One of the largest nonprofit health systems in the U.S. created headlines when it was revealed that it was sharing patient data with Google -- under codename Project Nightingale.
Ascension, a Catholic health system based in St. Louis, partnered with Google to transition the health system's infrastructure to the Google Cloud Platform, to use the Google G Suite productivity and collaboration tools, and to explore the tech giant's artificial intelligence and machine learning applications. By doing so, it is giving Google access to patient data, which the search giant can use to inform its own products.
The partnership appears to be technically and legally sound, according to experts. After news broke, Ascension released a statement saying the partnership is HIPAA-compliant and a business associate agreement, a contract required by the federal government that spells out each party's responsibility for protected health information, is in place. Yet reports from The Wall Street Journal and The Guardian about the possible improper transfer of 50 million patients' data has resulted in an Office for Civil Rights inquiry into the Google-Ascension partnership.
Legality aside, the resounding reaction to the partnership speaks to a lack of transparency in healthcare. Organizations should see the response as both an example of what not to do, as well as a call to make patients more aware of how they're using health data, especially as consumer companies known for collecting and using data for profit become their partners.
Partnership breeds legal, ethical concerns
Forrester Research senior analyst Jeff Becker said Google entered into a similar strategic partnership with Mayo Clinic in September, and the coverage was largely positive.
Jeff Becker
According to a Mayo Clinic news release, the nonprofit academic medical center based in Rochester, Minn., selected Google Cloud to be "the cornerstone of its digital transformation," and the clinic would use "advanced cloud computing, data analytics, machine learning and artificial intelligence" to improve healthcare delivery.
But Ascension wasn't as forthcoming with its Google partnership. It was Google that announced its work with Ascension during a quarterly earnings call in July, and Ascension didn't issue a news release about the partnership until after the news broke.
"There should have been a public-facing announcement of the partnership," Becker said. "This was a PR failure. Secrecy creates distrust."
Matthew Fisher
Matthew Fisher, partner at Mirick O'Connell Attorneys at Law and chairman of its health law group, said the outcry over the Google-Ascension partnership was surprising. For years, tech companies have been trying to get access to patient data to help healthcare organizations and, at the same time, develop or refine their existing products, he said.
"I get the sense that just because it was Google that was announced to have been a partner, that's what drove a lot of the attention," he said. "Everyone knows Google mostly for purposes outside of healthcare, which leads to the concern of does Google understand the regulatory obligations and restrictions that come to bear by entering the healthcare space?"
Ascension's statement in response to the situation said the partnership with Google is covered by a business associate agreement -- a distinction Fisher said is "absolutely required" before any protected health information can be shared with Google. Parties in a business associate agreement are obligated by federal regulation to comply with the applicable portions of HIPAA, such as its security and privacy rules.
Kate Borten
A business associate relationship allows identifiable patient information to be shared and used by Google only under specified circumstances. It is the legal basis for keeping patient data segregated and restricting Google from freely using that data. According to Ascension, the health system's clinical data is housed within an Ascension-owned virtual private space in Google Cloud, and Google isn't allowed to use the data for marketing or research.
"Our data will always be separate from Google's consumer data, and it will never be used by Google for purposes such as targeting consumers for advertising," the statement said.
But health IT and information security expert Kate Borten believes business associate agreements and the HIPAA privacy rule they adhere to don't go far enough to ensure patient privacy rights, especially when companies like Google get involved. The HIPAA privacy rule doesn't require healthcare organizations to disclose to patients who they're sharing patient data with.
"The privacy rule says as long as you have this business associate contract -- and business associates are defined by HIPAA very broadly -- then the healthcare provider organization or insurer doesn't have to tell the plan members or the patients about all these business associates who now have access to your data," she said.
Jody Ranck
Chilmark Research senior analyst Jody Ranck said much of the alarm over the Google-Ascension partnership may be misplaced, but it speaks to a growing concern about companies like Google entering healthcare.
Since the Office for Civil Rights is looking into the partnership, Ranck said there is still a question of whether the partnership fully complies with the law. But the bigger question has to do with privacy and security concerns around collecting and using patient data, as well as companies like Google using patient data to train AI algorithms and the potential biases it could create.
All of this starts to feel like a bit of an algorithmic iron cage.
Jody RanckSenior analyst, Chilmark Research
Ranck believes consumer trust in tech companies is declining, especially as data privacy concerns get more play.
"Now that they know everything you purchase and they can listen in to that Alexa sitting beside your bed at night, and now they're going to get access to health data ... what's a consumer to do? Where's their power to control their destiny when algorithms are being used to assign you as a high-, medium-, or low-risk individual, as creditworthy?" Ranck said. "All of this starts to feel like a bit of an algorithmic iron cage."
A call for more transparency
Healthcare organizations and big tech partnerships with the likes of Google, Amazon, Apple and Microsoft are growing. Like other industries, healthcare organizations are looking to modernize their infrastructure and take advantage of state of the art storage, security, data analytics tools and emerging tech like artificial intelligence.
But for healthcare organizations, partnerships like these have an added complexity -- truly sensitive data. Forrester's Becker said the mistake in the Google-Ascension partnership was the lack of transparency. There was no press release early on announcing the partnership, laying out what information is being shared, how the information will be used, and what outcome improvements the healthcare organization hopes to achieve.
"There should also be assurance that the partnership falls within HIPAA and that data will not be used for advertising or other commercial activities unrelated to the healthcare ambitions stated," he said.
Fisher believes the Google-Ascension partnership raises questions about what the legal, moral and ethical aspects of these relationships are. While Ascension and Google may have been legally in the right, Fisher believes it's important to recognize that privacy expectations are shifting, which calls for better consumer education, as well as more transparency around where and how data is being used.
Although he believes it would be "unduly burdensome" to require a healthcare organization to name every organization it shares data with, Fisher said better education on how HIPAA operates and what it allows when it comes to data sharing, as well as explaining how patient data will be protected when shared with a company like Google, could go a long way in helping patients understand what's happening with their data.
"If you're going to be contracting with one of these big-name companies that everyone has generalized concerns about with how they utilize data, you need to be ahead of the game," Fisher said. "Even if you're doing everything right from a legal standpoint, there's still going to be a PR side to it. That's really the practical reality of doing business. You want to be taking as many measures as you can to avoid the public backlash and having to be on the defensive by having the relationship found out and reported upon or discussed without trying to drive that discussion."