Neil Versel of BNET reports:
Although Google and Microsoft have gotten plenty of attention for their Web-based personal health records, both companies have long maintained that they’re not bound by the privacy protections of a 1996 federal law known as HIPAA. And despite a recent HIPAA change — one intended to extend its privacy provisions to services like Google Health and Microsoft’s HealthVault — both companies still insist they’re not bound by the law.
… “Our understanding is that HITECH, which is the jargon for [the health IT] part of the legislation, did not change the definition for a covered entity or a business associate, so our service is offered directly to the consumer,” Google Health Product Manager Roni Zeiger told Modern Healthcare last month. “[O]ur understanding is that we are neither a covered entity nor a business associate,” he continued. “We’re providing a service directly to the consumer or a patient.”
iHealthBeat has more on this issue.
You have to wonder what will happen with all of this information in one place. Without HIPAA, there are no penalties if Google’s beta goes awry. We already have problems with physicians dumping records. If Google drops a few million users’ info on the net for a few minutes, the results could be catastrophic.
It’s a potential privacy Chernobyl, to be sure.
What do you think about their interpretation of the new law? Do you feel that the law does cover their services?