Privacy Analysis: Google Accesses Patient Data on MillionsMassive Research Project With Ascension Health System Raises Concerns
This article has been updated
A newly disclosed collaboration between Google and the massive Ascension healthcare system that the partners say is designed to improve patient care is raising serious privacy concerns. That’s because the project involves Ascension sharing with Google data on millions of its patients – without their permission.
Google contends that the data sharing is HIPAA compliant. But some observers question the ethics of the arrangement.
“This reaches into the region where bio-ethics and the lack of techno-ethics collide. This should be alarming to Ascension clients,” says technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C.
”In my opinion … Google does not have a history of respecting privacy rights … and it is shocking that Ascension would do business with an entity that has a questionable - at best - historical reputation for respecting individuals privacy.”
Meanwhile, federal regulators are also already scrutinizing the Google/Ascension arrangement for compliance with HIPAA.
In a statement Wednesday to Information Security Media Group, the Department of Health and Human Services' Office for Civil Rights Director Roger Severino says, "OCR would like to learn more information about this mass collection of individuals’ medical records with respect to the implications for patient privacy under HIPAA."
St. Louis-based Ascension is a Catholic health system with more than 2,600 care facilities, including 150 hospitals.
Under the alliance, Ascension is migrating its on-premises data warehouse and analytics infrastructure to a Google cloud environment; using Google G productivity tools for Ascension employees to communicate and collaborate in real time; and implementing Google’s artificial intelligence and machine learning technologies to support improvements in clinical quality and patient safety.
As part of that arrangement, Ascension is providing Google access to the health information of millions of its patients in 20 states and the District of Columbia, according to a report Monday in the Wall Street Journal.
Among the patient data Ascension is sharing with about 150 Google employees in a project dubbed “Nightingale” is patient names, lab results, diagnoses, hospitalization records, health histories and date of birth, the Wall Street Journal reports. Neither patients nor physicians were informed that Google was collecting the data, according to the newspaper.
”Some of the solutions we are working on with Ascension are not yet in active clinical deployment, but rather are in early testing,” wrote Tariq Shaukat, president of industry products and solutions at Google Cloud in a blog Monday about the partnership. “This is one of the reasons we used a code name for the work - in this case, ‘Nightingale’.”
Meanwhile, on Tuesday, The Guardian reported that a whistleblower who works on the Nightingale project says that by the time the data transfer between Ascension and Google is completed next March, it will have passed the personal data of 50 million patients to Google.
In a statement Monday, Ascension said its work with Google will “optimize the health and wellness of individuals and communities, and deliver a comprehensive portfolio of digital capabilities that enhance the experience of Ascension consumers, patients and clinical providers across the continuum of care.”
That includes using technology to improve consumer engagement and “arming caregivers with insights that allow them to better predict and manage patient needs,” Ascension says.
The arrangement will also improve “the efficiency of Ascension’s technology operations so that resources can be shifted from running isolated solutions to innovating within integrated platforms,” the health system says.
Ascension is modernizing its infrastructure by transitioning “to the secure, reliable and intelligent Google cloud platform,” the healthcare provider says in its statement. “Key elements of this work will focus on network and system connectivity, data integration, privacy and security, and compliance.”
Ascension says it’s transitioning to Google’s G Suite productivity and collaboration tools in an effort to “enhance Ascension associates’ ability to communicate and collaborate securely in real time, supporting interdisciplinary care and operations teams across Ascension sites of care.”
In addition, Ascension is working with Google on artificial intelligence and machine learning applications “that will have the potential to support improvements in clinical quality and effectiveness, patient safety, and advocacy on behalf of vulnerable populations, as well as increase consumer and provider satisfaction,” the healthcare provider says.
All the work related to Ascension’s engagement with Google “is HIPAA compliant and underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling,” Shaukat wrote in his blog.
”We have a business associate agreement with Ascension, which governs access to protected health information for the purpose of helping providers support patient care,” Shaukat wrote.
”To be clear, under this arrangement, Ascension’s data cannot be used for any other purpose than for providing these services we’re offering under the agreement, and patient data cannot and will not be combined with any Google consumer data.”
While Google is working with other large healthcare sector entities, including Cleveland Clinic and McKesson in cloud related initiatives – and competitors such as Amazon, Microsoft and Apple are also expanding their efforts in the healthcare arena - the deal between Google and Ascension appears to be the most extensive to date, according to the Wall Street Journal.
Meanwhile, a class action lawsuit filed earlier this year in an Illinois federal court against Google and the University of Chicago Medical Center alleges patients' electronic health records were not properly de-identified by the hospital before they were shared with Google to support the company's predictive medical data analytics technology development efforts.
“What does the agreement between Ascension and Google permit Google to do - or more likely, restrict, if at all?”
—Steven Teppler, Mandelbaum Salsburg P.C.
Anytime health information is shared with a third party, there is always some security and privacy risks, notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
“But this risk must be weighed against the potential benefits, and the parties need to put appropriate safeguards in place,” he says.
”The use of the cloud services creates a different set of risks, but, when configured properly, I expect leads to better security than if the information were kept locally at the healthcare provider.”
Undermining Patient Privacy?
Some other privacy experts say the Ascension/Google arrangement – even if it complies with HIPAA - will ultimately undermine patient privacy.
Psychoanalyst Deborah Peel, M.D., founder and president of privacy advocacy group Patient Privacy Rights, says the details emerging about the arrangement between Google and Ascension is “the biggest privacy story of all.”
Peel has long warned about patients losing control over who has access to their sensitive heath data.
”HIPAA stripped Americans of any control over their medical records in 2002,” she tells ISMG. The HIPAA Privacy Rule originally included a “right of consent” provision in 2001 which was replaced in 2002 by a provision “providing regulatory permission for covered entities to use and disclose protected health information for treatment, payment and healthcare operations," she notes.
”Any corporation can claim to need health data for ‘treatment, payment, or healthcare operations,” she says. “I founded Patient Privacy Rights in 2004 because Congress and the U.S. health industry lobby enabled any corporation to control, aggregate and sell the nation's health data.”
But Greene says it’s impractical to give patients the opportunity to opt out of having their healthcare provider share data with business associates, such as Google.
Healthcare providers have hundreds, sometimes thousands, of business associates assisting with a range of services, with analytics and artificial intelligence now included,” Greene says. “I don’t think it is realistic to notify patients of each business associate by name and offer each patient an opportunity to opt out of the use of their information to improve healthcare at the provider.”
Teppler says he wonders what kind of analytics Google is allowed to run on Ascension’s patient data for its own purposes. “What does the agreement between Ascension and Google permit Google to do - or more likely, restrict, if at all?” he asks.
”Certainly, one of the services that Google can provide is de-identification services. Under HIPAA, companies - business associates like Google - are not allowed to de-identify for their own purposes, and can de-identify only for healthcare operations. Once PHI is de-identified, however, it’s no longer considered PHI,” he says.
”After de-identification, Google can use it for whatever is permitted by Ascension - and the details of the agreement with Ascension and Google have not been disclosed to my knowledge.”
The arrangement between Google and Ascensions prompts many privacy-related questions, he adds. “What, if any, use restriction are placed on Google by Ascension post-de-identification? Has Google reserved rights to contact patients directly?
”Most alarming, perhaps is that Google’s own vast reserves of information on hundreds of millions of users will permit it to re-identify, or near-re-identify through the backdoor, permitting near individualized targeted marketing,” Teppler contends.
Neither Ascension nor Google immediately responded to requests by ISMG for additional details about the arrangement, including provisions being put into place for the security and privacy of patient data.