The HHS Office for Civil Rights is investigating whether Google met HIPAA requirements when it pulled together millions of patient records while working with the Ascension health system.
According to a piece appearing in STAT News, Google’s “Project Nightingale” initiative focuses on analyzing personal health information in an effort to find ways to personalize the delivery of medical treatment.
While the analytics process is not in and of itself an issue, critics apparently believe patients and physicians were not informed about the project. This notion has upset many observers who haven’t made a peep about other large data accumulation efforts. (For example, check out the ongoing data accumulation work underway at Cerner and Epic.)
When asked by STAT what triggered its inquiry, an OCR spokesperson told the publication that the agency “would like to learn more information about this mass collection of individuals’ medical records with respect to the implications for patient privacy under HIPAA.” (Translation: We’re not sure what’s going on here, but we’re not thrilled by what we see.)
Part of the media firestorm which has now arisen around the project since the investigation story broke in the Wall Street Journal seems to stem from the notion that Google and/or Ascension have been keeping the effort under wraps. Apparently, some reports have even suggested that the name Project Nightingale was some sort of super-spy codeword intended to keep the project secret.
Ascension leaders vigorously dispute this. In a statement addressing the project, Ascension EVP of strategy and innovation Eduardo Conrado said its work with Google on the project was “anything but secret.” He reports that acute care administrative and clinical leaders across the company have been informed of the work, including clinical leaders of its employed physicians group. Conrado also said that front-line nurses and clinicians have participated in the project actively.
According to Conrado, the health system’s broad goal in working on Project Nightingale is to address industry health data interoperability challenges. “The work we’re doing includes developing new technologies that enable our clinicians to find important clinical information [more easily],” he said in the statement. In other words, it’s on the same road virtually all of its peers are traveling.
Google, in its comments on the furor, says it is following all relevant regulations governing patient data privacy, security and usage under its Business Associate Agreement with Ascension. It also points out that its work with Ascension is similar to that which its Cloud division does with dozens of other providers and researchers, including the Cleveland Clinic and the American Cancer Society.
Look, let’s be honest here. There are many existing and soon-to-launch projects structured not unlike what Ascension’s doing with the big G, the key difference being that they don’t have Google’s extraordinarily high-profile name attached to them. If the feds are targeting Google, it’s partly because of who they are rather than what they’re doing, and of course, partly because the WSJ got involved.
That being said, if you have to take a look at how health data accumulation and analysis should be handled, Google is a nice practical place to start. While the horse is miles out of the barn door where Google’s collection of other types of personal data is concerned, it may not be too late to take a hard look at how it works with health data. Arguably, it’s a shame for Ascension that it got caught up in a Google-related kerfuffle, but if it is indeed following HIPAA rules, I think it will come out unscathed.