Update: The Google/Ascension project is now being investigated by the Office for Civil Rights in the Department of Health and Human Services, the Wall Street Journal reported in an update last night. The office said it "will seek to learn more information about this mass collection of individuals' medical records to ensure that HIPAA protections were fully implemented." Google said it is "happy to cooperate with any questions about the project," and that "We believe Googles work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and comes with strict guidance on data privacy, security, and usage."
Original story from November 12, 2019 follows:
Google now has access to detailed medical records on tens of millions of Americans, but the company promises it won't mix that medical data with any of the other data Google collects on consumers who use its services.
Google provided this statement yesterday shortly after The Wall Street Journal reported that Google is partnering with Ascension, the country's second-largest health care system, "on a project to collect and crunch the detailed personal-health information of millions of people across 21 states."
"To be clear: under this arrangement, Ascension's data cannot be used for any other purpose than for providing these services we're offering under the agreement, and patient data cannot and will not be combined with any Google consumer data," Google said in a blog post. That would mean Google won't use the medical data to target advertisements at users of Google services.
Google also said that its work with Ascension "adheres to industry-wide regulations (including HIPAA) regarding patient data, and come[s] with strict guidance on data privacy, security, and usage."
"We have a Business Associate Agreement (BAA) with Ascension, which governs access to Protected Health Information (PHI) for the purpose of helping providers support patient care," Google said. "This is standard practice in health care, as patient data is frequently managed in electronic systems that nurses and doctors widely use to deliver patient care."
What can Google see? Pretty much everything
Patient data shared with Google includes names, birth dates, addresses, family members, allergies, immunizations, radiology scans, hospitalization records, lab tests, medications, medical conditions, "and some billing claims and other clinical records," according to a followup article in the Journal. The partnership "covers the personal health records of around 50 million patients of Ascension," the Journal wrote.
The Journal said that "Neither doctors nor patients have been formally notified of the arrangement" and that Google and Ascension began the project "in secret last year."
Google seems to be correct that the partnership doesn't violate HIPAA (the Health Insurance Portability and Accountability Act). As the Journal noted, that law "generally allows hospitals to share data with business partners without telling patients, as long as the information is used 'only to help the covered entity carry out its health care functions.'" An expert quoted by the Journal noted that Google would be at risk of violating the law "if it uses the health data to perform independent research outside the direct scope of patient care."
Ascension is not paying Google for these services, the Journal wrote, but Google's work with Ascension could lead to profitable ventures. Google is using Ascension's patient data "in part to design new software, underpinned by advanced artificial intelligence and machine learning, that zeroes in on individual patients to suggest changes to their care," the Journal wrote. Google could sell this software to other health care institutions. As part of the project, "Staffers across Alphabet Inc., Google's parent, have access to the patient information, internal documents show,&quRead More – Source