Google Confirms it has Legitimate Access to Millions of Ascension Patients’ Health Records

Share this article on:

Following a report in the Wall Street Journal, Google has confirmed it is collaborating with one of the largest healthcare systems in the United States, which gives it access to a huge volume of patient data.

Google has partnered Ascension, the world’s largest catholic health system and the second largest non-profit health system in the United States. Ascension operates more than 2,600 healthcare facilities in 21 states, including 150 hospitals and over 50 senior living facilities.

The collaboration has given Google access to patient health information such as names, dates of birth, medical test results, diagnoses, treatment information, service dates, and other personal and clinical information.

The project – code name Project Nightingale – had been kept under the radar prior to the WSJ Report, which claimed that at least 150 Google employees have allegedly been able to access patient data as part of the project and that access to patient data had been granted without patients or physicians being informed. Both Google and Ascension made announcements about the Project Nightingale collaboration after the WSJ story was published.

In a November 11 press release, Ascension said it “is working with Google to optimize the health and wellness of individuals and communities, and deliver a comprehensive portfolio of digital capabilities that enhance the experience of Ascension consumers, patients and clinical providers across the continuum of care.”

Google explained in its announcement that it had previously mentioned the collaboration in July 2019 in its Q2 earnings call, in which it stated, “Google Cloud’s AI and ML solutions are helping healthcare organizations like Ascension improve the healthcare experience and outcomes.”

Google explained in its November 11 blog post that collaboration with Ascension is focused on A) Shifting Ascension’s infrastructure to the Google Cloud platform; B) Helping Ascension implement G Suite productivity tools and; C) Extending tools to doctors and nurses to improve care. Google also stated that some of the tools it is working on are not yet active in clinical development and are still in the early testing stage, hence the code name, Project Nightingale.

Another goal of the collaboration is to use Google’s considerable computing capabilities to analyze patient data with a view to developing software that leverages its AI and machine learning technology to deliver more targeted care to patients.

Ascension said the it will be “Exploring artificial intelligence/machine learning applications that will have the potential to support improvements in clinical quality and effectiveness, patient safety, and advocacy on behalf of vulnerable populations, as well as increase consumer and provider satisfaction.”

As a business associate of Ascension, Google has confirmed that access to patient data is legitimate and in full compliance with Health insurance Portability and Accountability Act (HIPAA) Rules. Google has signed a BAA with Ascension and has implemented appropriate safeguards to keep patient information secure and is in full compliance with all requirements of HIPAA.

Ascension has also confirmed that the partnership is “underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling.”

It is not standard practice for HIPAA-covered entities to publicly disclose which business associates have been provided with patient data. Healthcare organizations can have hundreds of business associates, each of which performs a set of services on behalf of the covered entity that are necessary for the purposes of treatment, payment, or healthcare operations (TPO). HIPAA allows patient data to be shared with those entities without authorization from the patient. That would also be true with the Google/Ascension partnership as the use of the cloud for storing patient data is permitted as is the analysis of patient data using AI/machine learning systems if that is also for TPO purposes.

For the vast majority of business associates, any data sharing would not raise major privacy concerns, provided of course that the business associate is fully compliant with HIPAA and has signed a BAA. There are naturally risks associated with providing data to any business associate. Provided those risks are managed and reduced to a reasonable an acceptable level, and data is transferred in a HIPAA-compliant and secure manner, this would be acceptable under HIPAA Rules.

However, in the case of Google, many patients will be concerned about their privacy. Google has access to vast quantities of user data, which could potentially be linked with the health data provided to Google. A report in The Guardian suggests that by the time the migration of data is completed, which is expected to be at some point in March 2020, Google will have access to the health data of around 50 million Ascension patients. The data of around 10 million patients has already been transferred. Since the terms of the business associate agreement between Ascension and Google are unknown, it is not clear exactly what Google is permitted to do with the data. That, for many, will certainly be a cause for concern.

According to The Guardian report, a whistleblower who works for Project Nightingale said the data provided has not been de-identified. The whistleblower also expressed concern about the controls in place to prevent data being downloaded by Google employees. Google is also permitted to use the patient data to build its own products, which can then be sold to third parties. Further concerns were raised in a video created by the whistleblower that has been uploaded to DailyMotion.

Author: HIPAA Journal

Share This Post On