It is individually identifiable for the milliseconds it takes the software to link your email address (and thus, your identity) and that word to a product and authorize the sending of the targeted ad. That may be legally sufficient to trigger HIPPA (and other statutory) penalties, but we won't know for sure until after all the legal proceeding shave ended.I'm going based on the wording presented. "(2) obtains individually identifiable health information relating to an individual;" Without context, a lone word (like "catheter") does not comprise health information. Without metadata about who used the word, it is not individually identifiable.
And "individually" has been broadly construed in the past.
If you were in a doctor's office asking for a catheter for an ailing relative, and a 3rd party catheter salesman overhears that and sends you info on his company's catheters, the violation is still there. You're acting as an agent for this relative, so you are under that person's umbrella of privacy. Even though the commercial speech was misdirected to you- the agent- and he actual patient was not actually identified, the breach of the patient's privacy has occurred, and the catheter salesman could be slapped with a HIPPA penalty.
(Note- if you were acting as a oateint's agent and directly queried the salesman, there would be no violation.)
Google advertisers do not use their own infrastructure. The advertiser submits an image and link to Google, along with information about when the ad should be shown. This is stored by Google, and the ad is served up from Google's servers. At the end of the month, the advertiser receives a report about impressions. Google does not send a query to the advertiser's computers. That would be slow, and would fail if that company's servers were down. If Google did do this, it would be anonymized ("I want an image for case #3"), which Google would then insert into the page for them. The advertiser does *not* get a direct link to you.
Sorry I was a bit unclear- I don't think the advertisers themselves will be found liable, precisely for the reasons you state. When I said "in concert" I didn't mean that the advertisers' software or employees had any access to the triggering data, just that this is a commercial exercise by Google & the advertisers that falls well outside of the permissible use of private data.
I expect their lawyers have been over that with a fine-toothed comb
True, but until there is a lawsuit before a judge (and possibly, a jury*) and/or actual case law on point, its just considered opinions.
Many a legal scholar has been surprised by the final outcome of a case.
Well, for one thing, if you haven't deleted the e-mail, the word is still there! If you deleted it less than 30 days ago, it may still be sitting in your trash, still not completely deleted.
Beyond that, for search criteria and page visits, I think the standard way is through browser cookies. I don't know if Google sets browser cookies based on e-mail content. So, there's a file on your own machine that says, in essence, "Keyword X got mentioned". When it needs to, Google asks your machine what keywords got mentioned in this browser, and your browser tells Google. The transaction is still between you and Google. In the basic case, it doesn't connect that keyword to you, personally, only to the browser.
I'm thinking specifically of politically themed adverising I receive almost daily, and the only political emails I had were sent to me (not by me) and were quickly deleted...some without reading them. (I know the sender.)
This has been going on the better part of 2 years.