Google Health Launched - T&C’s: what are the implications to users?
Posted by Z on May 21st, 2008 -
Today I decided to take a quick look at Google’s answer (Google Health) to M$’s HealthVault. Upon registering for the service I was first greeted with Google’s legal conditions for using the service. As I read them over many issues, thoughts, improvements, and questions came to mind. I post them here for discussion purposes - that is, what do you find unique, beneficial, disturbing, confusing, etc. about what’s below? I plan to follow up to this post with my $.02 once I schedule time to do so, but for now, consider these questions and points:
- Google will share some of your information with its partners - see below
- What if Google is subpoenaed for your health information? How much control do you have over that process?
- Since Google isn’t accountable under HIPAA law what are the implications to you?
- How does what is below tie in with the Google Health Privacy Policy?
- e.g. Google will not sell, rent, or share your information (identified or de-identified) without your explicit consent, except in the limited situations described in the Google Privacy Policy, such as when Google believes it is required to do so by law.
Google Health Terms of Service
GOOGLE HEALTH TERMS OF SERVICE
Welcome to Google Health.
1. Your Agreement with Google
Your use of Google Health is governed by this agreement. “Google” means Google Inc., located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States, and its subsidiaries or affiliates involved in providing Google Health.
Google Health does not offer medical advice. Any content accessed through Google Health is for informational purposes only, and is not intended to cover all possible uses, directions, precautions, drug interactions, or adverse effects. This content should not be used during a medical emergency or for the diagnosis or treatment of any medical condition. Please consult your doctor or other qualified health care provider if you have any questions about a medical condition, or before taking any drug, changing your diet or commencing or discontinuing any course of treatment. Do not ignore or delay obtaining professional medical advice because of information accessed through Google Health. Call 911 or your doctor for all medical emergencies.
3. Your Account and Use of Google Health
You must provide accurate and complete registration information any time you register to use Google Health. You are responsible for the security of your passwords and for any use of your account. You must immediately notify Google of any unauthorized use of your password or account by following the instructions at this link: http://www.google.com/support/accounts/bin/answer.py?answer=48601.
Your use of Google Health and any content accessed through Google Health must comply with all applicable laws, regulations and ordinances, including any laws regarding the export of data or software. You must be at least 18 years old to use Google Health.
You may not access Google Health other than by the interfaces provided by Google or interfere with or disrupt the proper operation of Google Health.
4. Use of Your Information
If you create, transmit, or display health or other information while using Google Health, you may provide only information that you own or have the right to use. When you provide your information through Google Health, you give Google a license to use and distribute it in connection with Google Health and other Google services. However, Google may only use health information you provide as permitted by the Google Health Privacy Policy, your Sharing Authorization, and applicable law. Google is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder (”HIPAA”). As a result, HIPAA does not apply to the transmission of health information by Google to any third party.
Your use of Google Health and any content accessed through Google Health is subject to each of the additional terms provided in connection with Google Health, including the Google Health Privacy Policy, the Sharing Authorization, and the Google Health Legal Notices.
6. Content and Services Accessed through Google Health
Google Health may include content that you find offensive, including health-related content that is sexually explicit.
Google may make third-party services available through Google Health. In order to use a specific service, you may choose to allow the third-party service provider to retrieve, provide, and/or modify health and other information in your account or otherwise share your information with the service provider. Once you enable a specific third-party service provider to access your account, the service provider may continue to access your account until you affirmatively disable access. Third-party service providers include both health care providers and other entities. It is your sole responsibility to review and approve each such third-party service before sharing your information through or otherwise accessing it.
Google may screen, modify, refuse, or remove certain content or third-party services, but is not responsible for and does not endorse any third-party content or services. Google further does not endorse any third-party service providers, other health care providers, products, services, opinions, or web sites accessed through Google Health.
USE OF THESE SERVICES AND RELIANCE ON THIS CONTENT IS SOLELY AT YOUR OWN RISK. GOOGLE MAY NOT BE HELD LIABLE FOR ANY DAMAGES ARISING OUT OF OR RELATED TO YOUR USE OF ANY THIRD-PARTY SERVICE OR CONTENT. Providers of these third-party services and/or content are Google’s “Licensors”.
7. Google Proprietary Rights
Google and its Licensors own all proprietary rights to Google Health. Google gives you a personal, revocable, non-assignable, and non-exclusive license to use Google Health.
8. Modification and Termination of Google Health
Google may place limits on, modify, suspend or terminate Google Health generally, and may suspend or terminate your use of Google Health if you fail to comply with this agreement. This suspension or termination may delete your information, files, and other previously available content. If Google terminates Google Health or your use of Google Health, this agreement will also terminate, but Sections 3, 5, 7, 8, and 10-13 shall continue to be effective after this agreement is terminated.
