The contentious issue is that Google Health, an online repository of users' medical records, is not covered by the Health Insurance Privacy and Portability Accountability Act of 1996, which is designed to protect this very information.
According to this Ha.ckers post, Google, which the blogger says has a poor security record (he says it in much a much more colorful fashion), is not a "covered entity" and therefore doesn't have to comply with HIPAA. The post cites two examples in which serious concerns appear to be handled in a simplistic manner and suggests there are many more.
There is another side to the story, however. This long post by Fred Trotter suggests that it's a good thing that Google Health and HealthVault, a similar service from Microsoft, are not covered by HIPAA. Essentially, the writer says, there is an explosion of health information available on every individual. Going through the HIPAA process creates mountains of data, much of which is redundant. Important facts -- allergies to a medication, for instance -- will get buried and, certainly, not be accessed during an emergency. The writer thinks services that store such information, while they are under the control of the individual, have a tremendous number of potential benefits.
Whether these services should be covered by HIPAA clearly is an major issue. It's also is important to understand that HIPAA itself is changing. Indeed, just being HIPAA-compliant doesn't seem to be a panacea for online security of medical data. SC Magazine reports that Rebecca Herold, an editor with Realtime IT Compliance Community, says the regulatory oversight of HIPAA by the Department of Health and Human Services has been "underwhelming," with the number of privacy-rules complaints increasing annually. There have been more than 32,000 complaints during the past five years, and about 6,500 still are outstanding.
HIPAA fulfillment is not a black-and-white issue. This interesting article at AIS Health discusses a case in which a hospital patient on parole for a drug offense tested positive in a drug test. The piece deals with the latitude under HIPAA that the hospital has in reporting the patient to his parole officer. In this case, the man was reported. The story offers varying opinions on whether this was proper. In any case, the subtext of the story is that a clear policy is needed for treatment of information covered under HIPAA.
There are a number of interrelated issues at play: Is Google Heath secure? Should it be covered by HIPAA? Is HIPAA itself adequate, and how is it evolving? With huge amounts of medical data being generated and hackers scrambling to access it, strategies for protecting this data must be continually perfected, under the HIPAA umbrella or not.