Senators Demand Answers from Ascension About Project Nightingale as Google’s Response was Deemed Incomplete

Following the revelation that a considerable volume of patient data had been shared with Google by the Catholic health system Ascension, the second largest health system in the United States, a bipartisan group of Senators – Sen. Bill Cassidy, M.D., (R-LA), Elizabeth Warren (D-MA), and Richard Blumenthal (D-CT) – wrote to Google demanding answers about the nature of the agreements and the information the company received.

Ascension operates 150 hospitals and more than 2,600 care facilities in 20 states and the District of Columbia and has more than 10 million patients. In November 2019, a whistleblower at Google passed information to the Wall Street Journal on the nature of the collaboration and claimed that patient data, including patient names, dates of birth, lab test results, diagnoses, health histories and other protected health information, had been shared with Google and was accessible by more than 150 Google employees.

In response to the story, Google announced that the partnership, named Project Nightingale, was a cloud migration and data sharing initiative. Ascension is migrating its data warehouse and analytics infrastructure to the Google Cloud and will be using Google’s G Suite productivity suite. Patient data was being used by Google’s AI and machine learning technologies with the purpose of improving clinical quality and patient safety.

Google and Ascension both issued statements confirming that there was a business associate agreement (BAA) in place, that data was being shared in a manner compliant with Health Insurance Portability and Accountability Act (HIPAA) Rules, and that health data was not being used for purposes other than those stated in the BAA. Several investigations were launched to determine the nature of the agreement between the two companies, with the HHS’ Office for Civil Rights opening an investigation into both companies to determine whether HIPAA Rules were being adhered to.

Google responded to the letter and provided the Senators with some answers. Google explained that data was shared in accordance with HIPAA Rules, that only a limited number of employees have access to that data, that access controls are in place to prevent unauthorized access, and that any individual required to access health data is assigned permissions based on their role and job function.

Google also explained that Ascension’s data is logically isolated from other customers and confirmed that the data was only being used for an EHR search pilot program that would provide physicians and nurses with a unified view of patient data from multiple EHR systems. The EHR search tool will allow medical staff to search data in EHRs faster and to query medical records effectively using words and abbreviations commonly used in healthcare. Google confirmed that medical records were not being used for secondary purposes, such as identifying services for specific individuals or sending them targeted advertisements.

The senators believe the answers provided by Google are incomplete. On Monday, they wrote to Ascension demanding answers about Project Nightingale and the patient data shared with Google. “Google’s response did not answer a number of our questions pertaining to Ascension’s involvement, we are requesting additional details from Ascension to help us better understand how Project Nightingale protects the sensitive health information of American patients,” explained the senators.

The senators want to know how many records have been shared with Google, the exact nature of the information that was shared, if there have been any breaches of the shared data, and whether patients were notified that their PHI would be shared with Google and if they were given the opportunity to opt out.

“It’s critical lawmakers receive comprehensive information about Project Nightingale, which serves as a case study of Google’s more extensive foray into electronic health records,” explained the senators in the letter. “While improving the sharing, accessibility, and searchability of health data for providers could almost certainly lead to improvements in care, the role of Google in developing such a tool warrants scrutiny.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.