What would you do if you discovered a company you'd never heard of had access to your medical records? Well, if you were at the Googleplex, up all night coding, you might first be furiously tweeting and calling everyone on the Google Health team you could think of, saying WTF. Second, you would listen to the voice at the next laptop over saying DON'T PANIC, because there has to be a good explanation.
And there is, sort of.
Turns out the system wasn't hacked and nothing was stolen, but this is still a big issue. According to HIPAA standards you must explicitly give people access to your records, and only for a limited amount of time; you must "opt in" to every application. There's this one application, though, which operates on an "opt out" basis. So you install an iPhone app, sign in to your GHealth account, and voila! Your records are linked to an affiliated web application you never installed.
Bad, bad, bad.
This is exactly the fear expressed when PHRs first came on the scene, and it didn't help when Google added to their sales pitch that, by the way, since they're not a healthcare organization they're not really bound by HIPAA.
Technically this is not a violation by GH, but they could make some simple changes to force explicit permission for any account linking. Allowing this implicit linking is just not acceptable. The good news is they are working on a fix.
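To make the "opt in, per application, for a limited time" model concrete, here is an added example of a consent check written for this post; it is not Google Health's code or API, and the registry, the app names and the "affiliation" metadata are all assumptions. The `inherit_from_affiliates` flag reproduces the opt-out behaviour described above so the two policies can be compared side by side: with it off, the affiliated web app is denied until the user explicitly grants it; with it on, the web app silently borrows the iPhone app's grant.

```python
"""Opt-in, per-application, time-limited consent for PHR record access.

Hypothetical model for illustration only (not Google Health's API).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    app_id: str            # the one application this grant was given to
    scopes: frozenset      # e.g. {"read:records"}
    expires_at: datetime   # every grant is time-bounded


class ConsentRegistry:
    def __init__(self, affiliations=None):
        # (user_id, app_id) -> Grant; in-memory store constructed for the example
        self._grants = {}
        # app_id -> set of app_ids it is "affiliated" with (assumed vendor metadata)
        self._affiliations = affiliations or {}

    def grant(self, user_id, app_id, scopes, ttl, now):
        """Record an explicit, positive-lifetime grant for exactly one app."""
        if ttl <= timedelta(0):
            raise ValueError("a grant must have a bounded, positive lifetime")
        g = Grant(app_id, frozenset(scopes), now + ttl)
        self._grants[(user_id, app_id)] = g
        return g

    def revoke(self, user_id, app_id):
        self._grants.pop((user_id, app_id), None)

    def _find_grant(self, user_id, app_id, inherit_from_affiliates):
        g = self._grants.get((user_id, app_id))
        if g is not None or not inherit_from_affiliates:
            return g
        # Opt-out behaviour: borrow a grant held by any app that lists this one
        # as an affiliate. This is the implicit linking the post objects to.
        for other, affiliates in self._affiliations.items():
            if app_id in affiliates and (user_id, other) in self._grants:
                return self._grants[(user_id, other)]
        return None

    def authorize(self, user_id, app_id, scope, now, inherit_from_affiliates=False):
        """Return (allowed, reason). By default only an explicit, unexpired grant
        for this exact app_id with the requested scope is accepted."""
        g = self._find_grant(user_id, app_id, inherit_from_affiliates)
        if g is None:
            return False, "no grant for this application"
        if now >= g.expires_at:
            return False, "grant expired"
        if scope not in g.scopes:
            return False, f"scope {scope!r} not granted"
        if g.app_id != app_id:
            return True, f"inherited from affiliated app {g.app_id!r}"
        return True, "explicit grant"


def demo():
    """Run the scenario from the post under both policies; returns the decisions."""
    t0 = datetime(2009, 6, 1, tzinfo=timezone.utc)  # constructed timestamp
    # Assumed affiliation: the phone app lists a web app as its affiliate.
    reg = ConsentRegistry(affiliations={"phone_app": {"web_app"}})
    # The user installs the phone app and explicitly grants it read access for 30 days.
    reg.grant("alice", "phone_app", {"read:records"}, timedelta(days=30), t0)

    return {
        "phone_explicit": reg.authorize("alice", "phone_app", "read:records", t0),
        "web_opt_in": reg.authorize("alice", "web_app", "read:records", t0),
        "web_opt_out": reg.authorize("alice", "web_app", "read:records", t0,
                                     inherit_from_affiliates=True),
        "phone_wrong_scope": reg.authorize("alice", "phone_app", "write:records", t0),
        "phone_expired": reg.authorize("alice", "phone_app", "read:records",
                                       t0 + timedelta(days=31)),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:18} {'ALLOW' if ok else 'DENY':5} {why}")
```

The point of the check is that the key for a grant is the exact application, not the vendor or any relationship between applications, and that every grant carries an expiry; "affiliation" can only widen access if the service deliberately chooses to let it, which is the choice the post argues should be removed.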
I have plenty of complaints about GH but... BUT... they are the ONLY PHR with a public API to encourage and foster innovation, so I'm grateful for that. Everyone working on PHR applications in the open-source community is grateful, and face it, PHRs are so new that we need all the crowdsourcing we can get. Upcoming FOSS applications like ChiefMedicalOfficer, Health Wave, and Patient Aware Wave, demoed this past weekend, are proof of the value in that.
Google has been, and continues to be, very responsive to the developer community. That's good news on the Don't Be Evil front.