Google Health: First Failure of 2012

At the stroke of midnight on New Year's day, Google Health, the personal health record data aggregation service for consumers, will shut down for good.

Google first made the announcement quietly, in a blog post last June. But the closure of Google Health next month is also an important inflection point for public cloud-based services.

Google Health's failure shows that there are limits to how far users are willing to go in allowing access to personal information in exchange for free services. Will other initiatives soon follow?

Google's goal was "to create a service that would give people access to their personal health and wellness information," all in one place. It did not provide federated access to the data, but physically moved the data to its servers. It wanted to "translate our successful consumer-centered approach from other domains to healthcare and have a real impact on the day-to-day health experiences of millions of our users," according to Google's blog post.

Google anonymized, or "de-identified" users' personal health data for purposes of data mining and publishing trends, most famously the trending information on influenza outbreaks. But its privacy policy precluded sharing of personally identifying information, and even de-identified information, with third parties. 

Google also did not sell general advertising in Google Health or targeted advertising based on health information stored in users' profiles. Its privacy policy states: "We do not sell user health information, and we do not share it with other individuals or services unless a user explicitly authorizes us to do so, or in the limited circumstances described in our privacy policy."

Despite this, Google Health never took off. In the end, I believe that Google was unable to allay privacy fears for the data consumers were entrusting to it. The problem can be summed up in one sentence on Google's privacy pages: "Unlike a doctor or health plan, Google Health is not regulated by the Health Insurance Portability and Accountability Act (HIPAA), a federal law that establishes data confidentiality standards for patient health information."

The idea that users would be willing to transfer personal health record data from health care providers, where data privacy is protected by federal HIPAA regulations, to Google servers, where protections are less stringent, was flawed from the start.

Google tried to provide similar privacy assurances to users in its own privacy policy, and notes that consumers could pursue penalties if Google did not adhere to that policy.

Google argues in its privacy policy that  "Under Section 5 of the Federal Trade Commission Act, the FTC enforces privacy protections in the Google Health privacy policy through civil and criminal penalties. State attorneys general and district attorneys have similar authority under general consumer protection laws."

But users of the service were still playing by Google's rules. To use the service consumers had to move their data out from HIPAA-regulated health provider databases, and trust that Google would not change its privacy policies.

While there is an unmet need for an aggregated view of all personal health records, both for consumers and for medical professionals, Google Health was not the solution.

R.I.P., Google Health.

Note: My original post stated that Google had provided advertising on Google Health, which is incorrect. The post has been substantially revised to address this error and to clarify its privacy policy.

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon