A business partnership between Google and Ascension, a major hospital chain and health insurer, includes the transfer of 50 million patient medical records without the patients' knowledge or consent. Within 48 hours, federal regulators announced an investigation into the partnership. Google and Ascension both claim that they are fully compliant with the Health Insurance Portability and Accountability Act (HIPAA), but questions remain.
- Despite the legality of sharing patient health records, do Google and Ascension have an ethical obligation to ask for consent or notify patients that their data is being shared?
- Last year, Google didn’t disclose to users a flaw exposing personal data of hundreds of thousands of subscribers to its now-defunct social networking website Google Plus. What steps can be taken to ensure medical record privacy for 50 million patients?
- Will Google run into legal problems if they use the health data for independent research outside the direct scope of patient care? Is this a sound ethical strategy for a company already under a consent-decree agreement for serious privacy and security violations?
- Bonus question: What specific ethical guidelines and governance should Google and other companies implement to ensure data privacy and reporting?
- Privacy experts say this data sharing appears to be permissible under the Health Insurance Portability and Accountability Act of 1996. The law generally allows hospitals to share data with business partners without telling patients, as long as the information is used “only to help the covered entity carry out its health care functions.”
- The 50 million patient records were not de-identified, and a whistleblower disclosed to the Guardian serious concerns about the program, including the downloading of patient records by individual staffers.
- The leader of a private Facebook group for women with the BRCA gene became alarmed after discovering a Chrome plug-in for marketers that let them discover group members’ names and other info. The group notified Facebook of this privacy flaw in May 2018 and later reported it to the FTC, after months of inaction.
According to the Wall Street Journal, “Google began Project Nightingale in secret last year with St. Louis-based Ascension, a Catholic chain of 2,600 hospitals, doctors’ offices and other facilities, with the data sharing accelerating since summer, according to internal documents.”
The data involved in the initiative is extensive and includes lab results, doctor diagnoses, and hospitalization records, among other categories, and amounts to a complete health history, including patient names and dates of birth.
Project Nightingale will use artificial intelligence and machine learning to crunch patient data for treatment and administrative purposes. Patient data is fed into the Project Nightingale system, which may suggest a variety of outcomes, including treatment plans and tests, personnel assignments, enforcement of narcotics policies, and billing procedures, among others.
In a news release issued after The Wall Street Journal first reported on Project Nightingale, the companies said the initiative is compliant with federal health law and includes robust protections for patient data.
Beyond that, Ascension had no further comments on this project’s potential patient privacy implications – except to say that one of its chief goals is a modernization of Ascension’s infrastructure with help from Google Cloud, and that “key elements” of the work are focused around “data integration, privacy and security and compliance.”
Tech giants, including Microsoft, Amazon, Google, and Salesforce, have been trying to carve out a slice of the trillion-dollar healthcare space. Improving the way caregivers use electronic health records has been a priority, as studies have shown that doctors spend more time on documentation than interacting with patients.