The federal Department of Health and Human Services has opened an inquiry into a Google project, Nightingale, which involves the company tapping the medical data of millions of Americans.
CNN’s Ahiza Garcia reported the news, first broken by The WSJ:
A federal inquiry has been opened into Google’s efforts to collect health data on millions of Americans through its “Project Nightingale” program.
The Department of Health and Human Services’ Office for Civil Rights opened the inquiry on Tuesday, The Wall Street Journal reported.
The office “will seek to learn more information about this mass collection of individuals’ medical records to ensure that [the Health Insurance Portability and Accountability Act of 1996 or HIPAA] protections were fully implemented,” office director Roger Severino said in a statement to the publication.
The Department of Health and Human Services did not respond to CNN Business’ request for comment.
The data collection is being done through a new partnership between Google (GOOG) and Ascension, one of the country’s largest nonprofit and Catholic health systems. The two companies confirmed they were working together to analyze patient data and give health care providers new insights and suggestions for patient care. The Wall Street Journal was the first to report on the project on Monday.
Christina Farr and Jennifer Elias reported for CNBC:
According to six people familiar with the scope of the agreement and an internal Ascension email seen by CNBC, the two companies signed an industry-standard agreement that allows the hospital to share protected health information with Google as long as this information is used only for treating patients. These people asked for anonymity because they were not authorized to discuss the deal with the media. The email also notes that the deal was part of a larger agreement between the companies that included Ascension’s use of Google’s G Suite set of productivity tools, which competes with Microsoft Office 365.
At the same time, one person familiar said some Ascension employees were concerned that some tools that Google is using to import and export data were not compliant with HIPAA privacy standards and that concerned employees did not receive satisfactory answers from Google on this front. Google did not comment on these particular complaints. But it said that it has a wide variety of Google Cloud products that enable compliance with HIPAA — the set of rules that govern how health information is transferred and shared — including some of the products mentioned by the concerned employees.
The flap comes as Google makes aggressive strides into the $3.5 trillion health sector, recently agreeing to acquire fitness tracker company Fitbit and announcing a deal with Mayo Clinic. The medical industry is notoriously sensitive when it comes to privacy and security, and Google faces an uphill battle to prove that it can be trusted when it makes the bulk of its money through advertising, which relies on extensive use of customer data.
Jon Brodkin quoted a Google statement for Ars Technica:
“To be clear: under this arrangement, Ascension’s data cannot be used for any other purpose than for providing these services we’re offering under the agreement, and patient data cannot and will not be combined with any Google consumer data,” Google said in a blog post. That would mean Google won’t use the medical data to target advertisements at users of Google services.
Google also said that its work with Ascension “adheres to industry-wide regulations (including HIPAA) regarding patient data, and come[s] with strict guidance on data privacy, security, and usage.”
“We have a Business Associate Agreement (BAA) with Ascension, which governs access to Protected Health Information (PHI) for the purpose of helping providers support patient care,” Google said. “This is standard practice in health care, as patient data is frequently managed in electronic systems that nurses and doctors widely use to deliver patient care.”
Patient data shared with Google includes names, birth dates, addresses, family members, allergies, immunizations, radiology scans, hospitalization records, lab tests, medications, medical conditions, “and some billing claims and other clinical records,” according to a followup article in the Journal. The partnership “covers the personal health records of around 50 million patients of Ascension,” the Journal wrote.
The Journal said that “Neither doctors nor patients have been formally notified of the arrangement” and that Google and Ascension began the project “in secret last year.”
Google seems to be correct that the partnership doesn’t violate HIPAA (the Health Insurance Portability and Accountability Act). As the Journal noted, that law “generally allows hospitals to share data with business partners without telling patients, as long as the information is used ‘only to help the covered entity carry out its health care functions.’” An expert quoted by the Journal noted that Google would be at risk of violating the law “if it uses the health data to perform independent research outside the direct scope of patient care.”