The fuss all started with a report from the WSJ early last week.
Google’s ‘Project Nightingale’ Gathers Personal Health Data on Millions of Americans
Search giant is amassing health records from Ascension facilities in 21 states; patients not yet informed
By Rob Copeland
Updated Nov. 11, 2019 4:27 pm ET
Google is engaged with one of the country’s largest health-care systems to collect and crunch the detailed personal health information of millions of Americans across 21 states.
The initiative, code-named “Project Nightingale,” appears to be the biggest in a series of efforts by Silicon Valley giants to gain access to personal health data and establish a toehold in the massive health-care industry. Amazon.com Inc., Apple Inc. and Microsoft Corp. are also aggressively pushing into health care, though they haven’t yet struck deals of this scope.
Google began Project Nightingale in secret last year with St. Louis-based Ascension, the second-largest health system in the U.S., with the data sharing accelerating since summer, according to internal documents.
The data involved in the initiative encompasses lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, including patient names and dates of birth.
Here is the link:
Use this link to find out about Ascension, which is the largest Catholic healthcare provider in the US.
Things moved along quite quickly so this was being reported 48 hrs later.
Project Nightingale seems to square with HIPAA, but next steps matter
While Google apparently signed a business associate agreement with Ascension, and the scope of the data sharing appears to be in line with HIPAA allowances, there are still many questions about how the patient information is being put to use.
By Nathan Eddy
November 13, 2019 02:24 PM
The health data sharing collaboration between Google and Ascension has raised some big concerns nationwide – starting with some employees at Ascension – about what the initiative could mean for patient privacy.
The so-called "Project Nightingale" overall does appear to meet HIPAA compliance standards, based on Google's and Ascension's own statements and what has been reported so far by The Wall Street Journal and others.
But the news that Google – which makes its money off data-based advertising and has long been the subject of privacy concerns – would have access to protected health information has understandably raised some alarms across an industry where privacy and security are meant to be paramount. (The partnership has now led to a new federal inquiry.)
CNBC reported that, while Ascension and Google did sign a business associate agreement, as required by HIPAA, "some Ascension employees were concerned that some tools that Google is using to import and export data were not compliant with HIPAA privacy standards."
As Ray D'Onofrio, principal data analyst at technology consultants SPR explains, "development tools such as Google Data Studio can be problematic with HIPAA compliance, features such as logging of data changes, access controls for data viewing and screen locks are often not native."
However, "tactical HIPAA compliance is a bit of a red herring," he said. "It is the spirit of HIPAA that should be questioned – is data acquired and use of the data specifically providing value to the patient?"
In a blog post, Tariq Shaukat, president, industry products and solutions at Google Cloud, said the company has a BAA with Ascension, governing the use of PHI "for the purpose of helping providers support patient care."
More here:
Already we have inquiries launched and Congress expressing concern as to what it all means.
Google quickly came back and said it was all above board:
Google denies it’s misusing health data as HHS starts inquiry
November 13, 2019, 3:49 p.m. EST
Google’s top health and cloud executives said the company isn’t misusing health data from one of the biggest U.S. healthcare providers, pushing back against news reports that have triggered criticism from lawmakers and prompted a federal inquiry.
Google employees only have access to patient information to build a new internal search tool for the Ascension hospital network, said David Feinberg, head of Google Health. No patient data is being used for Google’s artificial intelligence research, he added.
The Alphabet company’s contract is governed by U.S. health privacy law that permits it access to patient records solely for the task of organizing Ascension’s various health records systems and building a tool to make them easier to search, Feinberg said.
“That’s all we’re allowed to do and that’s all we are doing,” he said.
Google’s deal with Ascension has been under scrutiny since the Wall Street Journal reported on Monday that the company was collecting identifiable data on millions of Ascension patients and using it to build new products. On Tuesday, the paper reported that the Department of Health and Human Services’ Office for Civil Rights was starting an inquiry into the situation.
More here:
Detailed analysis is now starting to appear:
Why recent affiliations raise questions about use of data and HIPAA’s role
November 15, 2019, 3:43 p.m. EST
Privacy of health information is receiving a significant spotlight as a result of big technology companies moving into the healthcare industry.
While Amazon and Microsoft seem to slip past many headlines, Google is not in the same boat. Various arrangements between Google and systems including the Mayo Clinic, the University of Chicago and Ascension Health draw concern and fears of Google just taking multitudes of personal information about thousands or millions of individuals.
Is the use and obtaining of data inconsistent with regulatory requirements, or is there a permissible basis? Despite the most common statement being that Google is stepping around HIPAA, the most likely answer is that Google (and really many other technology based vendors) can receive the data as a business associate.
Google offers a good example in light of the still newly revealed work with Ascension. As confirmed by Google, Ascension is shifting its infrastructure to private environments maintained by Google, using Google productivity tools (the professional G-Suite is mostly HIPAA compliant), and extending tools designed to help improve clinical quality. Not unsurprisingly, one of the expected outcomes from these efforts is to enhance revenue, which means enabling Ascension to make more money.
More here:
There is rather more detailed analysis here:
Yes, Google's using your healthcare data – and it's not alone
There's a multi-billion dollar industry built around collecting healthcare data and anonymizing it so it can be used for research; it's perfectly legal.
