Google Health: Are You Feeling Lucky?

Do you trust Google enough to give it your medical records?

That's precisely what the search juggernaut is asking users to do with today's introduction of Google Health.

The service is designed to allow consumers to keep all of their health records stored, indexed, and easily searchable on Google's servers. Company executives stressed the privacy features of the service.

"The information in your health record is yours and it doesn't get shared with anyone else without your permission," Google chief executive Eric Schmidt said.

Well, not quite Eric.

According to the Google Health FAQ:

We will not share your health data with individuals or third parties unless you explicitly tell us to do so or except in certain limited circumstances described in our privacy policy.

What circumstances would those be? To wit:

We provide such information to our subsidiaries, affiliated companies, or other trusted businesses or persons for the purpose of processing personal information on our behalf. We require that these parties agree to process such information based on our instructions and in compliance with this Policy and any other appropriate confidentiality and security measures.

In other words, it's not enough to just trust Google. You have to trust that Google's "subsidiaries, affiliated companies, or other trusted businesses or persons."

But wait, there's more. Google can share your information without your consent if:

We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against imminent harm to the rights, property or safety of Google, its users or the public as required or permitted by law.

In other words, Google can fork over your data if the cops or anyone else come calling with a subpoena (or whatever else the Patriot Act allows for these days).

We're not done yet. Buried in the Google Health Terms of Service, the company makes the following disclosure:

Google is not a "covered entity" under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder ("HIPAA"). As a result, HIPAA does not apply to the transmission of health information by Google to any third party.

That means Hipaa sections that relate to privacy and data security do not bind Google. Specifically, Google isn't covered by the law's privacy rule, which requires an "individual's written authorization" before disclosing health information to a third party.

Given that fact, and the other "circumstances" Google describes which would allow it to share health data without consent, if you do decide to turn your health data over to Google, you should ask yourself the following question:

Are you feeling lucky?

by Sam Gustin