Scrutiny of Google's Access to Patient Data IntensifiesCongress Demands Answers; Advocacy Group Raises Concerns
Ascension healthcare system's sharing of data with Google on millions of patients is drawing increased scrutiny from members of Congress as well as privacy advocates.
See Also: HIPAA Audits: A Revised Game Plan
On Nov. 11, Google and Ascension announced a partnership that they say is designed to improve patient care.
St. Louis-based Ascension, a Catholic health system with more than 2,600 care facilities, including 150 hospitals, is migrating its on-premises data warehouse and analytics infrastructure to a Google cloud environment; using Google G productivity tools for Ascension employees to communicate and collaborate in real time; and implementing Google's artificial intelligence and machine learning technologies to support improvements in clinical quality and patient safety.
As part of that arrangement, Ascension reportedly is providing Google access to the health information of 50 million patients in 20 states and the District of Columbia without their permission.
That data sharing project, dubbed "Nightingale," raised serious privacy concerns. While Google contends that the data sharing complies with HIPAA, some members of Congress and privacy advocates have questioned the ethics of the arrangement.
Latest Questions from Congress
Among the members of Congress who have recently raised concerns is Rep. Pramila Jayapal, D-Wash.
Jayapal sent a Dec. 6 letter to Google executives asking for responses by Jan. 5 to a series of questions about the organizations' practices involving the collection of health and medical data and procedures for protecting that information.
"There have been multiple incidents that cause me to have serious concerns about Google and Alphabet Inc.'s ability to properly safeguard sensitive health and medical information," wrote Jayapal, a member of the House judiciary subcommittee on antitrust, commercial and administrative law, in her letter.
Jayapal cited a Wall Street Journal report about an insider working on Project Nightingale who alleged that "personally identifiable healthcare data was being haphazardly transferred to Google without proper safeguards and security in place.'"
Last month, the House Energy and Commerce Committee also sent letters to Google and Ascension seeking answers about the organizations' health data sharing practices and steps being taken to protect that information.
Privacy Advocate's Concerns
Meanwhile, privacy advocacy group Citizens' Council for Health Freedom on Dec. 6 sent a letter to the Department of Health and Human Services' Office for Civil Rights voicing concerns about the Google/Ascension relationship and requesting that OCR put into place measures that the group says would help strengthen patient privacy protections.
"We believe the Ascension-Google contract is legal, as much as we wish it were not so," wrote CCFH president Twila Brase in the letter. "Both companies point to the 'healthcare operations' data-sharing provision of HIPAA. This provision is a nearly 400-word long list of at least 65 non-clinical business activities. In short, the provision is an open door to data sharing."
Under the HIPAA Privacy Rule, covered entities such as hospitals are permitted to disclose protected health information about an individual, without the individual's authorization, for treatment or payment purposes as well for certain healthcare business operations.
"The shocking disclosure that the Ascension healthcare system is sharing the medical records of 50 million people ... with Google shows clearly that HIPAA does not protect patient privacy, was never written to protect patient privacy, and has been used to deceive Americans into believing they have privacy rights when they have none," Brase wrote.
CCHF requests that OCR "restore informed, written, voluntary patient consent for the sharing and use of all patient data, identified or de-identified," Brase wrote. "Notably, this means opt-in consent, not opt-out dissent. OCR must also prohibit single-signature, bundled, consolidated consent forms that include consent for treatment and consent for data sharing and more in a single form."
OCR declined to comment on the status of the agency's investigation into the Google/Ascension data sharing collaboration.
In a Nov. 13 in a statement provided to ISMG, Roger Severino, OCR director, said: "OCR would like to learn more information about this mass collection of individuals' medical records with respect to the implications for patient privacy under HIPAA."
Neither Google nor Ascension immediately responded to ISMG's request for comment on the scrutiny of their collaborative efforts.
Ascension Describes Project
Ascension, in its announcement on Nov. 11 about its collaboration with Google, said the work will "optimize the health and wellness of individuals and communities, and deliver a comprehensive portfolio of digital capabilities that enhance the experience of Ascension consumers, patients and clinical providers across the continuum of care."
That includes using technology to improve consumer engagement and "arming caregivers with insights that allow them to better predict and manage patient needs," Ascension said.
The arrangement will also improve "the efficiency of Ascension's technology operations so that resources can be shifted from running isolated solutions to innovating within integrated platforms," the health system said.
Ascension said it is modernizing its infrastructure by transitioning "to the secure, reliable and intelligent Google cloud platform. Key elements of this work will focus on network and system connectivity, data integration, privacy and security, and compliance."
The collaboration with Ascension is not the only partnership that Google has with a health sector organization, although it appears to be the most extensive.
Google is also working with other large health related entities, including Mayo Clinic, Cleveland Clinic and McKesson in cloud and data analytics-related initiatives.
Google also has recently attracted Congressional scrutiny over its plans to buy wearable health tracker maker Fitbit (see: Bill Aims to Fill Consumer Health Device Data Privacy Gap).
Privacy legislation introduced on Nov. 14 by senators Bill Cassidy, M.D., R-La., and Jacky Rosen, D-Nev. would prevent companies that collect data via these devices from transferring, selling, sharing or allowing access to the information without a consumer's consent.