Google Health: HIPAA Exempt?

Google quietly announced a new service last week: Google Health. Google bills the service as an application "to store and manage all of your health information in one central place." To that end, users are encouraged to log in to the site, and begin entering all of their most personal healthcare records into Google's server farm.

Yet Google has declared itself exempt from HIPAA, the law regulating how consumer health data can be stored and transmitted electronically, which should make consumers think twice about entrusting their healthcare data to the tech giant.

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). Title II of HIPAA mandated that the Dept. of Health & Human Services (HHS) promulgate regulations for standardizing and protecting the transmission of consumer medical data. The regulations are far from perfect, but they do set out a number of best practices and fairly onerous data security requirements.

Unfortunately for consumers, Google doesn't think it has to abide by them. From the Google Health Terms of Service:

Google is not a "covered entity" under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder ("HIPAA"). As a result, HIPAA does not apply to the transmission of health information by Google to any third party.

While this is a convenient argument for Google to make, I don't buy it;¹ and I find it troubling that Google is acting as an unregulated entity with full access to its customers' most sensitive healthcare information. Google has a poor track-record with respect to security vulnerabilities, and refuses as a matter of policy to disclose them. Not to mention, Privacy International has ranked Google as among the worst Internet companies for protecting customer privacy.

In the end, consumers will decide whether Google Health succeeds. This consumer will be waiting for Google to step up to the plate and comply with HIPAA before signing up.

  1. The relevant HIPAA regulations apply to three types of entities: healthcare providers, healthcare "clearinghouses," and health plans. 14 U.S.C. Sec. 1320d–1(a). A healthcare clearinghouse is defined in the statute as follows: "The term 'health care clearinghouse' means a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements." 14 U.S.C. Sec. 1320d(2). How exactly is this different from what Google is doing here?