After reading a blog post about House Representative Mary Bono Mack (R-Calif.) and her concerns about Google’s new privacy policy potentially violating HIPAA compliance standards, I’ve concluded that:
After reading a blog post about House Representative Mary Bono Mack (R-Calif.) and her concerns about Google’s new privacy policy potentially violating HIPAA compliance standards, I’ve concluded that:
- Searching for a medical phrase does not make that phrase protected/patient health information (PHI)
- Users that volunteer search phrases and use Google are consenting to their privacy policy
- It’s unfortunate a House Representative does not understand HIPAA
- It’s unfortunate a House Representative does not understand Google or their privacy policy
In an interview with USA Today’s Technology Live blog, Mack used an example in which a user searches for cervical cancer on Google, doesn’t log out, and then is tracked across other products online (?). I assume she means the information they collect will influence the ads shown on Google’s Display Network across other sites you may visit.
Google doesn’t store any actual patient health information, such as the kind that a physician might collect in a clinic. SearchEngineLand.com’s article cites Google’s new privacy policy, stating:
When showing you tailored ads, we will not associate a cookie or anonymous identifier with sensitive categories, such as those based on race, religion, sexual orientation or health.
They also state that they require opt-in consent when it comes to sharing any sensitive personal information. In her interview, Mack also questions the definition of sensitive data, “They are saying that they do not track sensitive data like that. I don’t know who determines what’s sensitive and what’s not. And that’s probably another question on another day and a more extensive hearing.” Perhaps they should go by the Department of Health and Human Services (HHS)’s definition as written in their Summary of the Privacy Rule, as they are the leading government agency:
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”12
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.13 Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
Yale.edu’s HIPAA Guide offers more specific identifiers, including medical record number, account number, certificate/license number, web URL, IP addresses, finger or voice prints, etc.
Ultimately, the question remains, how can the Department of Health and Human Services and our government expect HIPAA compliance from healthcare and related organizations if government representatives appear to be unfamiliar with the standards and equally out of touch with technology and the use thereof? While the acts passed in 2009, I think healthcare organizations, business associates and the lawmakers could all benefit from a more in-depth review of the law.
If you’d like a refresher on HIPAA, our HIPAA FAQ and HIPAA Glossary of Terms could help.
References:
Google’s New Privacy Policy May Violate HIPAA, Congresswoman Says
Google Preview: Privacy Policy
Google Preview: Privacy FAQ
HHS’s Summary of the Privacy Rule
Yale.edu’s Health Insurance Portability and Accountability Act Guide