HIPAA data breaches can occur if ePHI (electronic protected health information) is posted on an open website. In that situation, not only is the ePHI available for viewing, it can also be indexed by an Internet search engine such as Google. Many data breaches have been uncovered by finding the unauthorized ePHI via a Google search. As an example, we know of patients who have found their own ePHI by searching for their name, finding the posted ePHI and lodging a complaint with HHS/OCR. These complaints have resulted in investigations.
In the past, removing these search results from Google has been difficult. That has now changed. Last week, Google made a change to its removal policy. The Removal Policy describes certain types of sensitive information that can be excluded from Google Search results. Examples include information such as Social Security numbers and bank account numbers. Now the removal policy page also includes “Confidential, personal medical records of private people”.
Does Google remove this information automatically? No. According to a Bloomberg Technology article, a Google spokesman said “that such information is only pulled when the company gets specific requests from individuals”. Google does not know whether ePHI is posted with or without consent. But it is now making it easier to get such information removed from search results.
Does this mean that if ePHI is removed from Google search results it is no longer a data breach? No. It is still a data breach, for several reasons. First, the information may still be on a website, and the source website needs to remove the information. Second, the information only comes off Google search results after an individual knows about it and makes a removal request. Finally, even if all the information is removed from the web and from search results, it was still available for a period of time, and that by itself is a breach.
This is, however, a good step forward towards protecting ePHI, since exposed records no longer have to remain in Google search results indefinitely.