Project Manager Missy Krasner called the site "a proxy for the consumer." All data entry, and data delivery, will happen behind a https secure Web page, and will stay under the consumer's control. A secure token will be exchanged before any data is delivered from the site.
Under HIPAA, Krasner said, consumers do have the right to control their own health data, and give it to whom they will. Google's aim is to help consumers build a Personal Health Record (PHR), distinguished from the Electronic Medical Records (EMRs) controlled by doctors or hospitals.
"We have no plans to make this ad-supported," she said. "We will not sell the data." Instead Google hopes that increased Web usage will lead its users to ad-supported pages on their own. "This is a long-term approach. If you do that you can put the user first."
While Krasner said Google has many partners involved in Google Health, its sole partner in the next two months will be the Cleveland Clinic. Its customers will be able to download their records into Google Health profiles.
This data transfer will not be handled by Google. Instead users will be directed to the Cleveland Clinic site, which acts as a Business Associate of Google in this case. The Clinic is a "covered entity" under HIPAA, and Google will not store its data, nor distribute it. The consumer will get their data from the Clinic, then control it through Google.
Once the data is at Google Health it becomes the consumer's property, accessible only at their log-in through the secured site. It can be shared in whole or, most important, in part. "You can lock items within your profile," such as the use of anti-depressants. "You are told before anyone gets your data."
The tiny Google booth (it's more of a stand, really) was mobbed on the first day of HIMSS, and not just for the Google swag like pot holders, pens and big, tasty, free cookies. Krasner said the company wants to collect questions, and objections, to the service so it can be rolled-out as carefully as possible.
Right now fewer than 5% of consumers have PHRs, which means they lack any control over their health records. Linking the creation of PHRs to medical EMRs is designed to create network effects in which both consumers and professionals will get on-board with a trend policymakers insist must come about if health care is to improve.