Google and Ascension look to be in boatloads of hot water over their secret patient medical data sharing project that involves “ten of millions” of patients. A day after the Wall Street Journal published its expose, which we discussed yesterday, the normally complacent Department of Health and Human Services roused itself to open an investigation. Congresscritters are upset too.
And if it so chooses, HHS can lower the hammer on Ascension and Google. The Guardian reports that Google and Ascension signed an agreement hours after the Journal broke its story. This is prima facie evidence that every bit of patient data that Ascension handed over to Google was a flagrant violation of the privacy provisions of HIPAA. And as we’ll show further down, leaked documents show the data-sharing was well along.
Under HIPAA Ascension can share patient data with “business associates” only if
There is a contract in place
There is a HIPAA-contemplated purpose for the data provision
The agreement assures that the business associate will implement practices to assure compliance with HIPAA.
Kinda hard to do any of that with no contract.
Finally, we’ll discuss why electronic health records and the idea of applying AI to medical data has been a pipe dream for decades and that situation is not likely to change any time soon. The better remedy for patients with complex medical histories would be for them to have much stronger rights to their data, including requiring medical providers as a default to provide electronic copies of test results and changes to medication in electronic form to patients promptly after each visit.
Why HHS Can Nail Ascension and Google
What went down between Google and Ascension is more brazen than I imagined, and I have an active imagination. First a quick review and an update on the state of play, starting with the high points from yesterday’s post on Google’s blockbuster story:
The Wall Street Journal has broken an important story on Google’s foray into the medical arena. Without notifying patients or doctors, much the less obtaining their consent, the search giant has obtained the medical records of “tens of millions of people” in 21 states, all patients of Ascension, a St. Louis-based chain of 2600 hospitals.
Moreover, you can see that the effort is aggressive, with the aim of generating patient medical histories, linking individuals to family members, and making staffing and treatment suggestions….as well as identifying opportunities for upcoding and other ways to milk patients.
Google began Project Nightingale in secret last year with St. Louis-based Ascension, a Catholic chain of 2,600 hospitals, doctors’ offices and other facilities, with the data sharing accelerating since summer, according to internal documents.
The data involved in the initiative encompasses lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, including patient names and dates of birth.
Neither patients nor doctors have been notified. At least 150 Google employees already have access to much of the data on tens of millions of patients, according to a person familiar with the matter and the documents.
Ascension’s and Google’s Flagrant Regulatory Violations
Today’s “enter the HHS” development, again from the Journal:
A federal regulator has opened an inquiry into Google and Ascension’s ‘Project Nightingale’ amassing the detailed health information of millions of patients.
The Office for Civil Rights in the Department of Health and Human Services “will seek to learn more information about this mass collection of individuals’ medical records to ensure that HIPAA protections were fully implemented,” office director Roger Severino said in a statement to The Wall Street Journal…
In the past few months, tens of millions of records have been shared with Google, according to the people and documents. The rest are on their way.
The data’s new destination is Google parent Alphabet Inc.’s cloud, essentially data and software storage served and able to be accessed remotely, including by some in the search giant’s employ
A Guardian story today, which included a link to the whistleblower video that we’ve embedded below, has a critically important factoid that makes this HHS investigation a slam dunk should the agency choose to use it:
The deal between Google and Ascension to go ahead with the data transfer was formally signed on Monday, hours after the Wall Street Journal broke the story.
Huh? Substantial amounts of data have already been transferred and worse, Google employees have access to patient data. What were the supervising adults at Google and Ascension smoking? Or did they think that commemorating their understanding would require them to put things in writing that were better not admitted to? Regardless, you can’t do projects of this scale on a wink and a nod. This alone should be reason for firing everyone at Ascension in a decision-making capacity involved in this scheme. That includes their general counsel and CEO; the whistleblower video below states that the project has sponsorship at the “Director, VP, SVP, EVP and CEO levels of Ascension and Google.
Here is the HHS’s commentary (emphasis ours):
The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.
General Provision. The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.
Business Associate Contracts. A covered entity’s contract or other written arrangement with its business associate must contain the elements specified at 45 CFR 164.504(e). For example, the contract must: Describe the permitted and required uses of protected health information by the business associate; Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract. Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Please view our Sample Business Associate Contract.
So what about “contract” did Ascension and Google not understand? Or were all of those “the contract must” provisions, particularly prohibiting the use of the patient information for Google’s own use, something Google was unwilling to commit to? You can see why it was in Google’s interest to continue to play Big Data Hoover and gobble up whatever information on individuals it could get. But what sexual favors were exchanged to get Ascension execs to so flagrantly violate the law and their ethical obligations to patients and doctors?
Oh, and aside from the Journal’s own account, which Google and Ascension do not appear to have disputed, the whistleblower has created his own little video with screenshots and commentary on project documents. You can infer that the whistleblower is from Ascension. I can’t get the audio in any of my browsers, but the visuals were enough:
I urge you to watch it in its entirety but here are a few screenshots which clearly demonstrate that Google’s scheme is fundamentally at odds with even America’s not terribly robust patient privacy rules:
Let us underscore: Google monetizing patient data is an absolute no-no. The drafters of HIPAA could never have imagined the horrors that Google would love to inflict on patients, like developing profiles so they can later bombard them with ads targeted to their specific healthcare issues. But you can bet this is exactly the sort of thing they would not tolerate.
