It could be time for stricter personal health information protection laws in light of Google collecting the data of more than 50 million Americans from provider giant Ascension, health IT experts say.
The partnership, called Project Nightingale, came to light last week and involves the nation's second-largest health system sharing data from patients in 21 states with the Mountain View, California-based tech giant — without patient consent or knowledge. In return, Ascension gets access to any software or services Google develops, such as an omnibus search tool integrated into the EHR that aggregates all PHI in one location.
"HIPAA was crafted many decades ago now and it's probably time for it to be updated for the current world," Dan Nigrin, SVP and CIO at Boston Children's Hospital, said Monday at U.S. News & World Report's Healthcare of Tomorrow conference. "The safeguards provided for in HIPAA probably lack specific granularity and detail for the instances like the one we just saw unfold before us."
There's no dispute both actors are compliant with the 1996 patient protection and privacy law.
But the emergence of details on Project Nightingale last week sparked renewed conversation about data sharing, especially with tech behemoths that come with a checkered past with consumer trust and data use.
HHS' Office for Civil Rights opened an investigation into the partnership, and multiple legislators, including Sens. Mark Warner, D-Va., Bill Cassidy, R-La., and Richard Blumenthal, D-Conn., along with Democratic presidential candidate Amy Klobuchar, issued statements decrying the actions of both companies.
HIPAA allows healthcare companies to share patient data with third parties under business associate agreements, as long as the data is being used to help that third party "carry out its health care functions." That definition does constrain Google from using the data for any marketing or non-R&D-related purposes, but privacy experts still say it may be overly vague for today's data-rich and regulation-light technology landscape.
"Right now we don't have very good national standards, or even international standards, around data sharing and privacy," Maia Hightower, chief medical information officer at University of Utah Health, said, noting the University of Utah is currently retooling its ethics guidelines and processes, though adding "there's no Big Bang solution."
Currently, in 49 of the 50 U.S. states, health data is legally owned by the actor that collects it: usually the payer or provider.
California passed its Consumer Privacy Act last year. The law, set to take effect Jan. 1, requires businesses to inform consumers of their intent to collect their information and how (and with whom) it will be shared, though not-for-profit healthcare companies are exempt. Consumers reserve the right to prevent businesses from selling or sharing their data, adding another layer of compliance to HIPAA.
But the left-leaning state is the only one in the country with such a comprehensive privacy law.
"Data ownership in the future needs to be thought of a little more differently," David Vawdrey, chief informatics data officer at 13-hospital integrated health system Geisinger, said. "People aren't doing anything against the law but we're starting to think differently. There's the legal court and then the court of public opinion, and that's starting to shift a little bit."
Europe's data protection framework, the General Data Protection Regulation, requires similar patient consent for processing and use of their health information, and in the U.K., the National Health Service's code of conduct puts protocols around the use of patient data, including mandating de-identification, Nina Janda, CEO of Global Health Data @ Work, said.
"There are easy wins like that you could probably implement into HIPAA," Janda said.
It's unlikely the U.S. will see any sweeping changes to HIPAA or any additional privacy legislation in the next few years, given the current political environment and provider antagonism to additional administrative burden, experts say.
CMS late last year requested feedback on potential changes to HIPAA, including amendments to promote sharing PHI to bolster care coordination. Provider groups were clear in their responses: they did not think they should be required to disclose that information to other covered entities.
HHS is in the process of finalizing two rules meant to promote data sharing that stakeholders worry could actually increase the dissemination of PHI, potentially to third-party companies not constrained by a business associate agreement under HIPAA.
The rules are expected close to the end of this year. Office of the National Coordinator for Health IT head Don Rucker hopes they spur a new app economy in healthcare that could bring even more tech players into the traditionally siloed market.
"We're now entering a time where it's not just the Cerner and the Epics of the world, and payment processors, who want access to medical data. It's these big companies who bring incredible resources to the table," Nigrin, who is also an assistant professor of pediatrics at Harvard Medical School, said. "So we've got to find a way to engage these companies in a way that moves health forward and uses patient data in a responsible way."