9. Changes to this Agreement
Google may change this agreement and will post the modified agreement at https://www.google.com/health/html/terms.html. If you do not agree to the modified agreement, you should stop using Google Health. Your continued use of Google Health after the date the modified agreement is posted will constitute your acceptance of the modified agreement.
10. Indemnification
You will defend or settle any third-party claim against Google, any third party Google Health feature providers, or any of Google’s other licensors arising out of or related to your use of Google Health.
11. Exclusion of Warranties
NEITHER GOOGLE NOR ANY OF GOOGLE’S LICENSORS MAKE ANY EXPRESS WARRANTIES, AND EACH OF THEM DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF ACCURACY, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. NEITHER GOOGLE NOR ANY OF GOOGLE’S LICENSORS MAKE ANY WARRANTY THAT THE CONTENT IN GOOGLE HEALTH SATISFIES GOVERNMENT REGULATIONS REQUIRING DISCLOSURE IF INFORMATION ON PRESCRIPTION DRUG PRODUCTS. CONTENT IN GOOGLE HEALTH IS DEVELOPED FOR USE IN THE UNITED STATES, AND NEITHER GOOGLE NOR ANY OF GOOGLE’S LICENSORS MAKE ANY REPRESENTATION CONCERNING THE CONTENT WHEN USED IN ANY OTHER COUNTRY.
12. Limitation of Liability
NEITHER YOU NOR GOOGLE OR ANY OF ITS LICENSORS MAY BE HELD LIABLE UNDER THIS AGREEMENT FOR ANY DAMAGES OTHER THAN DIRECT DAMAGES, EVEN IF THE PARTY KNOWS OR SHOULD KNOW THAT OTHER DAMAGES ARE POSSIBLE OR THAT DIRECT DAMAGES ARE NOT A SATISFACTORY REMEDY. THE LIMITATIONS IN THIS SECTION APPLY TO YOU ONLY TO THE EXTENT THEY ARE LAWFUL IN YOUR JURISDICTION.
NEITHER YOU NOR GOOGLE OR ANY OF ITS LICENSORS MAY BE HELD LIABLE UNDER THIS AGREEMENT FOR MORE THAN $1,000.
The limitations of liability in this Section do not apply to breaches of intellectual property provisions or indemnification obligations.
13. General Legal Terms
If you have not signed a separate written agreement with Google related to Google Health, this agreement is the entire agreement between you and Google related to Google Health, replacing any prior agreements. If there is any conflict between this agreement and a signed written agreement between you and Google related to Google Health, the signed written agreement will control.
Google’s Licensors may be third party beneficiaries to this agreement. There are no other third party beneficiaries to this agreement. The parties are independent contractors, and nothing in this agreement creates an agency, partnership, or joint venture.
If Google provides you with a translation of the English language version of this agreement, the English language version of this agreement will control if there is any conflict.
Failure to enforce any provision will not constitute a waiver of that provision. If any provision is found unenforceable, it and any related provisions will be interpreted to best accomplish the unenforceable provision’s essential purpose.
This agreement is governed by California law, excluding California’s choice-of-law rules. THE EXCLUSIVE VENUE FOR ANY DISPUTE RELATING TO THIS AGREEMENT IS SANTA CLARA COUNTY, CALIFORNIA. YOU AND GOOGLE CONSENT TO THE PERSONAL JURISDICTION OF THESE COURTS. Nothing in this agreement limits either party’s ability to seek equitable relief.
April 28, 2008
Sharing authorization agreement
AUTHORIZATION
I hereby authorize Google to share the health information contained in my Google Health profile(s) in its entirety, to only those entities and individuals I designate, for the purpose of providing me with medical care and for the purpose of sharing my information with others that I choose.
I understand and agree that this authorization permits the disclosure of health or treatment information about me, to the entities and individuals I designate, that may also contain sensitive information relating to the following:
* HIV or AIDS
* Mental illness or any mental health condition
* Alcohol or substance abuse
* Sexually transmitted diseases
* Pregnancy
* Abortion or other family planning
* Genetic tests or genetic diseases
I understand and agree that this authorization also covers any record that was created by a doctor or other health care provider other than the doctor or health care provider who supplied the record to Google Health.
This authorization will remain in effect and permit the ongoing disclosure by Google of information in the Google Health Service until I delete my profile(s) in the Google Health Service entirely or revoke the authorization. I may revoke this authorization at any time by using the features or options described in the Google Health FAQ. I understand that my revocation will not apply to actions Google has already taken in reliance on my prior authorization.
