Does HITECH have teeth? Google may not think so

I was astounded today to read in Modern Healthcare (the fact that I apparently was blacklisted from writing there for reasons never explained to me makes me reluctant to link to the story) that Google says the new privacy and security rules won’t change its PHR plans.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted last month as Title XIII of the American Recovery and Reinvestment Act of 2009, strengthens much of the privacy and security language of HIPAA. Some of the language effectively gives business associates the same responsibilities as covered entities when it comes to protecting patient data. Section 13408 specifically includes personal health records.

Reporter Joe Conn, my former boss and an all-round good guy (rare at MHC these days), quotes Google Health Product Manager Roni Zeiger, M.D., as saying the new legislation has no effect on the company’s offering. Zeiger actually said that Google Health, as a service offered directly to consumers, is neither a covered entity nor a business associate under the new law.

Excuse me? I’ve been struck since Day 1 with the arrogance Google seems to be exhibiting with its entry into healthcare (actually, since before Day 1, since Google says CEO Eric Schmidt’s speech to the 2008 HIMSS conference was not technically a product introduction), but it seems to me Zeiger is intimating that the law doesn’t apply to Google.

This is almost as ludicrous as former Vice President Dick Cheney suggesting in 2007 that he was a fourth branch of government.