Google Health, which gives users instant electronic access to their health histories, launched this week. The service allows users to link information from pharmacies and care providers, with plans for more health information access.

Partnerships with Google Health have already been announced with Walgreens, CVS, Longs Drug Stores, AllScripts, Quest Diagnostics, and the Cleveland Clinic.

Users sign up and allow Google Health to access their health information, and can then customize their profile with information on prescriptions and doctors. Users can also search for doctors from within the system. Google has been receiving millions of search requests from people trying to find information about injuries, illnesses and treatments, and Google Health is its solution.

In general, privacy watchdogs feel Google already has access to too much information about its users, and this merely adds to that. Google Health services are not covered by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires that anyone seeking your medical records subpoena you and give you a chance to deny access.

Once you give Google Health access to your health records, HIPAA rules no longer apply. The Google privacy policy may not protect your medical records as strongly as it should. Google representatives say that health information is stored on the most secure computers at Google, but the Google TOS gives some pause. Unless you actively disable it, you are giving Google permission to pass your data to third parties:

If you create, transmit, or display health or other information while using Google Health, you may provide only information that you own or have the right to use. When you provide your information through Google Health, you give Google a license to use and distribute it in connection with Google Health and other Google services. However, Google may only use health information you provide as permitted by the Google Health Privacy Policy, your Sharing Authorization, and applicable law. Google is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder (“HIPAA”). As a result, HIPAA does not apply to the transmission of health information by Google to any third party.

The privacy policy says that a copy of your data may still be retained after you disable such access:

If you share your information with others, you can view a list of who has access to your information and you can revoke sharing privileges at any time. When you revoke someone’s ability to read your health information, that party will no longer be able to read your information, but may have already seen or may retain a copy of the information.

Google explains the difference between their policies and HIPAA in this blog post and in this very handy comparison chart. It does help to answer questions about security, although I still think the “access by default” approach is a dangerous one. In the end, you must decide if you trust Google enough to have access to your information. And you must take an active role in determining what third parties, if any, you wish to access that information.

What do you think of Google Health? Will you sign up?

Via ZDNet, AP, Technology Review