Site Menu

Google Health and HIPAA

By Jim Hietala
Published 06/9/2008

Martin McKeay recently posted a blog entry on behalf of Eric Irvin that describes Google's personal health record services, and their posture relative to HIPAA requirements. The short version of the story is that Google apparently is not legally required to comply with HIPAA because they are neither a provider of healthcare services, nor a payer, hence they are not a covered entity as described in th

e HIPAA act language.

I agree with Eric that Google should comply with HIPAA privacy and security rule requirements, after all, they set a fairly low bar on the security side. I also think that CMS should start thinking about these cases, because we will see more of this in the near future, both from Google and Microsoft, but also from regional health information networks, and other medical record sharing entities that are not technically providers of healthcare services.

Jim

Jim Hietala

Jim Hietala, GSEC, GCFW and CISSP, is the principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. Jim has provided consulting services to organizations such as SANS, The Open Group Security Forum, Logical Security, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, and others. He holds a B.S. in Marketing from Southern Illinois University.

Editorial focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy

Jim can be reached at: jim@compliancefocus.com