Does anybody enforce this or do we just take Google at their word?
Can you fly under the radar and potentially get away with not doing it? Of course, anything is possible. Could a multibillion dollar internet organization beholden to shareholders and under public scrutiny get away with it? Not likely.
Can you provide a link to this requirement? The HIPAA/HITECH laws provide no requirements for an external audit (and self-audits aren't actually audits) and the HHS, as far as I know, only does small sample random audits unless a complaint was made.
EDIT: I guess I don't understand. Once we give Google the sensitive information, how do we have any way of knowing what they do with it? I'm guessing an audit on all of Google's data is out of the question.
While the Grauniad is trying to spin it to sound worse, the whole point is Google are providing data processing services to a valid HIPAA processor via Google Cloud, not that they nefariously bought the data to integrate it with the search results.
Much like health data stored on AWS with a dedicated internal project team could be accessed by "Amazon" staff. It's kinda the point; the Google staff have been brought in to help manage the data.
I don't think that anyone is claiming they are intending to do this.
Yes, the DHHS Office of Civil Rights enforces HIPAA Privacy and Security rules. That enforcement is reactive, as there is no independent regular compliance certification or monitoring required, which is a weakness; but the fact that detection of a violation can lead to personal as well as institutional penalties, and that those penalties are criminal as well as civil, means it's not a risk that decision-makers tend to be willing to take on just because it would (so long as undetected) provide a business opportunity.