Google Health

Google Health Integration Policies

DATA USE POLICY

The Google Health APIs enable institutions to send and access health information from users’ Google Health profiles after permission has been granted. Google takes the privacy of its users’ data very seriously, and all institutions wishing to connect to Google Health must abide by the policies outlined below, as well as applicable law.

If your institution desires to send or retrieve health information from a Google Health profile, you must:

  • Maintain a privacy policy that is easily accessible on your landing page. Your privacy policy should be designed to be read and understood by the typical user. The policy must contain any and all disclosures required by law, including but not limited to:
    • What data you collect and how it is stored on your servers.
    • Whether and how you are sharing data with third parties.
    • In what form data is being shared with third parties (anonymous, semi-anonymous, etc.).
    • How you are using Google Health user data (including whether or not it will be used for advertising purposes).
  • Only share Google Health user data with additional parties with explicit opt-in consent from the user, or in the following limited circumstances:
    • When provided to your subsidiaries, affiliated companies, subcontractors, or agents for the purpose of processing personal information on your behalf, and only if you require that these parties agree to process such information based on your instructions and in compliance with your privacy policy and any other appropriate confidentiality and security measures (e.g., a security vendor for purposes of evaluating the security of your systems, or a backup storage service for the purposes of storing backup data on your behalf only).
    • When you have a good faith belief that access, use, preservation, or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process, or enforceable governmental request, (b) enforce applicable terms of service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security, or technical issues, or (d) protect against imminent harm to the rights, property, or safety of your users or the public as required or permitted by law.
  • Clearly inform the user during the account creation process if profile information will be used for targeted advertising or research purposes. If so, the user’s consent is required.
  • Allow users to permanently delete and purge the data derived from their Google Health profiles; backup copies may exist for a short time.
  • Require users to agree with your privacy policy and only use Google Health user data for the purposes disclosed in your privacy policy. Also, you must notify both Google and your users of any changes in your privacy policy at least 30 days in advance.
  • Obtain consent prior to implementing material changes. Institutions are prohibited from using any user data for purposes that the user did not already consent to. Should your institution come up with a new application or use for any user data, the user’s opt-in consent must be obtained before using the data in that manner.
  • Provide a way for users to unlink from their Google Health profile.
  • Clearly label all advertising.
  • Have easily accessible and readable Terms & Conditions and contact information.
  • Notify Google if you experience a breach or misuse of information.
  • Comply with the Google Software Principles.

An institution must not:

  • Sell user data to a third party, whether personally identifiable or in aggregate form.
  • Share your private certificate or a Google Health user's AuthSub token with any third party.
  • Employ aggressive advertising tactics such as popups and popunders.

An institution intending to serve as a health data provider must be able to send personal health information into a user’s Google Health profile. If desired, you can allow users the option to export their Google Health information to your institution.

An institution intending to serve as a third-party service must offer a customized service relevant to the types of data that Google Health supports. You may not access a profile if it will not be directly used to provide such customized services.

Please note that if you are subject to the Health Insurance Portability and Accountability Act (HIPAA), either as a covered entity or a business associate, your institution must comply with all of the HIPAA requirements. To the extent that provisions of HIPAA that apply to your services are inconsistent with the above policies, the HIPAA requirements shall apply. If permitted by law, you must notify us if your organization becomes the subject of a HIPAA investigation.

UI GUIDELINES

The landing page (the target of the "Link to Profile" button) must:

  • Prominently show the name of your organization or application (which must match the name in the Google Health directory).
  • Show the official Google Health logo.
  • Describe the integration and highlight its benefits.
  • Have a link to your privacy policy (which must match the link that will be viewed within the long description on the Google Health services directory page).
  • Have a link to go back to Google Health; the text for the link should read "Go back to Google Health" and the link should be equivalent to the browser's "back" button.
  • Have a single prominent link to either begin the registration process for your website, or commence linking with Google Health.
  • Not have teasers or ads for other services (including ones offered by the company).

Your website must also have a clearly visible link called "Unlink from Google Health" that allows users to unlink your website from their Google Health profiles. You must also allow users to re-link registered accounts to their Google Health profiles.

If your institution reads from Google Health profiles, it must retrieve the latest data from the profiles automatically, retrieve it automatically upon login, or allow the user to initiate another read to retrieve any updates to the Google Health profile.

DATA SECURITY

You must use generally adopted industry web security standards for controlling access to your servers and user accounts. We suggest reviewing the HIPAA security rule for a good list of issues to consider when designing your security infrastructure. While not all the items in the rule will apply to all companies, most of the items they discuss are good security principles for any web service that holds user data. In addition, you must comply with all technical specifications provided in the Google Health API documentation.

