Google Health

Google Health Developer Policies

Last modified: September 2, 2010 (view archived version)

DATA USE POLICY

The Google Health APIs enable institutions to send access and copy health information from users’ Google Health profiles after permission has been granted. Google takes the privacy of its users’ data very seriously, and all institutions wishing to connect to Google Health must abide by the policies outlined below, as well as applicable law.

If your institution desires to retrieve health information from a Google Health profile, in addition to meeting the above conditions you must:

  • Only share Google Health user data with additional parties with explicit opt-in consent from the user, or in the following limited circumstances:
    • When provided to your subsidiaries, affiliated companies, subcontractors, or agents for the purpose of processing personal information on your behalf, and only if you require that these parties agree to process such information based on your instructions and in compliance with your privacy policy and any other appropriate confidentiality and security measures (e.g., a security vendor for purposes of evaluating the security of your systems, or a backup storage service for the purposes of storing backup data on your behalf only).
    • You have a good faith belief that access, use, preservation, or disclosure of such information is reasonably necessary to (a.) satisfy any applicable law, regulation, legal process, or enforceable governmental request, (b.) enforce applicable terms of service, including investigation of potential violations thereof, (c.) detect, prevent, or otherwise address fraud, security, or technical issues, or (d.) protect against imminent harm to the rights, property, or safety of your users or the public as required or permitted by law.
  • If any of the user's data will be used for targeted advertising or research purposes, the user’s consent is required.
  • Require users to agree with your privacy policy and only use Google Health user data for the purposes disclosed in your privacy policy. Also, you must notify both Google and your users of any changes in your privacy policy at least 30 days in advance.
  • Obtain consent prior to implementing material changes. Institutions are prohibited from using any user data for purposes that the user did not already consent to. Should your institution come up with a new application or use for any user data, the user’s opt-in consent must be obtained before using the data in that manner.

An institution retrieving health information from a Google Health profile must not:

  • Sell user data to a third party, whether personally identifiable or in aggregate form.

Please note that if you are subject to the Health Insurance Portability and Accountability Act (HIPAA), either as a covered entity or a business associate, your institution must comply with all of the HIPAA requirements, and the requirements of HIPAA rather than requirements of this section ("Data Use Policy") will apply to your institution. If permitted by law, you must notify us if your organization becomes the subject of a HIPAA criminal investigation or has been assessed a civil penalty under HIPAA.

UI GUIDELINES

If your institution desires to send or retrieve health information from a Google Health profile, you must:

  • Maintain easily accessible and readable Terms & Conditions and contact information.
  • Maintain an easily accessible and readable privacy policy.
    • Your privacy policy should be designed to be read and understood by the typical user.
    • The policy must contain any and all disclosures required by law, including but not limited to:
      • What data you collect and how it is stored on your servers.
      • Whether and how you are sharing data with third parties.
      • In what form data is being shared with third parties (anonymous, semi-anonymous, etc.).
      • How you are using Google Health user data (including whether or not it will be used for advertising purposes).
      • If you are a HIPAA covered entity, you may comply with this policy by complying with HIPAA’s privacy notice requirements.
  • Comply with the Google Software Principles

An institution sending or retrieving data to a Google Health profile must not:

  • Share your private certificate or a Google Health user's AuthSub or OAuth token with any third party.
  • Advertise on Google Health.

During the account creation process, you must clearly inform the user if any of the user's data will be used for targeted advertising or research purposes.

The landing page (the target of the "Link to Profile" button) must:

  • Prominently show the name of your institution or application (which must match the name shown in Google Health).
  • Show the official Google Health logo.
  • Describe the integration and highlight its benefits.
  • Have a link to your Terms & Conditions.
  • Have a link to your privacy policy (which must match the link shown within the long description on the Google Health services page).
  • Have a link to go back to Google Health; the text for the link should read "Go back to Google Health" and the link should be equivalent to the browser's "back" button.
  • Have a single prominent link to either begin the registration process for your service, or commence linking with Google Health.
  • Not have teasers or ads for other services.

Your service must also have a clearly visible link called "Unlink from Google Health" that allows users to unlink your website from their Google Health profiles. You must also allow users to re-link registered accounts to their Google Health profiles. If your institution reads from Google Health profiles, it must either automatically retrieve the latest data from the profiles upon login, or allow the user to initiate another read to retrieve any updates to the Google Health profile.

You must allow Google to actively test your integration by providing at least two test accounts prior to launch, and must maintain them as long as the integration is live. Test accounts must be pre-populated with a variety of data, and have regular updates of synthetic data. Specific data attributes may be requested by the Google Health Team.

