Google’s work to help Ascension, the nation’s largest nonprofit health system, collect and analyze data on millions of patients is coming under intense scrutiny from lawmakers, privacy advocates and regulators.
The project received little attention until a Wall Street Journal report on Monday that noted the initiative may already have health data on millions of Americans and that patients had not been notified.
The two companies have insisted they have safeguards to protect the data and patients’ privacy, but lawmakers and consumer advocates pounced on the news.
“That a health care provider could be furnishing sensitive health data, directly tied to patient names and dates of birth and without the knowledge or consent of doctors or patients, to Google should be deeply unsettling,” Sen. Mark Warner (D-Va.), a vocal tech industry critic, told The Hill in a statement.
The report said the data included doctors’ diagnoses, medical records and medical test results along with names and other vital statistics, and that some Google employees may have had access to the data. And the quantity of the data — Ascension, a Catholic health system, operates more than 2,600 care centers and has millions of patients — added to the concerns.
The report also comes as Google is already facing investigations and criticisms over its practices from privacy to competition. And The Wall Street Journal reported late Tuesday night that the health project has sparked a new federal inquiry. The Office for Civil Rights in the Department of Health and Human Services will investigate whether the project “fully implemented” HIPPA protections, a reference to the Health Insurance Portability and Accountability Act and its rules on handling health care data.
After the Journal detailed the partnership, the two companies quickly sought to quell any potential firestorm over the project, code-named “Nightingale,” saying that it was intended to help Ascension manage data to improve care and was compliant with health privacy laws already on the books. The companies said the move would improve communication among health providers and tap Google’s artificial intelligence programs to improve services for patients.
In a press release posted hours after the Journal report, Google said Ascension was using Google’s cloud services to “securely manage their patient data, under strict privacy and security standards,” including HIPAA.
“As the healthcare environment continues to rapidly evolve, we must transform to better meet the needs and expectations of those we serve as well as our own caregivers and healthcare providers,” said Eduardo Conrado, an executive vice president at Ascension.
And the president of Google Cloud, Tariq Shaukat, defended the project: “By working in partnership with leading healthcare systems like Ascension, we hope to transform the delivery of healthcare through the power of the cloud, data analytics, machine learning, and modern productivity tools—ultimately improving outcomes, reducing costs, and saving lives.”
Experts who spoke to The Hill agreed that the Google-Ascension partnership does not violate HIPAA, the 1996 rule that regulates health data privacy.
“There are many areas in which the HIPAA privacy rules give the covered entities wide leeway to use information,” Mark Rothstein, a public health law scholar at the University of Louisville, said.
Google’s cloud services could be interpreted as “quality improvement,” one of HIPAA’s permitted uses for business associates, he explained.
“Within the letter of the law it appears to be meeting all of HIPAA requirements,” said Margaret Riley, a law professor at the University of Virginia who focuses on health law.
But those statements are unlikely to address the concerns of Google’s critics.
Warner said that Google has faced questions over its privacy practices in the past and suggested that the Department of Health and Human Services place a “moratorium on permissive data sharing arrangements for any company already under a consent decree agreement for serious privacy and security violations.”
The Hill reached out to Google for comment. Ascension directed The Hill to Monday’s press release.
The move comes as the tech industry increasingly is moving into the health care space.
Earlier this month, Google also announced plans to purchase health wearables maker Fitbit, a move that could invite an antitrust review.
The Ascension work is likely to increase pressure on Congress to modernize health data protections for the digital age.
Sens. Amy Klobuchar (D-Minn.) and Lisa Murkowski (R-Alaska) in June introduced the Protecting Personal Health Data Act, which give consumers more control over their health data.
“This collaboration isn’t the only one that raises serious privacy concerns,” Klobuchar, who is running for president, told The Hill in a statement about Google’s work. She also cited concerns with technology like smartwatches and home DNA kits that also collect personal data.
“Congress should enact legislation I introduced with Senator Murkowski, the Protecting Personal Health Data Act, that would require the Department of Health and Human Services to work with the Federal Trade Commission and issue meaningful regulations that protect private health data not covered under existing privacy law,” Klobuchar added.
The House is also considering new health data policy rules, and a House Energy and Commerce Committee spokesperson said that “meaningful protections and consumer control for health data not covered by HIPAA” will be included in upcoming comprehensive privacy legislation.
Much of the criticism, though, has centered on Google, with privacy advocates skeptical of the company’s promises.
Some critics worry that the tech giant will invariably use the data from Ascension for other, non-health related purposes.
“Health care data is very personal, and Google doesn’t have a track record to protect [it],” said Daniel Hanley, a policy analyst at the Open Markets Institute, a think tank critical of Silicon Valley. “They’ve already shown that they’re going to integrate their data … that’s the core of their business model.”
Others also raised questions about what they saw as secrecy around the project. The work was little noticed before Monday’s report outside of a brief mention in a second-quarter Google earnings call.
Ray D’Onofrio, a principal data architect at the digital tech consultancy SPR, said that secrecy added to the scrutiny.
“When Haven was announced,” he said, referencing a health care project founded by Amazon, Berkshire Hathaway and JPMorgan Chase, “why didn’t people like freak out over that?
“I think this was a lot more about how it was done and who did it.”