Dr. Goldberg is Director of Skin Laser & Surgery Specialists of New York and New Jersey, Director of Mohs Surgery and laser research, Mt. Sinai School of Medicine, and Adjunct Professor of Law, Fordham Law School.
Dr. Skin has a large, skin cancer-based practice in a large metropolitan area. Many of his patients are highly successful businessmen who travel extensively to many parts of the world for long periods of time.
Some of these patients have had multiple skin cancers, including melanoma. Because the patients travel so much, they have medical records in multiple physician offices - often in multiple countries.
Because of this, it has become increasingly difficult for Dr. Skin to keep organized records of his patients' medical care.
Recently, Dr. Skin became aware of Google Health, a free service that provides consumers with electronic personal health records (PHR), with the aim of solving the problems associated with Dr. Skin's patients. This service is analogous to an online filing cabinet, where patients can securely store their medical records in a single centralized location.
Information added to a patient's Google Health profile is accessible from anywhere in the world, as long as the user has computer Internet access. This portability and convenience can be of great benefit to many patients, especially those who have changed employers, changed health insurance plans, seen multiple physicians or moved on a regular basis.
Google Health provides patients with the opportunity to take current medical records stored in many physician offices, scattered in many places, and consolidate them in a single, easily accessible place that is independent of any particular health plan, physician or place of work.
Dr. Skin has now been recommending that all of his patients use Google Health and has, as a courtesy, been entering his own patient records on their own respective Google PHR once he has received signed permission to do so.
There's only one problem that has surfaced - Google Health is not covered by the Health Insurance Portability and Accountability Act (HIPAA). Dr. Skin must comply with HIPAA, of course, but because Google is not a covered entity, it doesn't have to comply with HIPAA's privacy or security provisions.
In theory, Google could sell its customers' personal health data to marketers, bombard them with advertisements from drug and device manufacturers, and breach its users' trust with little to no legal consequence. Has Dr. Skin, by transferring records to Google Health, committed a HIPAA violation?
The privacy rules of HIPAA apply only to "covered entities." Covered entities, in general, are health plans, healthcare providers and healthcare clearinghouses. These entities can disclose private healthcare information only in carefully limited circumstances, such as for medical treatment or payment purposes, or if the disclosure is required by law.
In addition, HIPAA requires covered entities to release only the limited amount of information necessary under the circumstances.
Although HIPAA provides many protections for patients whose records are held by a covered entity, its protections do not extend to records the patient has voluntarily transferred to a third party, such as Google Health.
The HIPAA Privacy Rule applies to all health plans. A health plan is defined as "an individual or group insurance plan that provides or pays the cost of medical care." This definition applies to both private and government-sponsored health benefits, but it does not apply to Google. Because Google is not an insurance company and does not provide or pay for medical services, it does not qualify as a health plan.
Although Google Health does help patients organize their medical records, the company does not provide any actual medical care. Similarly, although patients may use Google's search engines to assist in diagnosing their own illnesses, Google does not provide any formal medical advice. As a result, Google does not qualify as a healthcare provider.
In the end, as long as Dr. Skin has received permission to transfer medical records to Google Health, he has not committed a HIPAA violation, regardless of what happens to these records once uploaded to Google Health.
David Goldberg, M.D., J.D., is director of Skin Laser & Surgery Specialists of New York and New Jersey, director of laser research, Mount Sinai School of Medicine, and adjunct professor of law, Fordham Law School.