Blog Post

Google Creates Giant SSN Database

Earlier this month, Google announced a pilot program with the Cleveland Clinic to store patients’ medical records online. Privacy and security concerns were raised, notably that Google doesn’t have to abide by confidentiality rules that govern doctor-patient relationships dictated by HIPAA.
However, Google’s plan to put patients in control of their own records and make those records transferable is a useful one, especially to anyone who has filled out four or five paper forms every year at three or four different doctors. As for the very real privacy concerns, medical records aren’t too secure, anyhow. And think about the synergies created by storing medical records online combined with the genetic data provided by Google-backed 23&Me.

19 Responses to “Google Creates Giant SSN Database”

  1. Guess what, google, no more doctor visits for me! Ive been told that if you dont go back for 9 months, the info goes poof! They can add to your medical data base, BUT THEY CANT FORCE YOU TO SEE A DOCTOR! bIG bROTHER’S OUT OF LUCK THIS TIME.

  2. I refuse to give my SSN to any medical facility or professional and have been doing so for 15 years. In the beginning they insisted on it and I would question that insistance and what did they need it for? They never had an answer. Today, I tell them upfront that I refuse to give them my SSN, that they don’t need it. I have no problems after that statement.

    Years ago I also found out about the medical database that supposedly has all medical records on everyone. To find out if you were in the database, you sent them $7.00, your name, etc. they in return would mail you the information if you were in the database or not. I was not.

    When I see a new Dr. I also tell them that I do NOT want personal things in their records and would prefer if the records were kept to a minimum and as generic as possible. All Drs. I have requested this of have kept their promise and make my records with as little detail as possible. How do I know? I as to see my medical records. I would rather remind them of problems than have them written down and sent all over the country.

    Now, why am I so firm on this, about 16 or so years ago I was trying to get medical insurance and gave one of my Drs. name and when he was contacted, he told them some information that rejected me from getting the insurance. That kept me from getting medical insurance for years. The problem was that this Dr. had done no tests, had no concrete evidence of that information, it was just a guess on his part.

    Now, I would like to know why people give out their SSN’s like it is no big deal? With the way the world is today, it is a big deal! Even your address is a big deal. Isn’t all of this the reason we shred our mail?

  3. Folks, you appear to forget that it’s the patient’s CHOICE to create an account with Google and that they are the only ones who can control WHO they share their information with. And for those who appear to not be up to speed on HITSP and HL7, there are standards in place for transacting this data upon request by the patient.

    As for HIPAA presiding over the way the data is transacted (under a BAA or not), the jury may be out on this one. It seems there is chatter under way about whether entities who store the data, at the request of the member, should be classified as a covered entity under this rule. For now, organizations like Google and Microsoft are not covered entities.

    Minor point on HIPAA for the fearful, employer groups who send their membership rosters (containing all sorts of PHI data) to their health plans are not covered entities either thus are not subject to transacting the eligibility data in a manner consistent with the transaction set standards of HIPAA.

  4. – the current application has an opt in – but remember that your medical service provider owns your medical records so it should come as no surprise that in future you may not have a choice if your service provider decides to do that just for the economic benefit to them. Especially if Google gives a cut of the advertising. Pharmaceutical market is mega B$ and TV has proved that advertising drugs directly to the end user sells mountains of pills.

    Clearly this is not a portability play – it’s an advertising play in a very, very lucrative and captive market. Repeat after me Google is an advertising company, Google is an advertising company ….

    So not only will you not have a choice but you will be subjected to targeted ads to boot ….

    What will you get in return? “convenience and portability” — something you could get with a keychain drive with security and ownership of your data.

  5. OK, so Marissa Meyer claims making data portable means putting it in Google ?????

    Can I get my data out of Google and delete it from Google or will they keep a copy for ever? Can I get a secure API for my data in Google so I can mash it up and only I have the key and Google only sees strongly encrypted bits. Putting data in Google is the exact opposite of making it portable – Google is a “roach motel” for data. Suddenly we are supposed to trust them becuase they say so – what expertise do they have in providing data portability services – what is their track record in this area ? Who will ask these questions ?

    Google is not now and has never been a vendor of portable data for god’s sake. This Orwellian approach to language is enabling a benevolent appearing Big Brother to be created before our eyes and with our tacit approval. Especially when this is about private data aggregation by vendors, IMHO GigaOm should be far more critical and skeptical about claims made by vendors and ask for a lot more than press releases.

    Large vendors like Google, Yahoo, and recently Skype have always “co-operated” with governments – whatever that means.

    Talk to the people in China whose data has been freely shared with the Chinese government. The late Rep Tom Lantos of California called Yahoo a “technological giant but a moral pigmy” for their behavior. Will Google resist when the any government comes knocking? Playing fast and loose with personal data in the interests of “neat technical solutions” is laying the groundwork for a complete annnihilation of individual rights.

    Want your medical data to be portable and on thee web? Ask vendors to provide a solution where all data in the cloud is strong-encrypted with keys available on a keychain drive physically controlled by the owner of the data and in the keychain drive the primary copy of the data resides. THAT is portable AND secure in the dictionary sense of the word. It is not just hand waving by the Marissa Meyers of this world which is supposed to be taken at face value just because at one point someone somewhere mumbled “don’t be evil” and then kept on doing exactly what they had before.

