records on what you search for, because they track where you go, or even because they’ve already gotten in trouble for snooping on wireless networks as they populate Street View.

Sure, all that stuff is disconcerting.  But what really concerns me is Google Health.  Have you seen this service?  It lets you consolidate your medical records all in one place.  Mmmmm… Medical records.  All conveniently located in one place.  Not something I’d use, but if someone wants to opt-in, I suppose that’s their business.

But what I find very unwholesome about this service is what an individual is opting into when they decide to share their medical records with Google.  You see, doctors and hospitals have privacy and security requirements under the law – governing laws like HIPAA and HITECH spell out very clearly bare minimum security requirements that “covered entities” must employ to safeguard the data.  So a doctor can’t just look at any record they want or send medical records to whomever they want (well, they could I suppose, but they’ll go to jail for it).  The requirements aren’t perfect and lord knows enforcement isn’t either – but it’s something at least.

Google claims flat-out that HIPAA security and privacy requirements don’t apply to them:

Google is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder (“HIPAA”). As a result, HIPAA does not apply to the transmission of health information by Google to any third party.

So no mandatory security requirements for you.  And because they aren’t signing business associate agreements with the healthcare providers they’re partnering with, it’s arguable to what extent they believe HITECH applies (since HITECH carries over privacy and security requirements to business associates).  Yes… Apparently much like the bad guys in a Knight Rider episode, they believe that they operate above the law.

In theory, I get what Google is saying.  It’s voluntary for a patient to sign up for this.  Nobody’s holding a gun to their head and making them use it.  And if Google says outright they choose not to meet the bare minimum provisions of HIPAA security, maybe it’s OK for the patient to decide for themselves if that’s acceptable or not.  After all, if a consenting patient decides to take a diagnostic image (like an X-Ray or whatever) – or a copy of their chart – and tape it to a public notice board, that would be their prerogative, right?

But what’s creepy about the Google service is that (unlike the patient who posts their record to the bulletin board), a patient might not understand that they’re doing the equivalent when they decide to store their information in Google’s system.  OK, so they need to agree to the terms of service where it’s spelled out pretty clearly.  But how many people are reading through that with a microscope before making a decision?

Mark my words: this thing is going to end badly for somebody. Either they’ll get sued or some gaffe will wind up in the press. Maybe some Google employee will do the stuff that hospital employees get fired for: looking at neighbors’ records, family members’ records, or VIP (famous people) records. Maybe because they’re not auditing access (like they’d be required to under HIPAA), it’ll go on longer than would otherwise be the case. Or maybe they’ll sell bulk identifiable diagnostic information to a marketer. Either way, not good for anybody.
