Google Search

Yes, Google’s Using Your Healthcare Data – And It’s Not Alone

Google is working with one of the largest healthcare systems in the U.S. to collect patient data on millions of Americans in 21 states and across 2,600 hospitals or clinics in order to analyze it and come up with advice for better patient care and cost cutting measures.

The project was reportedly revealed by a whistleblower who said the program, dubbed “Project Nightingale,” involved Ascension – the largest Catholic health system in the world – and up to 50 million private medical records from healthcare providers.

In response to reports about the effort, Google said it had revealed plans to use its cloud data analytics to cull information from Ascension’s patient data during a Q2 earnings call in July, though “Project Nightingale” was never mentioned during that call. “We announced ‘Google Cloud’s AI and ML solutions are helping healthcare organizations like Ascension improve the healthcare experience and outcomes,'” Google Cloud President Tariq Shaukat said in a blog post.

IDC reports that it’s time for hybrid cloud initiatives to focus on IT goals, in addition to business objectives.

“Our work with Ascension is exactly that – a business arrangement to help a provider with the latest technology, similar to the work we do with dozens of other healthcare providers, Shaukat wrote. The list of care providers and healthcare records tech  companies includes the Cleveland Clinic, the American Cancer Society, McKesson and Athena.

Shaukat said Google has a Business Associate Agreement (BAA) with Ascension, which governs access to Protected Health Information (PHI) for the purpose of helping providers support patient care.

“This is standard practice in healthcare, as patient data is frequently managed in electronic systems that nurses and doctors widely use to deliver patient care,” Shaukat said.

No matter how well intentioned the project’s overseers say it is, the collection of private medical data has raised the ire of patients and lawmakers who have called for a federal inquiry into the practice.

The Office for Civil Rights in the Department of Health and Human Services “will seek to learn more information about this mass collection of individuals’ medical records to ensure that HIPAA protections were fully implemented,” the office’s director, Roger Severino, said in a statement.

Third parties compiling patient data is not only common among healthcare providers and third-party analytics firms, it’s perfectly legal – as long as patients have given consent by signing a common HIPAA form. And, wittingly or not, most have done so, according to Cynthia Burghard, a research director at IDC.

“Databases of this size are not uncommon,” Burghard said. “On face value, I don’t see an issue. They [Google] signed the HIPAA compliant document for business associate arrangements. So, they complied with the law there. When you go to a healthcare provider’s office as a patient, you sign a HIPAA release form, which allows the institutions to use your data for medical research or improved care management; so there is patient consent there.

Many healthcare providers are storing patient data for analytics purposes in a cloud somewhere, whether it’s Amazon Web Services, Microsoft’s Azure or Google Cloud.

In September, controversy around patient privacy erupted when Google acquired the health division of London-based AI firm DeepMind, which built a healthcare app used to give clinicians at National Health Service [NHS] hospitals easy access to medical records. DeepMind’s Streams app was already controversial after a UK privacy watchdog found the NHS had illegally handed 1.6 million patient records to DeepMind as part of a trial.

Last year, Amazon, JPMorgan and Berkshire formed a partnership to create a private healthcare company aimed at lowering the cost of care.

According to Adam Tanner, author of the book “Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records,” businesses that have nothing to do with medical treatment are allowed to buy and sell healthcare data, provided they remove certain fields of information, including birth date, name and Social Security number.

 

Read more…