Google's Push Into Health Sector: Emerging Privacy Issues
Regulatory Attorney Alisa Chestler on Critical Considerations
With Google aggressively expanding its push into the healthcare sector, critical privacy-related issues are emerging, says regulatory attorney Alisa Chestler.
Google announced Nov. 1 that it plans to purchase fitness tracker maker Fitbit in a $2.1 billion deal.
Then on Monday, Google and St. Louis-based Ascension announced a collaboration designed to improve patient care that reportedly involves Google having access to data on about 50 million patients - without the patients' permission (see: Privacy Analysis: Google Accesses Patient Data on Millions).
Google and Fitbit say consumers' health and wellness data will not be used to serve up appropriate Google ads. "I guess the question is whether [the fitness-related data] could be married to other projects, creating a larger database on each and every person," Chestler says in an interview with Information Security Media Group.
Consumer fitness and wellness data collected by Fitbit devices "is likely not covered by HIPAA at all," she says, meaning the information isn't held to the stricter federal regulatory requirements for safeguarding protected health information.
But the California Consumer Privacy Act, which goes into effect Jan. 1, and some other state privacy regulations "will potentially have some very big impact," she predicts.
While Chestler declines to comment on Google's deal with Ascension, she notes that all health data sharing relationships between healthcare entities and vendors must be carefully vetted.
Under a HIPAA business associate agreement, health data can be disclosed by covered entities to vendors for certain purposes, she notes. "But what you have to think about is how the information is being used. While it potentially may be used for the greater good ... it still needs to stay in line not just with HIPAA but with state law issues," she says.
Alliances that involve the sharing of health-related data with companies like Google must be carefully thought out, she adds. That's because such data collections "to a large degree may be completely unregulated."
In the interview, Chestler also discusses:
- Developments involving HIPAA, the California Consumer Privacy Act and other privacy regulations;
- Recent and future HIPAA enforcement activities by the Department of Health and Human Services' Office for Civil Rights;
- Data privacy and security trends that healthcare organizations should be watching in the year ahead.
Chestler is a shareholder in the law firm Baker Donelson who chairs its data protection, privacy and cybersecurity team. She concentrates her practice on privacy, security and records management issues; healthcare and insurance regulatory compliance; and corporate transactions matters.