Why Google Health and HealthVault are not covered by HIPAA

Fred Trotter sent out this note to several health IT bloggers recently.

Recently Slashdot referenced two uninformed comments on the Google Health offering.

The problem here is that HIPAA should NOT cover Google Health or HealthVault. This issue now dominates this debate, and I wanted to specifically point out some of the problems with this thinking.

Fred does a great deal of wonderful healthcare and IT writing. His latest argument for why HIPAA does not cover Google’s or Microsoft’s PHR offerings makes a lot of sense and is well worth reading. Vendors of technology are generally not covered entities unless they are somehow participating in the care process, and I think everyone’s making a big deal about "Google is not HIPAA compliant" or "Microsoft has privacy problems" for very little reason.


4 thoughts on “Why Google Health and HealthVault are not covered by HIPAA”

  1. Shahid,

    Even if Google Health, Microsoft HealthVault, Dossia, etc. WERE covered by HIPAA the question would still go begging …

    Is there to be a critical mass of internet users who will actually put their medical profile online under the current privacy paradigm?

    I believe the answer is proving itself to be a clear and resounding ‘no’.

    There must be a shift from the prevailing privacy paradigm (whether enforceable through HIPAA or the contractual Terms of Service provided by Google Health, etc.) toward a paradigm of technological data ownership.

    When that happens, then I’ll say, “Now you’re talking!”

  2. Few people are talking about the risks of sending emails through insecure connections and the possible legal implications of someone intercepting or accidentally receiving protected health information (PHI).

    There are free secure email encryption services out there like http://www.hisecure.net.

    Nice Blog!

    Some info on hisecure.net:
    up to 4096-bit encryption
    all email communications take place over a secure connection (https://) –> not just the login!
    secure server, climate controlled, only authorized staff has access to the server
    firewall, anti-virus, logs of any/all attacks
    secure off-site backups, fail-over email system, redundant power, RAID HDs

  3. Trotter’s column misses the point entirely, and clearly does not understand privacy law. The reason to put Google under the HIPAA privacy and security rules is not to control Trotter’s ability to use and disclose the information. The purpose is to control Google’s ability to use and disclose the information. Under current law, Google can change its privacy policy at any time. Under current law, no minimum standards of IT security apply to Google as a matter of law. This situation will adversely impact Google’s ability to get a critical mass of users for this service.

  4. I found your blog on google, and read a few of your other posts. I just added you to my Google News Reader. Keep up the good work. Look forward to reading more from you in the future.
