HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Google Confirms it has Legitimate Access to Millions of Ascension Patients’ Health Records

Following a report in the Wall Street Journal, Google has confirmed it is collaborating with one of the largest healthcare systems in the United States, which gives it access to a huge volume of patient data.

Google has partnered Ascension, the world’s largest catholic health system and the second largest non-profit health system in the United States. Ascension operates more than 2,600 healthcare facilities in 21 states, including 150 hospitals and over 50 senior living facilities.

The collaboration has given Google access to patient health information such as names, dates of birth, medical test results, diagnoses, treatment information, service dates, and other personal and clinical information.

The project – code name Project Nightingale – had been kept under the radar prior to the WSJ Report, which claimed that at least 150 Google employees have allegedly been able to access patient data as part of the project and that access to patient data had been granted without patients or physicians being informed. Both Google and Ascension made announcements about the Project Nightingale collaboration after the WSJ story was published.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

In a November 11 press release, Ascension said it “is working with Google to optimize the health and wellness of individuals and communities, and deliver a comprehensive portfolio of digital capabilities that enhance the experience of Ascension consumers, patients and clinical providers across the continuum of care.”

Google explained in its announcement that it had previously mentioned the collaboration in July 2019 in its Q2 earnings call, in which it stated, “Google Cloud’s AI and ML solutions are helping healthcare organizations like Ascension improve the healthcare experience and outcomes.”

Google explained in its November 11 blog post that collaboration with Ascension is focused on A) Shifting Ascension’s infrastructure to the Google Cloud platform; B) Helping Ascension implement G Suite productivity tools and; C) Extending tools to doctors and nurses to improve care. Google also stated that some of the tools it is working on are not yet active in clinical development and are still in the early testing stage, hence the code name, Project Nightingale.

Another goal of the collaboration is to use Google’s considerable computing capabilities to analyze patient data with a view to developing software that leverages its AI and machine learning technology to deliver more targeted care to patients.

Ascension said the it will be “Exploring artificial intelligence/machine learning applications that will have the potential to support improvements in clinical quality and effectiveness, patient safety, and advocacy on behalf of vulnerable populations, as well as increase consumer and provider satisfaction.”

As a business associate of Ascension, Google has confirmed that access to patient data is legitimate and in full compliance with Health insurance Portability and Accountability Act (HIPAA) Rules. Google has signed a BAA with Ascension and has implemented appropriate safeguards to keep patient information secure and is in full compliance with all requirements of HIPAA.

Ascension has also confirmed that the partnership is “underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling.”

It is not standard practice for HIPAA-covered entities to publicly disclose which business associates have been provided with patient data. Healthcare organizations can have hundreds of business associates, each of which performs a set of services on behalf of the covered entity that are necessary for the purposes of treatment, payment, or healthcare operations (TPO). HIPAA allows patient data to be shared with those entities without authorization from the patient. That would also be true with the Google/Ascension partnership as the use of the cloud for storing patient data is permitted as is the analysis of patient data using AI/machine learning systems if that is also for TPO purposes.

For the vast majority of business associates, any data sharing would not raise major privacy concerns, provided of course that the business associate is fully compliant with HIPAA and has signed a BAA. There are naturally risks associated with providing data to any business associate. Provided those risks are managed and reduced to a reasonable an acceptable level, and data is transferred in a HIPAA-compliant and secure manner, this would be acceptable under HIPAA Rules.

However, in the case of Google, many patients will be concerned about their privacy. Google has access to vast quantities of user data, which could potentially be linked with the health data provided to Google. A report in The Guardian suggests that by the time the migration of data is completed, which is expected to be at some point in March 2020, Google will have access to the health data of around 50 million Ascension patients. The data of around 10 million patients has already been transferred. Since the terms of the business associate agreement between Ascension and Google are unknown, it is not clear exactly what Google is permitted to do with the data. That, for many, will certainly be a cause for concern.

According to The Guardian report, a whistleblower who works for Project Nightingale said the data provided has not been de-identified. The whistleblower also expressed concern about the controls in place to prevent data being downloaded by Google employees. Google is also permitted to use the patient data to build its own products, which can then be sold to third parties.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.