Google’s New Privacy Policy May Violate HIPAA, Congresswoman Says

Several members of Congress continued to express reservations about Google’s new privacy policy after a closed-door meeting on Thursday, with one House member saying that Google’s handling of sensitive medical searches may violate HIPAA, the Health Insurance Portability and Accountability Act.

Members of the House Energy and Commerce committee grilled Pablo Chavez, Google’s director of public policy, and Google attorney Michael Yang for about two hours. After the meeting, several of the Representatives expressed their unhappiness with Google’s answers on a variety of privacy issues — questions brought on by Google’s recent announcement that it will combine all of its privacy policies into one, which will allow the company to share user information across its services.

That last point, according to Representative Mary Bono Mack, may leave Google in violation of HIPAA, a law that protects how personal health information may be shared. Bono Mack explained her concerns to USA Today:

“…say you do a Google search for cervical cancer and you forget to sign out. Are you being tracked across all of the other products, and if so, that’s a violation of HIPAA. We’ve gone to great lengths in our society to protect people’s medical information. That question was raised.”

Bono Mack is suggesting that Google might be violating HIPAA if it remembers the “cervical cancer” search after the user moves on from search to another Google product, like Gmail or YouTube (or any other).

But is Google actually compelled to follow the HIPAA requirements? According to the Health & Human Services website, the law applies to groups that meet the definition of a “covered entity” — health care providers (like doctors and nurses), health plans (like insurance companies and HMOs) and health care clearinghouses.

Google is certainly not a health care provider or a health plan, but is it a clearinghouse? My non-expert reading of the definition suggests the answer is “no.”

Google has been involved in health information via its Google Health product, but that just shut down on January 1st. Even when it was active, Google said it wasn’t bound by HIPAA. Here’s the opening sentence of the old/current Google Health privacy policy:

Unlike a doctor or health plan, Google Health is not regulated by the Health Insurance Portability and Accountability Act (HIPAA), a federal law that establishes data confidentiality standards for patient health information.

Furthermore, Google’s new privacy policy, which takes effect on March 1st, includes language that seems to say ads won’t be personalized based on health-related activity:

When showing you tailored ads, we will not associate a cookie or anonymous identifier with sensitive categories, such as those based on race, religion, sexual orientation or health.

Bono Mack tells USA Today that there will be more Congressional hearings about online privacy and that she “pressed” Google to be there. But, based on my non-expert reading of the law, the HIPAA angle may not get very far in those hearings.

We’ve been covering the non-search elements of Google’s new privacy policy on our sister site, Marketing Land. See below for several related articles offering background and other angles.

Related Entries

No, You Don’t Need To Fear The Google Privacy Changes: A Reality Check
Google “Myth Busts” Microsoft’s Privacy Claims
Microsoft Slams Google Privacy Changes With “Putting People First” Ad Campaign
Google Tells Congress: Users Can Opt-Out Of New Privacy Policy By Not Logging In
House Committee Has Privacy Questions For Google; Google Says Bring It On
Google’s New Terms Of Service & Privacy Policy: Anything You Do May Be Used To Target You?

(Stock image via Shutterstock.com. Used under license.)
