Google Health Privacy: All Talk, No Teeth?
Google Health and its supporters talk a good game about the lengths the service goes to in protecting the privacy of users' health records -- all necessary because the main federal patient-privacy law, the Health Insurance Portability and Accountability Act (HIPAA), doesn't apply to online health services of this sort.
Google, for instance, put together a straightforward chart comparing HIPAA-mandated protections to its own efforts, which -- surprise, surprise -- suggests that users are better off trusting the company than their own doctors. Similarly, John Halamka, the CIO of both Harvard Medical School and Beth Israel Deaconess Hospital and an advisor to Google Health, writes in his blog (in comments) that Google's privacy policy "is as strong or stronger than HIPAA."
Of course, that would be terrific if true -- but a closer look at Google's arguments and the terms of service for Google Health suggests that it's not even close. Corporate privacy policies are little more than promises without robust accountability and enforcement mechanisms, and it's there that Google has been careful to limit its exposure to serious consequences should it somehow fail to uphold its own standards.
Start with that Google chart, which, on paper -- OK, on screen -- does suggest that Google's policy has the edge over HIPAA in terms of users' ability to see who has access to their data and to withhold it from third parties, even in "deidentified" form. The last line, however, is potentially the most important. There Google notes that HIPAA violations are overseen by the Department of Health and Human Services, which frequently works with the Justice Department and has a reputation as a pretty fearsome regulatory enforcer -- ask anyone accused of Medicare fraud. Google's own privacy policy, by contrast, is safeguarded by the often-toothless Federal Trade Commission and state attorneys general, who are a decidedly mixed bag in terms of the vigor with which they pursue consumer-protection cases.
More to the point, Google has taken additional steps that not only limit its liability in the event of privacy breaches, but which formally require users to indemnify the company and to defend it should legal problems arise. The key passage in the Google Health terms of service is this:
10. Indemnification
You will defend or settle any third-party claim against Google, any third party Google Health feature providers, or any of Google's other licensors arising out of or related to your use of Google Health.
Read literally, this would suggest that even a civil case brought by the FTC or, say, the California AG would end up in the lap of any users who felt they'd suffered harm through a privacy breach at Google Health or any of its partners. I'm no lawyer, so it's entirely possible that there's less to this provision than I'm allowing here. But this clause struck me as unusual the first time I saw it, and it grows more ominous the longer I look it over.
Google's self-protection doesn't end there:
12. Limitation of Liability
NEITHER YOU NOR GOOGLE OR ANY OF ITS LICENSORS MAY BE HELD LIABLE UNDER THIS AGREEMENT FOR ANY DAMAGES OTHER THAN DIRECT DAMAGES, EVEN IF THE PARTY KNOWS OR SHOULD KNOW THAT OTHER DAMAGES ARE POSSIBLE OR THAT DIRECT DAMAGES ARE NOT A SATISFACTORY REMEDY. THE LIMITATIONS IN THIS SECTION APPLY TO YOU ONLY TO THE EXTENT THEY ARE LAWFUL IN YOUR JURISDICTION.
NEITHER YOU NOR GOOGLE OR ANY OF ITS LICENSORS MAY BE HELD LIABLE UNDER THIS AGREEMENT FOR MORE THAN $1,000.
The limitations of liability in this Section do not apply to breaches of intellectual property provisions or indemnification obligations.
The wording here suggests two things. First, by limiting damages to "direct damages," Google appears to be saying that it and its partners can only be held liable for the direct consequences of any personal-data disclosure. Since the major concern about having your health information disclosed -- the fear of huge medical bills should you lose or become ineligible for health insurance -- is essentially indirect, this looks a lot like a get-out-of-jail-free card for Google Health. Again, this is by a common-sense definition; the actual legal standard may vary.
Second, even if those consequences are somehow considered a "direct" consequence of a privacy breach, no one responsible stands to pay more than $1,000 -- a drop in the bucket compared to the cost of medical care. The only caveat to this point is that individual state law may trump these provisions, at least in consumer-friendly places like California.
Why does this matter? The history of personal-data breaches at corporations has been one long catalog of negligence over the past decade or so, and that situation seems unlikely to change unless companies find themselves strictly liable for any damages resulting from such disclosures. Banks that issue credit cards, for instance, are awfully diligent about keeping an eye out for fraud because they're on the hook for any wrongful charges above a token amount.
So even if Google's liability protections won't hold up in every circumstance, they still have the insidious effect of muddying its responsibility -- and that of its corporate partners -- to exercise the utmost care in protecting users' health data. That's one more major shortcoming of the service, which I'd add to the seven other Google Health flaws I wrote about previously.
All that, in turn, reduces Google Health's vaunted privacy policy to a simple question of whether you really, really trust the company's "Don't Be Evil" slogan -- and are also willing to believe that it extends to every partner Google Health does business with.