Google’s work to help Ascension, the nation’s largest nonprofit health system, collect and analyze data on millions of patients is coming under intense scrutiny from lawmakers, privacy advocates and regulators.
The project received little attention until a Wall Street Journal report on Monday that noted the initiative may already have health data on millions of Americans and that patients had not been notified.
The two companies have insisted they have safeguards to protect the data and patients’ privacy, but lawmakers and consumer advocates pounced on the news.
“That a health care provider could be furnishing sensitive health data, directly tied to patient names and dates of birth and without the knowledge or consent of doctors or patients, to Google should be deeply unsettling,” Sen. Mark Warner (D-Va.), a vocal tech industry critic, told The Hill in a statement.
The report said the data included doctors’ diagnoses, medical records and medical test results along with names and other vital statistics, and that some Google employees may have had access to the data. And the quantity of the data — Ascension, a Catholic health system, operates more than 2,600 care centers and has millions of patients — added to the concerns.
The report also comes as Google is already facing investigations and criticism over its practices, from privacy to competition. And The Wall Street Journal reported late Tuesday night that the health project has sparked a new federal inquiry. The Office for Civil Rights in the Department of Health and Human Services will investigate whether the project “fully implemented” HIPAA protections, a reference to the Health Insurance Portability and Accountability Act and its rules on handling health care data.
After the Journal detailed the partnership, the two companies quickly sought to quell any potential firestorm over the project, code-named “Nightingale,” saying that it was intended to help Ascension manage data to improve care and was compliant with health privacy laws already on the books. The companies said the move would improve communication among health providers and tap Google’s artificial intelligence programs to improve services for patients.
In a press release posted hours after the Journal report, Google said Ascension was using Google’s cloud services to “securely manage their patient data, under strict privacy and security standards,” including HIPAA.
“As the healthcare environment continues to rapidly evolve, we must transform to better meet the needs and expectations of those we serve as well as our own caregivers and healthcare providers,” said Eduardo Conrado, an executive vice president at Ascension.
And the president of Google Cloud, Tariq Shaukat, defended the project: “By working in partnership with leading healthcare systems like Ascension, we hope to transform the delivery of healthcare through the power of the cloud, data analytics, machine learning, and modern productivity tools—ultimately improving outcomes, reducing costs, and saving lives.”
Experts who spoke to The Hill agreed that the Google-Ascension partnership does not violate HIPAA, the 1996 rule that regulates health data privacy.
“There are many areas in which the HIPAA privacy rules give the covered entities wide leeway to use information,” Mark Rothstein, a public health law scholar at the University of Louisville, said.
Google’s cloud services could be interpreted as “quality improvement,” one of HIPAA’s permitted uses for business associates, he explained.