The video articulates other concerns, that naked individual patient data has never been stored on the cloud due to security risks and is already being done here, including with patient names and links to test results,1 The Guardian made clear that in Google’s other, smaller medical data projects, the medical data was encrypted, and only the health care organization possessed the keys. Even in supposedly backwards Alabama, e-mailed medical images and test data must be encrypted.
To confirm the almost certainly illegal intent:
The video later describes one Google end product that it intends to build based on Ascension data: “Google Health Search”. Again, HIPAA is clear: “business associate” use of patient data for its own fun and profit is verboten. Worse, the example from Google shows that users input patient names and first see close matches. Anyone authorized to use the system can poke around and look at data not just for the sought-after patient at issue, but clearly the close matches…which strongly suggests anyone who can use this tool can rummage around widely, if not freely, in patient data records. We saw how NSA employees spied on lovers. What is to prevent employees from making malicious personal use of access to this information?
The slideshow also shows the locations where patient data has already been tossed over to Google. Are you a victim?
This is not encouraging:
Nor is this:
Even without the benefit of the ugly details from the Guardian and the whistleblower documents, knowledgeable Wall Street Journal readers were if anything more agitated than when the story broke. And the comments with almost no exception voiced distrust and contempt of Google. For instance:
Flat out against HIPAA rules.
HIPAA provides for sharing of data that benefits the patient, not the health care provider. Obviously it would be easier to store the information on the cloud (unencrypted, so everyone could get at it) but in this case, the data sharing with a partner does not improve the lot of the patients health nor well-being.
It could of course improve the provider – but so could Google bribing them.
My wife and daughter work for a major hospital and they are told constantly how limited they are by HIPAA in what they can say to patients and family members.
This legality interpretation was made by a self interested party.
And they aren’t the only ones unhappy about Google getting its hands on patient data:
Google has secretly mined the health records of tens of millions of Americans to drive up costs to patients. Blatant disregard for privacy, public well-being, & basic norms is now core to Google’s business model. This abuse is beyond shameful. https://t.co/BO41AHyfDa
— Richard Blumenthal (@SenBlumenthal) November 12, 2019
Google & Ascension are collecting millions of patients’ private health data w/out their knowledge. They’re using this data to order more tests and send more bills. Technology should lower costs and help patients, not to find new ways to charge them more.https://t.co/EddxtoFtsi
— U.S. Senator Bill Cassidy, M.D. (@SenBillCassidy) November 12, 2019
Why Skepticism Is Well Warranted
On Twitter and in some comments, once in a while, someone says it would be really nice to have patient records all in one place and Google looks like just the kind of company to do that.
This is deeply wrongheaded thinking.
First, what about taking some personal responsibility and getting copies of your records? How hard it is to get and keep copies of test results? Admittedly, some hospitals are reported to be uncooperative, but even they knuckle under when pushed. One possible upside of this Google abuse is it could fuel a push for hospitals and other medical providers to provide records, not just on request, but as a default, in electronic form (not electronic health records, which would require specialized software to access them, but machine readable PDFs).
Second, there is no reason to think Google will be good at this task. Google is good at advertising. It would probably be good at developing algos to help medical providers upcode, as in charge even more and thus increase medical cost inflation. It would also be good at selling patient data to third parties, as well as scamming.
There is no reason to think Google will be all that good at visualization of medical data, which seems to be a capability it is hyping in its Ascension documents, or more important, that visualization will improve patient outcomes. I hope to get an expert on medical information to weigh in, but Google’s ambitions sound awfully reminiscent of the way Excel visualizations make people stupider or the way people in Corporate America have come to regard spreadsheets as being more real than the scenarios they are attempting to capture. [A cynic might conclude that some developer got their visualization library written into the project requirements. –lambert] A lot of the time it is much better to look at data as data.
Third, and the most important, electronic health records and AI have for decades never lived up to their promise, not even close. If anything, the creation of EHRs has actually led to even more inaccurate patient records.
In other words, Google is embarking on a massive garbage in, garbage out project. Even if it could overcome the ginormous hurdle of combining patient from very diverse original sources (merely correctly identifying unique patients and gathering their data is really hard; banks and retailers struggled with that for a decade and a half and they had SSNs) and getting them into one format, the underlying data is often bad and Google is in no position to clean it up.
First and foremost, the focus of this “project” is the hackneyed cybernetic miracle we’ve been promised for decades, the “Artificial Intelligence” that will “revolutionize” medicine.
I view this concept as massively over-hyped and likely fraudulent, an effort to salvage the very same promises made of the entire EMR project on which has been spent hundreds of billions of dollars (more likely beyond the trillion range by now), while waiting for Godot.
Those monies could have been better used to provide world-class healthcare for an entire population, especially considering the lack of evidence of the miracles promised.