I understand and agree that in addition to the information I choose to share, Google may only share information in the limited circumstances described in the Google Health Privacy Policy.
I understand that I may request a copy of this authorization at any time.
May 26th, 2008 at 7:21am
I have read the generic Google privacy policy (GPP) extensively (I based the one for Trainster.net off of it). If memory serves corretly, the GPP requires that any partner they share info with treat your data with at least as much care as Google would.
I also think that every company does exactly what Google is doing. Google just lists it out in the GPP.
I would also think that the Google health policy supercedes any part of the GPP in any area that they disagree(?).
I don’t think this is a pure capitalism play as you allude to. Google will make much more profit in the long run by doing “the right thing”. I think a lot of your concerns are over the governmental power that Google is subject to.
To which, I ask you this: If the government subpoenas Google or any other company for your info, what do you expect them to do? Well, at least in the case of Google, you have your answer.
Centralization of data always makes compromise more risky. The question is does the value you get from said centralization outweigh the risks. I logged in to Google Health, created an account, and sucked in the info from my pharmacy provider (who has an agreement with Google Health). Immediately, Google Health flagged a potential medication conflict. Looks like it’s going to be a convenient service.
One closing comment: The last time you went to the doctor’s office, I can almost guarantee that you signed a waiver giving your doctor’s office the right to share your private info with their partners and affiliates. I’m guessing you didn’t care then, and I’m also guessing that their privacy and security practices are under a lot less scrutiny than Googles (although I will concede and/or defer the HIPAA argument, in which I am not educated).
May 25th, 2008 at 10:34pm
Presto - one big item that’s under scrutiny at the moment is the HIPAA aspect of Google’s privacy policy. HIPAA privacy laws don’t apply to Google, which of course raises some eyebrows. I had a Google Health/privacy discussion with Bill Hersh this past week during a TiE healthcare presentation. We debated a couple points, but ultimately agreed (I think
) that there are plenty of other privacy issues out there which are just as concerning. All in all the industry and people like you will decide. You mentioned “looks to me like it’s fine” but then again, you may say the same thing about your cable operator policies. Ask yourself why you aren’t using their newsgroup services/offerings… 
Sounds to me like you trust Google in general. I do for the most part too, but just as other entities have to hand over information in certain circumstances, so does Google. And just as other companies can change their policies, so can Google. Not to mention that if they decide for whatever reason to change their policies they can (without HIPAA consequences). Google has issued a good response to the HIPAA concerns however.
Their HIPAA response does state they can release your health info “To protect against imminent harm to the rights, property or safety of Google…” - which of course is expected. That is, Google comes first, not you. Just like your cable operator comes first, not you. Point being, there are exceptions to your comment “It says they’ll only share data with people I expressly designate.” As long as people know those exceptions and the consequences all is well.
Don’t get me wrong - I think Google and even M$ are doing the right things here. We need health care reform and we need more smart and innovative people to get involved to make it better. I believe that is what both companies are trying to do. I also believe they aren’t doing it to be altruistic. They are doing it to make money, and when money is involved, it will come first, not the people. Capitalism isn’t necessarily tied to morale imperatives.
One last item, did you read the Google Privacy Policy (which if you sign up for Google Health your health data is also under)? It states: “We provide such information to our subsidiaries, affiliated companies or other trusted businesses or persons for the purpose of processing personal information on our behalf. We require that these parties agree to process such information based on our instructions and in compliance with this Policy and any other appropriate confidentiality and security measures.” That means you will not be notified of your personal information being accessed by entities Google feels need it to do business - you cool with that? I’d at least like a notification, how hard is that to implement? I’d also encourage you to read the “Changes to this policy” section of the Google Privacy Policy. It’s basically up to them if they change the policy, and furthermore up to them if they even let you know.
Seems to me that the best policy is to just not give a rip about who knows what about you and take reasonable precautions to try to protect your data. Once parts of me start looking like 1001001010001 then it’s a lot easier to get my information. Case in point, Bush showed up in Park City today via Marine One. I heard he was visiting Mitt, so I went to the Park City records web site and found Mitt’s addresses (both in Park City and Boston), how much he paid in taxes, his homes value, and some other personal info. Sure, I could get that info by going to the county courthouse, but since it was digitized it made getting it much easier. Encrypted or not, just having a physical digital connection to things is a risk - see this article on Google hacks already.
May 25th, 2008 at 8:55pm
Looks to me like it’s fine — am I missing something? It says they’ll only share data with people I expressly designate.
I hereby authorize Google to share the health information contained in my Google Health profile(s) in its entirety, to only those entities and individuals I designate, for the purpose of providing me with medical care and for the purpose of sharing my information with others that I choose.