1. Human Genetics
  2. Google Enterprise meets HIPAA and

Google Enterprise meets HIPAA and HITECH Compliant Laws

Posted on by

[in response to comment from sockpuppet? about how Google is "not HIPAA compliant" and that its use is "a felony."]

If you pay for Google Enterprise, Google Enterprise works for healthcare. Google is secure, Google is private, and Google is reliable. Google Enterprise today is the world’s best software system generally and thus immediately applicable to healthcare systems specifically. I can say this with the confidence of working experience because I, my colleagues, and my patients successfully use Google Enterprise to provide medicine in medical practice today. I have the experience to understand the superiority of Google Enterprise over competing and legacy systems both technically and economically. I respect and trust the claims of Google’s commitments to privacy, security, and ethics.

I do know that any form of “disclosure” of “protected health information” for reasons including “commercial advantages” is both unlawful and unethical. However, I am not aware of any such violations in a property configured Google Enterprise service.

So: yes, the Web 2.0 of selling user data for targeted advertising does not apply to medicine —nor should it. It’s wrong. It’s unlawful. Sell an honest system for an honest price. Let people have their dignity —even when its so tempting, so profitable, so easy —it’s within your power, yes?— to convince us otherwise —briefly. Medicine is serious. People are sick. Everybody dies. You die. Have some respect. Trying to solve “not dying” is not a silly game. I would appreciate some gravity where gravity is appropriate and some privacy where privacy is appropriate regarding a service presented to be entrusted with the life and death of other people.

Google Enterprise Terms of Service: covers 45CFR165.502 clauses

http://www.google.com/apps/intl/en/terms/premier_terms.html

A known misconception among engineers is that support staff must not be able to disclose patient information to themselves during regular system maintenance. However, the Code of Federal Regulations specifically does allows such disclosures as cited below.

It is appropriate in medicine.

Law citations regarding disclosure of protected health information for administrative use

(emphasis mine)

CITE: 45CFR165.502

(e)(1) Standard: Disclosures to business associates. (i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information.

(2) Implementation specification: documentation. A covered entity must document the satisfactory assurances required by paragraph (e)(1) of this section through a written contract or other written agreement or arrangement with the business associate that means the applicable requirements of 164.504(e).

CITE: 45CFR164.504(e)

(e)(1) Standard: Business associate contracts. (i) The contract or
other arrangement between the covered entity and the business associate
required by Sec. 164.502(e)(2) must meet the requirements of paragraph
(e)(2) or (e)(3) of this section, as applicable.

(2) Implementation specifications: Business associate contracts. A
contract between the covered entity and a business associate must:
(i) Establish the permitted and required uses and disclosures of
such information by the business associate. The contract may not
authorize the business associate to use or further disclose the
information in a manner that would violate the requirements of this
subpart, if done by the covered entity, except that:
(A) The contract may permit the business associate to use and
disclose protected health information for the proper management and
administration of the business associate, as provided in paragraph
(e)(4) of this section; and

[[Page 748]]

(B) The contract may permit the business associate to provide data
aggregation services relating to the health care operations of the
covered entity.
(ii) Provide that the business associate will:
(A) Not use or further disclose the information other than as
permitted or required by the contract or as required by law;
(B) Use appropriate safeguards to prevent use or disclosure of the
information other than as provided for by its contract;
(C) Report to the covered entity any use or disclosure of the
information not provided for by its contract of which it becomes aware;
(D) Ensure that any agents, including a subcontractor, to whom it
provides protected health information received from, or created or
received by the business associate on behalf of, the covered entity
agrees to the same restrictions and conditions that apply to the
business associate with respect to such information;
(E) Make available protected health information in accordance with
Sec. 164.524;
(F) Make available protected health information for amendment and
incorporate any amendments to protected health information in accordance
with Sec. 164.526;
(G) Make available the information required to provide an accounting
of disclosures in accordance with Sec. 164.528;
(H) Make its internal practices, books, and records relating to the
use and disclosure of protected health information received from, or
created or received by the business associate on behalf of, the covered
entity available to the Secretary for purposes of determining the
covered entity’s compliance with this subpart; and
(I) At termination of the contract, if feasible, return or destroy
all protected health information received from, or created or received
by the business associate on behalf of, the covered entity that the
business associate still maintains in any form and retain no copies of
such information or, if such return or destruction is not feasible,
extend the protections of the contract to the information and limit
further uses and disclosures to those purposes that make the return or
destruction of the information infeasible.
(iii) Authorize termination of the contract by the covered entity,
if the covered entity determines that the business associate has
violated a material term of the contract.
(4) Implementation specifications: Other requirements for contracts
and other arrangements. (i) The contract or other arrangement between
the covered entity and the business associate may permit the business
associate to use the

[[Page 749]]

information received by the business associate in its capacity as a
business associate to the covered entity, if necessary:
(A) For the proper management and administration of the business
associate; or
(B) To carry out the legal responsibilities of the business
associate.
(ii) The contract or other arrangement between the covered entity
and the business associate may permit the business associate to disclose
the information received by the business associate in its capacity as a
business associate for the purposes described in paragraph (e)(4)(i) of
this section, if:
(A) The disclosure is required by law; or
(B)(1) The business associate obtains reasonable assurances from the
person to whom the information is disclosed that it will be held
confidentially and used or further disclosed only as required by law or
for the purpose for which it was disclosed to the person; and
(2) The person notifies the business associate of any instances of
which it is aware in which the confidentiality of the information has
been breached.

Related Posts

Comments are closed.


  1. Human Genetics
  2. Google Enterprise meets HIPAA and