NOTICES

Google Health gives integrated institutions the opportunity to provide notices to users. To ensure a positive user experience, you must abide by these guidelines:

  • Promotional* notices must be clearly labeled as promotional.
  • Promotional notices may be sent a maximum of once per week per user and must also give the user the option to opt out of receiving such notices.
  • Links in notices must open in a new window or provide a working back button.

* Definition of promotional: Promotional materials are any materials that promote a product or service - such as encouraging the user to purchase or "ask their doctor" about a specific item. This includes coupons and sale announcements, as well as drug advertisements.

LISTINGS IN THE GOOGLE HEALTH DIRECTORY

The Google Health Directory lists integrations with Google Health that can provide users with either online access to their personal health information, or customized functionality based on their medical information relevant to Google Health. If you are an institution that wants to be included in the directory, your integration must first be reviewed and approved by the Google Health team per all policies described in this document. You will also be required to agree to the Terms of Service.

To submit your health data provider integration for review, please fill out this form.

To submit your third-party service integration for review, please fill out this form.

ONLINE PHARMACY QUALIFICATION PROCESS

Online pharmacies will be permitted in the Google Health Directory only after completing Google's online pharmacy qualification process: http://www.google.com/adwords/pharmacy_qualification.html

The requirements are the same as those of online pharmacies utilizing Google AdWords.

BRANDING GUIDELINES FOR GOOGLE HEALTH INTEGRATIONS

Guidelines for how to promote or describe your integration:

By listing yourself as a Google Health integrated service, Google does not endorse or otherwise affiliate itself with your website or institution. You may not display the Google Health logo or descriptive web copy in a way that implies such an endorsement. Your website or institution should only display the Google Health logo or descriptive web copy to emphasize a technical integration.

In describing your website, refrain from using words like "partner", "joint developer", or "platform or application provider". Instead, please refer to your institution as a Google Health data provider or Google Health integrated service (depending on which integration type was approved).

Google Health Logo Use and Guidelines:

If you've successfully integrated with Google Health and remain in good standing, please display the Google Health logo on your website. This logo informs prospective users that you are integrated with Google Health. You may not alter the size, shape, color, or any other aspect of the Google Health logo provided by Google. Any use of the Google Health product name, logo, or associated imagery not explicitly authorized in this section is strictly prohibited.

The logo must:

  • Be clearly legible and visible so that it stands out against the background.
  • Remain in its natural horizontal state, and not be rotated.
  • Not be the first or largest logo on the page. The Google Health logo should not be larger than your own logo.

Placement of Google Health logo on your website:

The following are the areas on your website where you can use the Google Health logo:

  • Sign-in pages used during the Google Health linking process.
  • Pages used for linking and unlinking to Google Health.
  • Pages used for updating Google Health settings (e.g., Token Status, Last Send Date, etc.).
  • Any notices or messages that your website displays related to Google Health.
  • Product description or overview pages for services that integrate with Google Health.
  • Next to a promotional item showcasing Google Health integration on your corporate homepage.

Use of the Google Health trademark:

Treat the phrase “Google Health” as you would a logo, following these simple guidelines:

  • Review Google's Trademark Guidelines for information on using Google's trademarks.
  • Don’t use it as a verb, adjective, or noun.
  • Don’t translate it into any language other than English.
  • Don’t modify it through hyphenation, combination, or abbreviation.
  • Don’t shorten or abbreviate it, or turn it into an acronym.

Trademarks are important business assets that decrease in value when used incorrectly. When creating your integrated service, keep in mind that you are fully responsible for your website’s content and for adhering to our Terms and Conditions, which prohibit intellectual property infringement.

For more information on branding and trademarks, see Google's corporate Branding Guidelines at http://www.google.com/permissions/guidelines.html.

Screenshots:

You may not capture or reproduce Google Health screenshots and list them on your website without written approval from Google.

Guidelines around reproducing the Google Health logo and copy in sales materials:

You may not reproduce the Google Health logo, describe the service, or use the Google trademark name in any sales materials or marketing collateral without first obtaining written permission from Google. Any inclusion of the Google Health logo in your marketing materials must be approved in advance in writing by Google. This includes online and offline advertising and collateral, such as case studies, client and referral lists, sales presentations, print, broadcast, outdoor or online ads, product demos, signage, and trade show booths.

Google Health will occasionally highlight certain integrations in our own online and offline marketing materials. Integrations that are promoted in this way will not receive any form of preferential treatment in the actual Google Health Directory or our search results.

Guidelines for Press Releases:

Google generally does not issue releases to announce integrations. Any institution wishing to issue a press release that refers to Google or Google Health by name must get prior approval in writing from Google's health team staff and public relations department.

For more information on promotions, see Google's branding guidelines at http://www.google.com/permissions/.

Please note that we reserve the right to disapprove any listing for any reason and to modify or amend our policies at any time.

March 19, 2009