The Wall Street Journal has broken an important story on Google’s foray into the medical arena. Without notifying patients or doctors, much less obtaining their consent, the search giant has obtained the medical records of “tens of millions of people” in 21 states, all patients of Ascension, a St. Louis-based chain of 2600 hospitals.
Moreover, you can see that the effort is aggressive, with the aim of generating patient medical histories, linking individuals to family members, and making staffing and treatment suggestions, as well as identifying opportunities for upcoding and other ways to milk patients.
Google began Project Nightingale in secret last year with St. Louis-based Ascension, a Catholic chain of 2,600 hospitals, doctors’ offices and other facilities, with the data sharing accelerating since summer, according to internal documents.
The data involved in the initiative encompasses lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, including patient names and dates of birth.
Neither patients nor doctors have been notified. At least 150 Google employees already have access to much of the data on tens of millions of patients, according to a person familiar with the matter and the documents.
And I wasn’t kidding about Ascension wanting to wring more out of patients:
Ascension, the second-largest health system in the U.S., aims in part to improve patient care. It also hopes to mine data to identify additional tests that could be necessary or other ways in which the system could generate more revenue from patients, documents show.
Yours truly regularly nixes doctor-suggested tests. It’s a no-brainer that it will become harder to just say no if you are in an HMO or PPO and Dr. Google disagrees with you.
Note that the project was secret until the Journal started digging. Ascension put out a joint press release with Google on Monday, which may have forced the Journal to publish the story before it had nailed down some final loose ends.
Specifically, the Journal repeats the claim from the joint press release that this data harvesting is permitted under HIPAA. The story does not offer any independent views, as in the expected expert quotes, only a bland, unsourced “privacy experts seem to think this is OK”. Huh?
Google and Ascension are relying on the notion that Ascension can share data with a “business associate” under HIPAA, the misleadingly named Health Insurance Portability and Accountability Act, which is more a data sharing law than a privacy law. But notice the caveats on the HHS website:
The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.
The Wall Street Journal article is explicit that Google is not doing this major project for Ascension for free out of the goodness of its heart, but to develop a marketable product:
Google has assigned dozens of engineers to Project Nightingale so far without charging for the work because it hopes to use the framework to sell similar products to other health systems. Its end goal is to create an omnibus search tool to aggregate disparate patient data and host it all in one place, documents show.
That runs afoul of the HIPAA requirements. The fact that Google is not getting paid does not give it the right to use its work for Ascension for any purpose other than to help Ascension.
Even though HIPAA does not conceptualize the relationship quite this way, it seems analogous to “work for hire” under intellectual property laws. If you are engaged by someone to produce a particular product, say an article, some code, a musical score, under a “work for hire” agreement, the company or person who engaged you owns the work product, except to the degree that you carved out specific rights (such as a right to reproduce for personal promotion).
It also appears that Google is sharing patient data more broadly within Google than is kosher under HIPAA. Again from the Journal:
Google in this case is using the data in part to design new software, underpinned by advanced artificial intelligence and machine learning, that zeroes in on individual patients to suggest changes to their care. Staffers across Alphabet Inc., Google’s parent, have access to the patient information, internal documents show, including some employees of Google Brain, a research science division credited with some of the company’s biggest breakthroughs.
The Journal points out that other health organizations that have been giving data for Google to chew on have, unlike Ascension, protected patient privacy:
Google appears to be sharing information within Project Nightingale more broadly than in its other forays into health-care data. In September, Google announced a 10-year deal with the Mayo Clinic to store the hospital system’s genetic, medical and financial records. Mayo officials said at the time that any data used to develop new software would be stripped of any information that could identify individual patients before it is shared with the tech giant.
One Wall Street Journal reader asserted that Google and Ascension are violating HIPAA:
This is a direct violation of HIPAA laws. Google has no legal right to obtain personal health information.
The Federal government requires Business Associates Agreements for information sharing of personal health information and data between a vendor and covered entity to occur. GOOGLE QUALIFIES FOR NEITHER AND SHOULD BE REPORTED TO FEDERAL AUTHORITIES AT U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES. PERIOD.
The wee problem is that even if Mr. Travelstead is correct, HIPAA enforcement appears to be non-existent. The Wall Street Journal reported in 2007 that in a bit over three years, the Department of Health and Human Services Office for Civil Rights had received over 23,000 complaints of privacy abuses, yet had taken no action. The only enforcement example listed in Wikipedia is an $885,000 settlement by UCLA over investigation findings that unauthorized employees repeatedly read protected electronic patient health care records.
However, Journal readers (at least as far as I read, and I got pretty far into the hundreds of comments) were without exception very upset about the prospect of Google having access to their medical data. Given that Big Tech is in the crosshairs of more than a few Congresscritters, one can hope that Google and Ascension officials will soon have to ‘splain themselves.
A few examples:
NO. I use Google AdWords…They provide the data that they need in order to sell us….
No, I don’t trust Google with my information. They will set their systems to disadvantage patients, they will jerk partners around and they will take away info people rely on in order to raise their prices — examples galore.
Who will Google sell this information to? If they can’t sell it in some form they wouldn’t bother with it. Google at its core has no ethics beyond how to get money – to heck with who gets hurt.
This is not comforting. Rest assured this most personal information will be accessed by people you do not want anywhere near your personal information at some time. What would it take for Google or any other company or government employee to allow unauthorized people to your information? Probably not very much. And even a subpoena, how tough is that to obtain with the flimsiest of pretexts, especially with government employees not accountable for perjury, even to a FISA court? I would not give my doctor any information if it goes into a computer; I would rather pay cash and have no records other than the ones I would keep on flash drive.
It’s not hard to understand some of the motives for an initiative like this. As we’ve repeatedly posted, relying on the considerable work of the Health Care Renewal blog, electronic health records are a train wreck. They are designed around billing, not around doctor needs. Health Care Renewal has stressed that, if anything, they have made matters worse for doctors by diverting attention from patients and making it harder to find relevant information, to the degree that they undermine care. They have been cited as a contributor to doctor burnout and even the reason some doctors stop practicing. An authoritative body, the ECRI Institute, even listed health care information technology as its number one patient risk in large health care organizations.
They are also often designed by relatively small players, so not only are they kludgy, but they are seldom compatible across health care organizations.
So you can see why there would be demand for a health care information system that is actually about health care. But given that Ascension has explicit upcoding and upselling motives, will that really result, or will this just be a less terrible, more portable version of the current EHRs?
Oh, and if you believe Google, this won’t just be about EHRs and helping organizations like Ascension pull in more revenues (which translates into making health care an even bigger percentage of GDP), but bring techno hocus pocus to medicine. We quoted this section earlier:
Google in this case is using the data in part to design new software, underpinned by advanced artificial intelligence and machine learning, that zeroes in on individual patients to suggest changes to their care.
Notice that this is vaporware: Google hopes to do all of this, but it remains to be seen what it can do. And it’s not clear that even with data on so many patients it could develop decent AI for medical purposes. Bias in studies is already a big problem with medical research. One problem is that some populations are very much under-represented. Women are under-treated for heart disease in part because doctors see men as being at more risk, which is reinforced by studies being done mainly on men. Similarly, women have more trouble with hip replacements than men do because the studies were done on men…but women are not small men. They load their hips differently.
In other words, training set bias is a huge issue with AI, so even if Google has enough data to have a go at some conditions, there are still big risks with generalizing from the sample. And pray tell, who is liable when Dr. Google gets it wrong?
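To make the training-set bias point concrete, here is an added illustration (not code from the post, from Google, or from Ascension) using entirely constructed data: two synthetic populations whose risk-score-to-outcome relationship differs, a training sample dominated by one of them, and a simple threshold classifier fitted by maximising training accuracy. The group names, score ranges and onset values are all assumptions made for the example; the point it shows is that the pooled model lands on the majority group’s cut-off and silently misses a third of the minority group’s events, while modelling the groups separately recovers the right cut-off even from the same sparse minority data.

```python
"""Constructed illustration of training-set bias.

A threshold classifier learned on a sample dominated by population A is
applied to population B, whose feature/outcome relationship differs. All data
here is synthetic and chosen for the example; nothing is drawn from real
patients or from the project discussed in the article.
"""


def make_population(group, n=100, onset=60):
    # Constructed synthetic data: integer risk scores 0..n-1. The true outcome
    # (1 = event) begins at `onset`, and the onset differs between groups.
    return [(group, score, 1 if score >= onset else 0) for score in range(n)]


GROUP_A = make_population("A", onset=60)  # assumed well-studied group
GROUP_B = make_population("B", onset=40)  # assumed under-studied group


def skewed_training_set():
    # 100 samples from A but only 10 from B (every tenth score), mimicking a
    # study population in which one group is badly under-represented.
    return GROUP_A + [s for s in GROUP_B if s[1] % 10 == 0]


def accuracy(samples, threshold):
    # Fraction of samples where "score >= threshold" matches the true outcome.
    correct = sum(1 for _, score, y in samples if (score >= threshold) == bool(y))
    return correct / len(samples)


def false_negative_rate(samples, threshold):
    # Among true events, the fraction the classifier would miss.
    events = [score for _, score, y in samples if y == 1]
    missed = sum(1 for score in events if score < threshold)
    return missed / len(events)


def learn_threshold(samples):
    # Pick the cut-off (0..100) that maximises training accuracy; on ties keep
    # the highest cut-off so the learned value is deterministic.
    return max(range(0, 101), key=lambda t: (accuracy(samples, t), t))


def learn_per_group(samples):
    # Same learner, but fitted separately per group so the majority group
    # cannot swamp the minority group's signal.
    groups = sorted({g for g, _, _ in samples})
    return {g: learn_threshold([s for s in samples if s[0] == g]) for g in groups}


if __name__ == "__main__":
    train = skewed_training_set()
    pooled = learn_threshold(train)
    print("pooled threshold:", pooled)  # majority group's onset, 60
    for name, pop in (("A", GROUP_A), ("B", GROUP_B)):
        print(name, "accuracy", accuracy(pop, pooled),
              "missed events", false_negative_rate(pop, pooled))
    print("per-group thresholds:", learn_per_group(train))
```

Running the script shows the pooled model scoring 100% on group A and only 80% on group B, with one in three of group B’s true events missed; the per-group fit recovers an onset of 40 for B from the same ten samples. The failure is not a shortage of data in absolute terms (110 samples is plenty for a one-parameter model) but the mismatch between the sample and the population the model is later applied to, which is the risk the paragraph above describes.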
I happen to have the luxury of not being exposed to this sort of data sharing by virtue of not being in an HMO or PPO and always paying for my medical services (particularly tests!) and then submitting for reimbursement so my insurer does not have access to test results or MD notes. Nevertheless, I’m approaching Medicare age and soon won’t be able to escape this regime unless I leave the US and/or get a lot of my care abroad.
One practical suggestion, although it will be of use only when seeing a new doctor or joining a new health care organization: when presented with HIPAA forms, strike out the sections where you consent to sharing data with undisclosed partners and initial the strikeout. And do not ever provide your SSN on a medical intake form.
Regardless, this is a very troubling but not exactly surprising development. The fact that Google had a big security breach in 2018 involving over 50 million Google+ users will give opponents grounds for raising objections. But making a stink with your Senators and Representative is the best near-term move for keeping Google well away from your medical history.