Senior Reporter, Computerworld | Nov 15, 2019 9:49 am PST
Google is working with one of the largest healthcare systems in the U.S. to collect patient data on millions of Americans in 21 states and across 2,600 hospitals or clinics in order to analyze it and come up with advice for better patient care and cost cutting measures.
The project was reportedly revealed by a whistleblower who said the program, dubbed "Project Nightingale," involved Ascension – the largest Catholic health system in the world – and up to 50 million private medical records from healthcare providers.
It wasn't Google's only public controversy this week. Shortly after its deal with Ascension became public, The Washington Post reported that the National Institutes of Health (NIH) stopped the tech giant from posting more than 100,000 human chest x-rays.
Although the x-rays were part of a 2017 joint project with the NIH, the government agency discovered some of the images contained personally identifiable information of patients.
As for its deal with Ascension, Google said it had revealed plans to use its cloud data analytics to cull information from Ascension's patient data during a Q2 earnings call in July, though "Project Nightingale" was never mentioned during that call. "We announced 'Google Cloud's AI and ML solutions are helping healthcare organizations like Ascension improve the healthcare experience and outcomes,'" Google Cloud President Tariq Shaukat said in a blog post.
"Our work with Ascension is exactly that – a business arrangement to help a provider with the latest technology, similar to the work we do with dozens of other healthcare providers," Shaukat wrote. The list of care providers and healthcare records tech companies includes the Cleveland Clinic, the American Cancer Society, McKesson and Athena.
Shaukat said Google has a Business Associate Agreement (BAA) with Ascension, which governs access to Protected Health Information (PHI) for the purpose of helping providers support patient care.
"This is standard practice in healthcare, as patient data is frequently managed in electronic systems that nurses and doctors widely use to deliver patient care," Shaukat said.
No matter how well intentioned the project's overseers say it is, the collection of private medical data has raised the ire of patients and lawmakers who have called for a federal inquiry into the practice.
The Office for Civil Rights in the Department of Health and Human Services "will seek to learn more information about this mass collection of individuals' medical records to ensure that HIPAA protections were fully implemented," the office's director, Roger Severino, said in a statement.
Third parties compiling patient data is not only common among healthcare providers and analytics tech firms, it's perfectly legal – as long as patients have given consent by signing a common HIPAA form. And, wittingly or not, most have done so, according to Cynthia Burghard, a research director at IDC.
"Databases of this size are not uncommon," Burghard said. "On face value, I don't see an issue. They [Google] signed the HIPAA compliant document for business associate arrangements. So, they complied with the law there. When you go to a healthcare provider's office as a patient, you sign a HIPAA release form, which allows the institutions to use your data for medical research or improved care management; so there is patient consent there.
"That said, long term can you trust Google or any high-tech company ... who's used to monetizing assets to not do something bad?" Burghard said.
Many healthcare providers are storing patient data for analytics purposes in a cloud somewhere, whether it's Amazon Web Services, Microsoft's Azure or Google Cloud.
In September, controversy around patient privacy erupted when Google acquired the health division of London-based AI firm DeepMind, which built a healthcare app used to give clinicians at National Health Service [NHS] hospitals easy access to medical records. DeepMind's Streams app was already controversial after a UK privacy watchdog found the NHS had illegally handed 1.6 million patient records to DeepMind as part of a trial.
Last year, Amazon, JPMorgan and Berkshire formed a partnership to create a private healthcare company aimed at lowering the cost of care.
According to Adam Tanner, author of the book "Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records," businesses that have nothing to do with medical treatment are allowed to buy and sell healthcare data, provided they remove certain fields of information, including birth date, name and Social Security number.
More here:
What to make of all this?
It seems to me, with Google, Amazon and Apple all keen on gathering as much individual patient information as possible, that there must be some pretty well developed plans to monetise what has been gathered in some way or other. Just how that is to happen is not totally obvious to me – but I am sure it will emerge over time. Possibilities I can think of include use of the data to assist in various strategies to better direct care where it is needed, monitoring and reducing waste, providing predictive recommendations for preventive care and so on.
The intent of all this presumably is to reduce the overall cost of the total healthcare system and to improve the sustainability / profitability of the health systems using such technology.
The risks are clearly based around breaches of security and privacy of the individual information and presumably additionally allowing those involved to withdraw their data should they choose.
What do you think the companies are up to and, more importantly I suspect, do you think the efforts will pay off?
David.
2 comments:
First of all, they are getting patient personal data for free, and fully intend to monetise it to add to their already vast profit margins. Secondly, they seem to believe they can use the data without getting specific consent or even disclosing publicly that they are doing it, or what they are doing with it. Google got into a lot of trouble in the UK, so you would think they might learn a lesson - apparently not. The intent of HIPAA privacy controls is quite strict, but not in Google's view. Inevitably, Google will somehow find a way to cross reference the data with their existing substantial databases on customers, and reduce any chance for consumer privacy yet further. And what happens when the database is breached by hackers?
They have a long-standing and misguided friend now overseeing the MyHR. And let us not forget the ADHA bullish approach to My Health Record is straight out of the UK’s disastrous version (care.data).
Where is the evidence of value? Where is there any evidence of a social license?