    With all due respect we expect a lot more tire kicking on such a huge subject, and a lot more skepticism. Otherwise bloggers run the risk of looking like MSM in being mouthpieces of the vendors.

  6. I am sure Google will comply with the medical standards. I just want to ask you, do you have complete medical history? Many of us would say no. But if we have a good record keeping it will help the doctors to formulate a better plan for us. Would you rather have handwritten records that no body can recognize or digital records? It will help the pharmacies to give the correct prescription.

    Regarding the title, they may save the SSN number but that doesn’t mean Google will share it with everyone.

    We already have too much online data in Stocks (Etrade, Sharebuilder), Banks (Wamu, Mint), Shopping (Amazon,, so what is the big deal as long they maintain security.

  7. Alexander Sicular

    To say that Google does not have to abide by HIPAA is just plain wrong. I, too, work in healthcare IT and I know for a fact that when we work with outside vendors that need access to healthcare related data they need to sign a vendor agreement that legally binds them to the same provisions as the institution. Where do you think the medical data is coming from? Cleveland Clinic which just happens to be a major healthcare provider. There is no way Cleveland Clinic or any other medical data repository could hand over data to a third party without an obscenely massively thick legal accord that would require the third party to be a doggedly stalwart steward of that data.

    According to the linked Cleveland Clinic press release “…an invitation-only opportunity offered to a group of Cleveland Clinic PHR users, plans to enroll between 1,500 and 10,000 patients.” this is an opt-in program. Patients will be solicited and no doubt have to agree, in writing, to have their information be accessible to Google in the proposed system. Nevertheless once that data resides electronically within a vehicle that the patient has access to that patient has the right to share that data with whomever they see fit.

    This may be a bit off post but in regards to using this data in a research capacity, there is a board of governors at every research institution called the “Institutional Review Board” (IRB) that authorizes when and in which way data may be used for ongoing research. In order to use pre-collected data an investigator would have to seek and receive permission from the original primary investigator, consider patient solicitation is not permitted. I’m confident data may be used in aggregate for other purposes like public health purposes though.

    Regarding SSN information, it is true that SSN data has been routinely collected and maintained by healthcare institutions. However, new rules are being implemented that discourage this practice by enforcing strict penalties for SSN misuse. My institution happens to be located in NYC and we have been counseled by our legal staff to discontinue SSN usage in future projects and strictly limit access in current systems to comply with these new rules at the NY State level. If I were asked to advise Cleveland Clinic and Google on this project I would just as soon recommend that they omit SSN data when “integrating with the Google platform.”

    I would like to disclose that I am not a lawyer or an expert on HIPAA. However, I have been in the medical IT field for close to a decade creating systems that are in production at a major university teaching hospital in NYC and am well aware of the legal constraints of HIPAA and “personal, identifiable, health information” better known as PHI in the industry.

  8. I think we are way overdue for health information to be stored and shared electronically. However, regardless of who is in charge of that, I do think they need to be subject to HIPAA regulations. The problem is that no one really enforces those. I’ve worked on the business and IT sides of health care and 2 hands are definitely not enough to count all the major companies that blatantly violate HIPAA regulations (some trivial, some not) every day.

    When I was on the business side I would get several unsecured emails each week from insurance companies sending SSN’s, full names and other private data. After years of no repercussions many people feel they have no incentive to go through the extra time consuming steps required to save guard PHI.

  9. Stacey Higginbotham

    @Tim and DEC, maybe I was getting too clever. Most medical records contain social security numbers, and as such, Google’s repository of health records will also contain SSNs. It’s just a reminder that medical records contain more than health information.

  10. So who is giving Google the right to put someone’s healthcare data in their own system? And simply saying that data is not secure anyway, so don’t worry about security, is well, rather lame don’t you think?

    What is next? Another unholy trifecta like Experian, Transunion et al, with all one’s financial data merging that with your health data–with NO say so from the actual user?

    What rights does a medical patient sign over to google for this data?
    Does google get to cross reference this to your google mail account and then offer targeted advertisements based on your health?

  11. Nick,

    No flame here, but saying that this is a solution looking for a problem is like those folks that said, “what do I need a mobile phone for? I have one at home.” Of course they were perfectly correct, but a touch short-sighted. I agree with you that an agreed upon framework will make your life a lot easier and probably entirely necessary for that “vast majority” you are speaking of.
    With the 800-pound Google leading the way that “agreement” may be whatever they say it is. And you are right, it is an interesting idea–interesting enough to merit Google’s attention. If they are on the scene it will get done. I just hope they are consulting with dudes like you who are in the trenches everyday on this issue so they get it right.
    I don’t love Google, but I would just as soon have them do it rather than leave the door open for four other players with competing philosophies to muddy the water for you and the public. We’ll see…

  12. Not to be pedantic, but HIPAA only has one P and two A’s. I work in healthcare IT and this irritates me to no end.

    As for putting the Patient’s EHR online, it’s an interesting idea, but I’m not sure that there’s a good mechanism in place for me to go from one healthcare system (Cleveland Clinic) to another (say, University of Chicago). Unless you have an agreed framework to work with, it might be easier and less of a hassle to stick with the paper forms. Between HealthVault (Microsoft’s entry), there’s no agreed standard, just two companies leading the charge.

    In my opinion of living in the world of healthcare IT, this is a solution looking for a problem.

    The idea of “portability” is a cool thing, but for a vast majority of patients the solution will be too difficult.