by dragonwriter 2412 days ago
> Does anybody enforce this or do we just take Google at their word?

Yes, the DHHS Office of Civil Rights enforces HIPAA Privacy and Security rules. That enforcement is reactive, as there is no independent regular compliance certification or monitoring required, which is a weakness; but the fact that detection of a violation can lead to personal as well as institutional penalties, and that those penalties are criminal as well as civil, means it's not a risk that decision-makers tend to be willing to take on just because it would (so long as undetected) provide a business opportunity.


Thank you. So this department has the authority and capability to ensure (to a reasonable degree) that Google does not abuse this data?

They have the job of doing so for the whole healthcare industry, and certainly have the authority. Capability is a question I'm less comfortable answering, but I would say that I see no evidence that they have a Google-specific problem in that regard. There is definitely a lot that could be done to improve enforcement capacity in the health data privacy and security space, and that's definitely something that should be pursued independently of whether some firms choose Google as BA.