by Jessica Young and Annie I. Antón
On May 19, 2008, Google launched Google Health, a new Personal Health Record (PHR) web portal that allows patients to gather and organize their medical records while keeping their physicians up to date about their health condition. As with other PHRs, like Microsoft’s HealthVault, Google Health does not appear to be covered by federal or state health privacy laws. According to the Google Health Terms of Service, Google is not a “covered entity” as defined in the Health Insurance Portability and Accountability Act (HIPAA); as such, “HIPAA does not apply to the transmission of health information by Google to any third party”.
Researchers at ThePrivacyPlace.org have evaluated privacy policies and privacy breaches since its founding in 2001. In particular, The Privacy Place researchers are addressing the extent to which information is protected in financial and health care systems that must comply with relevant laws and regulations.
Google Health is not a covered entity as defined in HIPAA. Thus, any personal health data that you submit to Google Health will not be afforded the same legal protections required of health care providers under HIPAA. Until state and federal agencies establish and enforce laws to protect the privacy of personal health records maintained by non-covered entities, individuals should carefully consider the risks involved in submitting sensitive health information to Google Health and other PHRs such as HealthVault. PHRs are not subject to the same privacy and security laws to which traditional medical records are subject in the United States.
We sent four questions regarding Google Health’s privacy practices via the Google Health Help Center on May 23, 2008. On June 4, 2008, we submitted the same four questions but this time via Google’s Web Search Help Center, where users are invited to submit questions specifically about Google’s privacy practices. It has been over three weeks since our first inquiry and we have yet to receive a response of any kind to any of our questions. Patients are concerned about the privacy of their health information. A lack of prompt replies to questions regarding health privacy is disconcerting and suggests that privacy is not a priority for those managing Google Health or manning the Google Help Center.
We focused on three questions of Microsoft’s HealthVault in our previous analysis. Here we examine these same three questions within the context of Google Health.
Will your health information be stored in other countries without appropriate legal oversight, skirting many of the protections afforded by HIPAA?
Will your health care records be merged with other personal information about you that was previously collected within the context of non-health related services?
Are the access controls to your health records based not only on your consent, but also on the principle of least privilege?
Google Health.
Google Health Terms of Service, April 28, 2008.
A.I. Antón. Is That Vault Really Protecting Your Privacy?, ThePrivacyPlace.org Blog, October 9, 2007.
Google Health Help Center Contact Us [Question about privacy] page.
National Consumer Health Privacy Survey, California Health Care Foundation, 2005.
Google Health Frequently Asked Questions, no date provided.