CMS [per embedded document at the end of the post]: “We do not have any information that supports or refutes claims that a broader adoption of EHRs can save lives.”
I have already written that the entire national EMR project is a mass human-subjects experiment without informed consent that can maim or kill patients in many different ways, including clinician distraction and IT error, among others. I also note that as I’ve been involved in litigation support over the past decade, I’ve been exposed to what really happens without the filter of the press and the IT industry. (The verdict in the last case in which I testified about Bad Health IT, for example, went to the deceased plaintiff’s heirs – amounting to more than $16 million; others were in a lower but still multi-million dollar range. Yet, you likely will never read about these in the HIT literature)….
This new development would represent an invitation to massive deliberate or inadvertent abuse, and is likely a massive violation of the HIPAA Privacy Act, despite claims to the contrary.
Just hours after the secret project was revealed, the two companies announced the collaboration in a press release, in which they said the joint project would see Ascension’s data moved onto Google’s Cloud platform.
The statement said the joint project aims to “optimize the health and wellness of individuals and communities and deliver a comprehensive portfolio of digital capabilities that enhance the experienceof Ascension consumers, patients, and clinical providers across the continuum of care.”
More cybernetic miracles promised for the true believers, expressed in the typical IT-magic phraseology. Plenty of profits, too.
Eduardo Conrado, Executive Vice President of Strategy and Innovations at Ascension, said: “As the healthcare environment continues to rapidly evolve, we must transform to better meet the needs and expectations of those we serve as well as our own caregivers and healthcare providers.
The “transformations” needed are to scale back the IT and the bureaucracy that burdens good clinicians and consumes massive amounts of $, and the reduction of waste on worse-than-useless Bad Health IT (http://cci.drexel.edu/faculty/ssilverstein/cases/):
Bad Health ITis IT that is ill-suited to purpose, hard to use, unreliable, loses data or provides incorrect data, is difficult and/or prohibitively expensive to customize to the needs of different medical specialists and subspecialists, causes cognitive overload, slows rather than facilitates users, lacks appropriate alerts, creates the need for hypervigilance (i.e., towards avoiding IT-related mishaps) that increases stress, is lacking in security, compromises patient privacy, lacks evidentiary soundness or otherwise demonstrates suboptimal design and/or implementation.
More corporate mumbo-jumbo:
“Doing that will require the programmatic integrationof new care modelsdelivered through the digital platforms, applications, and services that are part of the everyday experienceof those we serve.”
The partnership will also explore artificial intelligenceand machine learningapplications to help improve clinical quality, and effectiveness, patient safetyand increase consumer and provider satisfaction, according to the statement.
The data collected by today’s EMRs is subject to inaccuracy for multiple reasons mentioned at this blog, including perverse incentives, clinician harassment and cognitive overload, time limitations, forced entry of some data to move further on in the record, and others. Further, the Bad Health IT systems used to collect and display it exposes patients to risk and injury. “AI” will not solve these “issues.”
Tariq Shaukat, President of Google Cloud, added: “Ascension is a leader at increasing patient access to care across all regions and backgrounds, particularly those in disadvantaged communities. We’re proud to partner with them on their digital transformation.
“Digital transformation” is, quite frankly, the same BS as “IT revolutionizing healthcare” that I’d heard since at least the mid-1990s …
More billions of dollars are to be transferred from patient care to the IT industry.
These $ could be far better spent, IMHO, on care delivery, including to the disadvantaged and minorities, and in rethinking the current health IT morass. …
I have passed the newly-released articles on this matter to attorneys with access to the national trial lawyers’ listservs, where the merits of “Project Nightingale” can be considered from the perspective of non-toothless patient’s rights advocates.
I believe invasive healthcare data trafficking projects like this, with potential for massive abuses, provide reasonable justification for patients to REFUSE the use of EHR’s in their care. Paper works just fine. In fact, when the IT goes down, it’s what hospitals and doctors go right back to, and the PR always claims that “patient care was not compromised.”
As Lambert summed it up:
Holy crap, Google is going to merge private medical data records with its existing data and sell ads off it.
1) Putting technical issues like merging is hard because data is bad aside….
2) Google apparently thinks its data is good enough so that they CAN or more plausibly CLAIM THEY CAN can target INDIVIDUAL searchers with INDIVIDUAL medical records. I mean, isn’t that what the words say?
3) which is so evil I can’t even. You go in for a cancer test, so Google targets you at work with cancer ads, and your work sells your browser data to a data broker and the data broker sells it to a health insurance company which then fucks your policy up so when you get a diagnosis you end up going bankrupt and all because you did the right thing to begin with and got tested.
Leave it to Google to automate adverse selection!
Basic idea is that whatever you do at your doctor’s bleeds through to your browser on any page that Google helps build.
The only upside of this sorry situation is that Google and Ascension have gone so far over the line that there’s a good chance that their overreach will elicit a tightening of laws guaranteeing patient privacy and control over their medical records.
1 While it is difficult to prove a negative, the whistleblower’s claim seems likely to be accurate, that no large health care organization puts naked patient data in the cloud.