MSU Law Faculty in the News

Experiment with online medical privacy
May 20, 2008
Detroit News Op Ed
By Professor Adam Candeub

Much attention has greeted Google's pilot project to provide electronic medical records online. But concerns about violations of privacy are woefully misplaced.

The Google initiative would permit you and your doctor to access your online records at any time, from any place. It would free you from depending on doctors to mail or fax paper copies to other doctors. And, presumably, it would even give you the power to block access by your own physicians -- a strategy Elaine from "Seinfeld" might have found helpful when dealing with the series of doctors writing unflattering impressions in her medical chart.

Despite these obvious consumer benefits, critics have raised privacy concerns. They have conjured up visions of Google spewing across the Web medical details about your weight, drug history and private parts. Many have even advocated applying the federal Health Insurance Portability and Accountability Act to Google. HIPAA protects patient privacy and now only applies to doctors, hospitals, health insurance plans and others in health care.

Critics of the Google medical records initiative -- being tested at the Cleveland Clinic -- fail to recognize that federal privacy protections are quite limited, even illusory, and the redress they provide against privacy violators is even more insubstantial. Further, as all medical records move toward an electronic format, privacy will suffer regardless of whether Google's initiative takes hold.

Considering the state of medical privacy, the gain from consumer-controlled medical records simply outweighs privacy concerns. Rather than apply a federal medical privacy law to Google, state legislatures interested in protecting privacy should strengthen laws permitting individuals to sue health privacy violators.

While HIPAA prohibits "covered entities" -- such as doctors, hospitals, pharmacists and health plan administrators -- from releasing health care information, you can drive a truck through the law's exceptions. Any health care provider, if he or she thinks it appropriate, may release your health care information to any other health care provider without your consent. If your doctor sells his or her practice, therefore, he or she can sell your records to the new doctor without your consent. Insurance companies may receive information without your consent. So may pharmaceutical companies and other businesses interested in marketing drugs or other health care-related items to you.

The federal health accountability law also allows the government to peruse your records for law enforcement, public health, medical research or myriad other reasons. Arguably, HIPAA only keeps your health care private from those who reasonably should have access -- such as a friend attempting to pick up your prescription from the doctor.

Because the federal law would not apply to Google, your records in its system would lack the law's protections. Only one's password or Google's anti-hacking security would keep your medical details safe.

This might seem flimsy, but in comparison with what? Yes, it is less secure than a paper record in some doctor's filing cabinet, but all medical records are moving to an electronic format. Any electronic medical record, whether protected by Google or your health care provider's computer system, is equally unsafe. Consider the leaks of health care information concerning major celebrities such as George Clooney. In Clooney's case, a hospital employee reportedly gained illegal access to Clooney's electronic medical records during a hospital stay.

Further, patients whose HIPAA rights are violated have no real recourse. They can bring complaints to the Department of Health and Human Services, which, in turn, can issue civil penalties for a whopping $100 per violation, but only if Health and Human Services bothers to pursue civil actions. Despite tens of thousands of complaints and frequent press accounts of rampant violations, the department has issued a handful of fines during the statute's 12-year history.

By giving consumers control, Google gives them responsibility, too. Those who give out their passwords unwisely could lose their privacy, but that is the price we pay for empowerment. If we wish to protect consumers from their carelessness (or any negligence or incompetence on Google's part), states should let individuals sue firms that negligently or intentionally release medical data and those who distribute it. Aggrieved parties could go after such "Internet pirates" in the same way the record companies pursue illegal music downloaders.

Let this Google initiative and its benefits to consumers proceed. Burdening it with useless privacy protections is absurd.

Adam Candeub is assistant professor and acting director of the Intellectual Property and Communications Law Program at the Michigan State University College of Law.