Google’s new privacy policy is still a matter of concern and reservation on Capitol Hill. Google recently announced that it would be folding all of its privacy policies into one, giving the company the ability to share user information across its many services. Several House members remain concerned that the way Google now handles sensitive medical searches may violate the Health Insurance Portability and Accountability Act, or HIPAA.
Google’s director of public policy, Pablo Chavez, and Google attorney Michael Yang were intensely questioned for two hours by members of the House Energy and Commerce committee in a closed-door meeting on February 2. After the meeting, a number of Representatives expressed their dissatisfaction with Google on a number of privacy issues. Representative Mary Bono Mack is concerned, in particular, that Google may be sharing personal health information inappropriately, in direct violation of HIPAA.
“[S]ay you do a Google search for cervical cancer and you forget to sign out,” Bono Mack explained to USA Today. “Are you being tracked across all of the other products, and if so, that’s a violation of HIPPA. We’ve gone to great lengths in our society to protect people’s medical information. That question was raised.”
Bono Mack’s concern is that Google will remember the “cervical cancer” search even after the user moves on to another Google service, such as Gmail or YouTube.
But does HIPAA even apply to Google? The Health & Human Services website says that the law applies to “covered entities,” such as health care providers, health plans, and health care clearinghouses. Google certainly doesn’t fall under the health care provider or health plan categories, but could it be considered a clearinghouse? In his article on Search Engine Land, Matt McGee weighs in with a tentative “no.”
Even when Google was explicitly involved in health information (through its Google Health service, which shut down at the beginning of the year), there was some question as to whether it was bound by HIPAA. In its old Google Health privacy policy, the company stated outright that it wasn’t. Its new privacy policy, which goes into effect on March 1, further claims that personalized ads won’t be based on any health-related activity:
“When showing you tailored ads, we will not associate a cookie or anonymous identifier with sensitive categories, such as those based on race, religion, sexual orientation or health.”
Even though Bono Mack insists that the Congressional hearings about online privacy will continue and will involve Google, McGee is of the opinion that the HIPAA angle won’t gain much traction.
Sources:
Rep. Bono Mack Reports on Closed-Door Google Briefing (USA Today)
Google’s New Privacy Policy May Violate HIPAA, Congresswoman Says (Search Engine Land)