Posts Tagged: health


28 Feb 08

Google Health: Launch early and iterate?

Google VP Marissa Mayer has posted some more information about Google Health on the Google Blog. The first bullet point of her post deals with privacy, with the official position still ambiguous:

Due to the sensitive and personal nature of the data that will be stored in Google Health, we need to conduct our health service with the same privacy, security, and integrity users have come to expect in all our services. Google Health will protect the privacy of your health information by giving you complete control over your data. We won’t sell or share your data without your explicit permission.

So Google Health is going to give me the option of selling my health records? And realistically, shouldn’t we expect greater privacy for personal health data as opposed to, say, our Google Reader? Of course, none of this addresses the question regarding Google’s reading of the records, nor does it address the format of storage. Based on the comments to my last post (they’re great, do read), it seems that I’m the naive one for ever assuming that Google wouldn’t be reading and profiling me based on my records. I’m following privacy expert Michael Zimmer as he tracks the issue.

The main reason I’m posting today is because, in the Google blog post, Mayer posts screenshots that contain links to the Google Health privacy policy. I can’t find this policy anywhere, but if a reader or anonymous Googler might leave a comment directing me to the policy, I’d love to read it. Frankly, I’ve never been so excited to read a privacy policy.

Another note of worry comes from Mayer’s characterization of Google Health’s development strategy. She says, “We’re proud of the product that we’ve designed and are continuing to build, but recognize that we are just at the initial stages of our ‘launch early and iterate’ strategy.” This strategy may work fine at your average Web 2.0 startup, but these are health records we’re talking about, and serious partnerships with major health care and insurance vendors. Frankly, this doesn’t lend itself well to the “launch early and iterate” philosophy.

I wish Google would show a little more respect for this very special data.

Update: Michael Zimmer has posted on this new development:

We need to learn more about what Google is contemplating here: What plans exist to sell or share my medical data if I do give explicit permission? How will my data be used, and by whom? How will my permission be granted? Will I know who is using the data and how? Can I decide I want to share it with certain parties and not others?


21 Feb 08

Google (reading) your health records

With the announcement of a Google Personal Health Records (PHR) pilot program, the company adds medical records to the growing dossier of information it collects about its consumers. CNN reports:

The pilot project to be announced Thursday will involve 1,500 to 10,000 patients at the Cleveland Clinic who volunteered to an electronic transfer of their personal health records so they can be retrieved through Google’s new service, which won’t be open to the general public.

Using a secure API, patients can transfer their health records to their Google accounts, creating a transportable repository of health information. Just as one might import IMAP folders into Gmail, soon we’ll all be moving our health records to Google.

This program raises numerous privacy concerns. Primary is the question of access; when one imports one’s health records to Google, does this mean Google gets to view the records? If one reports a cigarette pack history during a physical exam, will Google now flash ads for smoking cessation products to the user?

Google engineer Alan Newberger says, “Above all, health data will remain yours — private and confidential. Only you have control over when to share it with family members and health providers.” What does private mean? In context, Newberger is talking about transfer control; he’s not addressing whether Google gets to peek in on your records as well. Perhaps Alan will clarify?

It would be fairly trivial for Google to design a system that is truly private. Germany, for example, uses a PHR system that stores encrypted records. Only when a patient presents her “health card”, which decrypts the records, do they become viewable. Google certainly could design a system like this, but it would be of no benefit to their core marketing business.

While this is only a pilot program, it will grow quickly. According to Newberger, “We’ve been hard at work collaborating with a number of insurance plans, medical groups, pharmacies and hospitals.” If Kaiser and Blue Cross and CVS decide to play along, almost all of us lucky enough to have health care (sigh) will have the option to import our medical histories to Google’s servers.

Assuming that Google will be able to read our records, and I’ll update this if I’m wrong, let’s consider the ethical leap this is for the company. Can I ever really give informed consent when I’m trading my health records, deeply personal and private information, for the measly tradeoff of what essentially boils down to online hosting of text files? Sure, I’ve already given Google my search and communication information, but they had to work for it. But my entire medical history just so I can access it when I want? And they can market to me with that information? This is simply too much to give away for convenience.

I hope that someone can clarify the question of privacy. Will Google read my health records, or will they be stored encrypted, supposedly blind to the Google all-seeing eye?