Google VP Marissa Mayer has posted some more information about Google Health on the Google Blog. The first bullet point of her post deals with privacy, with the official position still ambiguous:
Due to the sensitive and personal nature of the data that will be stored in Google Health, we need to conduct our health service with the same privacy, security, and integrity users have come to expect in all our services. Google Health will protect the privacy of your health information by giving you complete control over your data. We won’t sell or share your data without your explicit permission.
So Google Health is going to give me the option of selling my health records? And realistically, shouldn’t we expect greater privacy for personal health data as opposed to say, our Google reader? Of course, none of this addresses the question regarding Google’s reading of the records, nor does it address the format of storage. Based on the comments to my last post (they’re great, do read), it seems that I’m the naive one for ever assuming that Google wouldn’t be reading and profiling me based on my records. I’m following privacy expert Michael Zimmer as he tracks the issue.
The main reason I’m posting today is because, in the Google blog post, Mayer posts screenshots that contain links to the Google Health privacy policy. I can’t find this policy anywhere, but if a reader or anonymous Googler might leave a comment directing me to the policy, I’d love to read it. Frankly, I’ve never been so excited to read a privacy policy.
Another note of worry comes from Mayer’s characterization of Google Health’s development strategy. She says “We’re proud of the product that we’ve designed and are continuing to build, but recognize that we are just at the initial stages of our “launch early and iterate” strategy.” This strategy may work fine at your average Web 2.0 startup, but these are health records we’re talking about, and serious partnerships with major health care and insurance vendors. Frankly, this doesn’t lend itself well to the “launch early and iterate” philosophy.
I wish Google would show a little more respect for this very special data.
Update: Michael Zimmer has posted on this new development:
We need to learn more about what Google is contemplating here: What plans exist to sell or share my medical data if I do give explicit permission? How will my data be used, and by whom? How will my permission be granted? Will I know who is using the data and how? Can I decide I want to share it with certain parties and not others?
I think it is obvious that she is talking about the development of the UI or the user experience, not the backend. So there would be no need to worry so much about that. a
Fair enough, but I honestly don’t think a product that deals with data like this should be treated with such a laissez-faire attitude. Just my opinion.
I felt the same way when I read this. Google Health is radically different from Google’s other services with respect to privacy and it’s surprising that they don’t seem to realize this.
AFAIK you need to have access to the program to view the privacy policy. I couldn’t find it.
If you want medical records policy look into HIPA
To address the privacy fears associated with Google health records, patients might post legal terms and conditions in their records. http://hack-igations.blogspot.com/2008/02/contracts-for-patient-privacy.html
I think they’ve missed the boat on this one. You’re point about privacy is good — I can imagine the paid advertisments I’ll get on the side when I get diagnosed with ED. All kidding aside, it’s a good idea but I don’t think it will be used by most people. They could have used their computing power to better organize primary care.
I don’t think that google has hit the mark with this product but business sense aside how do they plan on meeting privacy policies across borders? Presumably there servers are all over the world and subject to different privacy laws? I assume they’ll have to limit access to the user and sign a contract with the user/Google then it becomes a civil issue not a medicolegal one? http://www.waittimes.blogspot.com