DATA SECURITY

If your entity is covered by HIPAA or is a business associate of a HIPAA-covered entity, you must comply with the HIPAA security rule. For other entities, you must use generally adopted industry web security standards for controlling access to your servers and user accounts. We suggest reviewing the HIPAA security rule for a good list of issues to consider when designing your security infrastructure. While not all the items in the rule will apply to all companies, most of the items they discuss are good security principles for any web service that holds user data. In addition, (whether you are covered by HIPAA or not) you must comply with all technical specifications provided in the Google Health API documentation, and you must notify Google if you experience a breach or misuse of information which includes any data from Google Health, including any breach in connection with transmission of data to Google Health.

NOTICES

Google Health gives integrated institutions the opportunity to provide notices to users. To ensure a positive user experience, you must abide by these guidelines:

  • Notices must be informational and not promotional.*
  • Links in notices must open in a new window or provide a working back button.

* Definition of promotional: Promotional materials are any materials that promote a product or service - such as encouraging the user to purchase or "ask their doctor" about a specific item. This includes coupons and sale announcements, as well as drug advertisements.

INTEGRATION APPROVAL

Any proposed integration with Google Health must first be reviewed and approved by the Google Health team per all policies described in this document. You will also be required to agree to the Terms of Service.

To submit your health data provider integration for review, please fill out this form. To submit your third-party service integration for review, please fill out this form.

ONLINE PHARMACY QUALIFICATION PROCESS

Online pharmacies will be permitted to integrate with Google Health only after completing Google's online pharmacy qualification process. The requirements are the same as those of online pharmacies utilizing Google AdWords.

BRANDING GUIDELINES FOR GOOGLE HEALTH INTEGRATIONS

Guidelines for how to promote or describe your integration:

By listing yourself as a Google Health integrated service, Google does not endorse or otherwise affiliate itself with your website or institution. You may not display the Google Health logo or descriptive web copy in a way that implies such an endorsement. Your website or institution should only display the Google Health logo or descriptive web copy to emphasize a technical integration.

In describing your service, refrain from using the words "joint developer".

Google Health Logo Use and Guidelines:

If you've successfully integrated with Google Health and remain in good standing, please display the Google Health logo on your service. This logo informs prospective users that you are integrated with Google Health. You may not alter the size, shape, color, or any other aspect of the Google Health logo provided by Google. Any use of the Google Health product name, logo, or associated imagery not explicitly authorized in this section is strictly prohibited.

The logo must:

  • Be clearly legible and visible so that it stands out against the background.
  • Remain in its natural horizontal state, and not be rotated.
  • Not be the first or largest logo on the page. The Google Health logo should not be larger than your own logo.

Placement of Google Health logo on your service:

The following are the areas on your service where you can use the Google Health Logo:

  • Sign-in pages used during the Google Health linking process.
  • Pages used for linking and unlinking to Google Health.
  • Pages used for updating Google Health settings. (e.g., Token Status, Last Send Date, etc)
  • Any notices or messages that your website displays related to Google Health.
  • Product description or overview pages for services that integrate with Google Health.
  • Next to a promotional item showcasing Google Health integration on your corporate homepage.

Use of the Google Health trademark:

Treat the phrase “Google Health” as you would a logo, following these simple guidelines: Review Google's Trademark Guidelines for information on using Google's trademarks.

  • Don’t use it as a verb or adjective.
  • Don’t translate it into a language other than English.
  • Don’t modify it through hyphenation, combination, or abbreviation.
  • Don’t shorten or abbreviate it, or turn it into an acronym.

Trademarks are important business assets that decrease in value when used incorrectly. When creating your integrated service, keep in mind that you are fully responsible for your service's content and for adhering to our Terms and Conditions, which prohibit intellectual property infringement.

For more information on branding and trademarks, see Google's Corporate Branding Guidelines.

Screenshots:

You may not capture or reproduce Google Health screenshots and list them on your service without written approval from Google.

Guidelines around reproducing the Google Health logo and copy in sales materials:

You may not reproduce the Google Health logo or describe the service and use the Google trademark name in any sales materials or marketing collateral without written permission from Google first. Any inclusion of the Google Health logo in your marketing materials must be approved in advance in writing by Google. This includes online and offline advertising and collateral, such as case studies, client and referral lists, sales presentations, print, broadcast, outdoor or online ads, product demos, signage, and trade show booths.

Google Health will occasionally highlight certain integrations in our own online and offline marketing materials. Integrations that are promoted in this way will not receive any form of preferential treatment in the actual Google Health listings or our search results.

Guidelines for Press Releases:

Google generally does not issue releases to announce integrations. Any institution wishing to issue a press release that refers to Google or Google Health by name must get prior approval in writing from Google's health team staff and public relations department.

For more information on promotions, see Google's Corporate Branding Guidelines.

Please note that we reserve the right to disapprove any listing for any reason and to modify or amend our policies at any time. If we amend this policy, you have 90 days to bring yourself into compliance with the new policy.

September 2, 2010

©2010 Google - Help Center - Google Health Privacy Policy - Terms of Service - Google Home