In recent years, Google has been making increasingly aggressive forays into the lucrative U.S. healthcare sector, estimated by some to be worth $3.5 trillion annually. For example, Google recently announced plans for a $2.1 billion acquisition of Fitbit, which has 25 million active users. And now, after an anonymous whistleblower provided details online, the company is unveiling a once-secret health data partnership (codenamed “Project Nightingale”) with Ascension, the nation’s second-largest health system with over 2,600 hospitals and other medical care facilities scattered over nearly two dozen states. According to the whistleblower, Google is attempting to acquire access to over 50 million patient records in 21 different states, all without the consent of patients, doctors or other healthcare professionals.
Possible privacy violations involving health data
The big question, of course, is whether this Project Nightingale health data partnership between Google and Ascension involving tens of millions of patient records actually breaks any laws. According to the 1996 Health Insurance Portability and Accountability Act (HIPAA), there are very rigid guidelines in place as to how health data can be shared without the formal consent of patients. Any health data-sharing arrangement must be used specifically to improve the quality or scope of healthcare, and cannot be used for purely commercial purposes. Moreover, data cannot be shared with any third parties, such as potential advertisers or data brokers.
According to Google, the tech company has done nothing wrong when it comes to getting access to this health data. It says that it signed an “industry-standard agreement” with Ascension that confirms that the Silicon Valley tech giant will only use the health data to improve health outcomes for patients and to optimize the overall health system.
Yet, reporting from the Wall Street Journal and New York Times would seem to suggest that Google has something very different in mind, and that the company has somehow crossed a line by moving so much data to the Google Cloud. Many analysts, too, are rightly skeptical about what Google is planning to do with all that health data.
Dov Goldman, Director of Risk and Compliance at Panorays, commented on the potential implications: “Google and Ascension Health both stated that this initiative is designed specifically to improve healthcare. The armies of regulators, legislators and public interests scrutinizing Nightingale have thus far reported nothing illegal about the project. Nevertheless, we should be concerned. It’s reported that more than 150 Google staffers have access to data on millions of patients, and Google has other health information projects underway, such as the Fitbit fitness product line the web giant purchased recently. Only airtight privacy and information security controls will ensure that Nightingale data is truly safe within Google Cloud and used only for the stated purposes.”
Google’s ambitions in the healthcare sector
While the actual agreement between Google and the nonprofit healthcare provider Ascension might be HIPAA-compliant, it is not quite as clear that the digital tools and software used to import and export the data are HIPAA-compliant. Quite simply, once Google gets its hands on the health data, that’s when the company might begin to use the data in ways that were not originally intended. For example, Google has made no secret of its desire to “train” medical artificial intelligence (AI) systems with electronic health records, so would using health data in an AI or machine learning lab qualify as a HIPAA-compliant use of that health data?
Privacy advocates, too, make the case that Google has been carrying out much of this Project Nightingale in complete secrecy, so that obviously raises a few questions. The optics are very bad indeed if it took an anonymous whistleblower to do a full data dump on the Internet in order to get a major company to admit what it was doing. If everything were aboveboard and by the numbers, then why hide the fact that you are getting access to 50 million patient records? Why make the health data available to nearly 150 Google employees? And if the end goal is to improve patient outcomes for members of the nonprofit Ascension healthcare system, then why not inform patients in advance and obtain their prior consent?
Moreover, there is the whole matter of the comprehensive nature of the health data that Google is obtaining as part of the data-sharing deal. Based on what is known about the health data deal, Google will get access to what amounts to a complete medical history of nearly 50 million patients – including name, address, date of birth, medical conditions, lab records, and hospitalization history. With that type of medical data, Google can create a very detailed and complete profile of users, while also enabling it to take on Amazon and Apple in the healthcare space.
In a best-case scenario, of course, all of that health data will be used to help improve diagnostic and testing options available to physicians. In the past, for example, Google has launched AI projects designed to assess the risk of heart disease simply from an eye scan, and used health data sets to predict the risk of premature death. Thus, if Google does what it says it is going to do, there is a chance that fears of Google misusing or abusing the health data might be overblown.
Tim Erlin, VP, product management and strategy at cybersecurity firm Tripwire, commented on the potential privacy implications of Google getting involved with health data: “There’s no doubt that bigger repositories of sensitive data make bigger targets for attackers, so consumers have every right to be concerned about this move. As with all data driven efforts that require personal data to work, consumers have to weigh the benefits against the risks. Google is a company that’s fundamentally built on data, and healthcare is big business, so it’s hard not to see how this project makes sense.”
Why Google is collecting health data on millions of Americans
However, it’s also important to keep in mind the sketchy history of Google when it comes to the use of personal data. From concerns that Google might be reading private email messages in order to serve up ads in Gmail, to concerns that Android phones are used to track Google users, the Silicon Valley tech giant doesn’t exactly have a stellar record when it comes to personal data and data privacy. Take, for example, the fact that Google didn’t even take steps to encrypt or “de-identify” the health data that it was receiving from Ascension. Moreover, leaked documents from the whistleblower suggest that the company was overriding privacy concerns raised by Ascension executives as to the ethics of the health data deal.
At the end of the day, concerns from individual patients about the Google health data deal might come down to a single question: Do you trust Google to be your doctor? Most people, if asked to answer that question, would probably say “no.” Do you really want Google to know which medications you are taking, or the intimate details of your health history? Understandably, the 50 million patients involved in this health data deal are probably none too pleased that Google has been secretly acquiring all of their personal health data and patient data, all without even asking for consent.
If Google really plans to become a major player in the healthcare sector, as its recently announced acquisition of Fitbit would seem to suggest, then it needs to get a much better handle on the rigorous and detailed standards that exist for health data in the United States. There is a fundamentally different privacy standard to follow if you are cataloging personal search history, versus if you are collecting and monitoring sensitive health data on millions of Americans.