For Google and Ascension Health, the second-largest U.S. healthcare system, now in the news over the privacy and security of shared patient data, the day of reckoning may have come: some are asking whether HIPAA, the 1996 law governing the sharing and security of protected patient data, needs a congressional overhaul.
In mid-November, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) announced an investigation into the Google–Ascension Nightingale Project, prompted by a bipartisan congressional request. In the eight months since Nightingale launched, Ascension has shared an estimated 50 million patient files from 21 states with Google. The two organizations signed a standard agreement of the kind HIPAA permits. By all accounts the deal is legal, but it alarms patient privacy advocates.
In pursuit of electronic medical record interoperability, hospitals, physicians, clinics, pharmacies, and other providers have spent nearly two decades working out practical ways to share direct patient care records. The long-held goal of moving medical economics from fee-for-service (paying for individual episodes of care) to whole-person, value-based care depends on efficient, secure sharing of patient records. Such strategies can even incorporate Social Determinants of Health (SDoH) factors from social services, which research suggests can influence up to 90 percent of a person’s health.
As interoperability is realized, this vast trove of data is in demand for secondary uses. Both healthcare providers and analytics companies, from small artificial intelligence (AI) start-ups to giants like Google, IBM Watson, and Amazon, are keen to use it. The range of secondary applications is wide: everything from training AI models to spot breast cancer lesions earlier than the human eye can, to building aggregated machine learning models for care management and personalized health recommendations. Such uses have been envisioned since HIPAA was enacted.
The Perils of Hacking, Consent, and Patient Identifiers
Alarm over the Nightingale project, however, comes from several fronts. First, medical record theft and ransomware are a real problem. In the first half of 2019, for example, the number of patient records exposed in breaches nearly doubled from the same period in 2018, reaching 32 million, according to the site Health IT Security.
The second issue, raised by the Google whistleblower who called attention to Nightingale in a November 14 article in The Guardian, is that patients did not give specific consent for the use of their data in the project. HIPAA does allow such use, though under vaguely worded parameters, according to privacy critics. The whistleblower also faulted the project because the voluminous patient data is not “de-identified,” that is, scrubbed of information identifying specific patients so that it can be used only in aggregate. By comparison, IBM offers a patient record database of 250,000 million patients, which the company promotes as de-identified.
Google and Ascension maintain that their agreement provides the expected and proper security for patient data. Ascension says the agreement bars Google from using the protected health data for any purpose other than developing population health and analytics software that analyzes health information in aggregate to help doctors and nurses deliver whole-person care. Ascension has also appointed a privacy compliance officer to oversee the project with Google. Nonetheless, the Google whistleblower, along with unnamed Ascension employees, has expressed concern about HIPAA compliance within the Nightingale project. Google cites its track record of compliance on other HIPAA-governed projects.
Time to Revisit HIPAA?
With hospitals, clinics, pharmacies, physicians, and other providers now reliably sharing patient records (although not yet universally or uniformly well), it may be time to update HIPAA.
“HIPAA was crafted many decades ago now, and it’s probably time for it to be updated for the current world,” said Dan Nigrin, SVP and CIO at Boston Children’s Hospital, at the recent U.S. News & World Report Healthcare of Tomorrow conference. “The safeguards provided for in HIPAA probably lack specific granularity and detail for the instances like the one we just saw unfold before us (Google/Ascension).”
The Nightingale controversy is arguably tied to the “checkered past” large tech companies have with consumer data and trust, according to the site Healthcare Dive. Examples range from the Facebook–Cambridge Analytica scandal surrounding the 2016 presidential election to Google’s routine use of consumer data to target advertising. The Google whistleblower also pointed out that the Ascension data is being stored in the cloud, citing the 2013 Target breach as a cautionary example.
Combine these concerns with the reality that in 49 of 50 states, health data is legally owned by the entity that collects it, and it’s not a stretch to understand why the issues of patient data sharing have garnered the attention of patient privacy advocates and Congress.
“Right now, we don’t have very good national standards, or even international standards, around data sharing and privacy,” Maia Hightower, chief medical information officer at University of Utah Health, told Healthcare Dive, noting that the University of Utah is currently retooling its ethics guidelines and processes and adding that “there’s no Big Bang solution.”
For now, the standard business associate agreement (BAA) between Ascension and Google meets the letter of HIPAA. A BAA allows protected health information to be transferred from a health system to a business partner such as Google. While there are concerns about the partnership, which CNBC called “a privacy flap,” the news outlet noted that at this point “… it’s not clear that the deal represents a major privacy risk.” How privacy issues of the current age are handled, and whether HIPAA gets the overhaul some feel it needs, will be worth watching.