UPDATE: Nov. 13, 2019: HHS' Office of Civil Rights is opening an investigation into "Project Nightingale," a spokesperson confirmed to Healthcare Dive. The agency "would like to learn more information about this mass collection of individuals' medical records with respect to the implications for patient privacy under HIPAA," OCR Director Roger Severino said in an emailed statement.
Dive Brief:
- Google has been using the personal health information of millions of Americans provided by Ascension, the second largest health system in the country, to develop new healthcare product lines without patient consent. Though the practice is legal under HIPAA, the news, first reported by the Wall Street Journal and confirmed to Healthcare Dive by both companies, sparked outrage over privacy concerns.
- A spate of tech companies have been elbowing into the $3.5 trillion healthcare industry, but Google's under-the-radar data sharing program, called "Project Nightingale," is particularly extensive: It spans patients across 21 states and has been going on since early last year, according to media reports.
- Google's been analyzing myriad forms of patient data, including lab results, diagnoses, hospital records, patient names and dates of birth among other categories, according to internal documents, without notifying the tens of millions of patients or their physicians.
Dive Insight:
The move is reminiscent of a Facebook effort in April of last year with several large U.S. hospitals that the social media giant aborted amid public backlash from the Cambridge Analytica data leak scandal.
Though the Facebook program never passed the planning stage, Google's had access to patient personal health information at Ascension's 2,600 hospitals, doctor's offices and other care sites for more than a year, and the Mountain View, California-based tech giant isn't under a spotlight for spreading misinformation since the 2016 presidential election as Facebook is.
Patient advocates and privacy groups did not take kindly to the news, which prompted an OCR investigation and drew a wave of backlash from high-profile politicians. Sens. Mark Warner, D-Va., Bill Cassidy, R-La., and Richard Blumenthal, D-Conn., along with Democratic presidential candidate Amy Klobuchar, all issued separate statements expressing their concern about the partnership.
Worries around third party use of personal data are a perennial concern in the industry, especially as HHS prepares to publish its final regulations meant to stimulate unfettered data sharing and access to health information among companies and patients alike.
Ascension, a Catholic not-for-profit health system, said in a press release all of Google's work with its data is "underpinned by a robust data security and protection effort" and compliant with its "strict requirements for data handling."
The 1996 HIPAA law allows such data collection without direct patient consent as long as it is being used to help the secondary company "carry out its health care functions." In this case, the function is to design new software leveraging its hefty artificial intelligence and machine learning capabilities for care management and personalized health recommendations, with the end goal of creating a search tool aggregating patient data in one place, the documents reportedly say.
In a blog post published late Monday, Google Cloud President Tariq Shaukat defended the program, calling it "similar to the work we do with dozens of other healthcare providers." Shaukat said, under the terms of the agreement with Ascension, patient data can't and won't be combined with Google consumer data and is only being used to develop software and artificial intelligence programs for providers.
Hospital administration is notoriously clunky — by some metrics, doctors interact more with their software systems than their patients. Google is looking to streamline some of this functionality with "Project Nightingale," a code name used because the company's solutions are still in early testing and not yet in active clinical deployment, according to Google's blog post.
David Feinberg, the head of Google's healthcare division, said late last month the division was working on integrating such a search tool directly into provider EHRs, which would give doctors a one-stop shop to view patient history, test results and medications, along with information on medical conditions and potential treatments.
It appears he was referring to this new offering: the search service has rolled out in at least one Ascension facility in both Florida and Texas, with a planned expansion to additional states and facilities by 2020, according to documents reviewed by Forbes.
Ascension plans to transfer its infrastructure to Google Cloud as part of the collaboration.
Silicon Valley giants eyeing the healthcare industry have been dipping their toes in the water for a while now. Google in September announced a decade-long partnership with Mayo Clinic, storing the academic medical center's records in return for research and product creation. However, Mayo Clinic retained control over how its patients' data is accessed and used, and the data was de-identified prior to sharing with Google.
Google's faced its own data privacy scandals in recent years. In 2016, Google's AI unit, DeepMind, was accused of improperly accessing patient data from the U.K.'s National Health System, causing the business to lose its NHS contracts; and the company shelled out $170 million in fines in September over allegations its video site YouTube was illegally collecting information to target ads.
It is also currently under investigation by federal and state antitrust regulators over a potential data monopoly stemming from its search engine.
Those concerns were renewed early this month with the announcement of Google's planned $2.1 billion acquisition of wearables giant Fitbit, a move that prompted Sen. Mark Warner, D-Virginia, to call for mandatory disclosures from tech companies on how they use consumer data in health products.