Jessica Kim Cohen November
13, 2019
A federal
regulator will probe a massive data project between Google and Ascension that
involved sharing health data from millions of patients.
HHS' Office for
Civil Rights, the federal agency that enforces HIPAA, would "like to learn
more information about this mass collection of individuals' medical records
with respect to the implications for patient privacy under HIPAA," agency
director Roger Severino said in a statement.
The federal probe
concerns a project that Google launched last year, internally referred to as
"Project Nightingale," which involves analyzing health data from
patients who received care at St. Louis-based Ascension, one of the nation's
largest health systems. Data reportedly includes patients' lab results,
medications and diagnoses.
Project
Nightingale's intended goal is to use Google's artificial intelligence tools to
recommend changes to a patient's care, such as different treatment plans,
diagnostic tests or additional physicians, as well as to flag unexpected
deviations in the patient's care.
The project is
still in a pilot phase, according to Google. It's also just one part of
Google's partnership with Ascension, which also involves a commercial contract
to move Ascension's on-premise data centers to Google's cloud-computing system.
Google has struck
similar partnerships with the health systems of Stanford University, the
University of Chicago and the University of California at San Francisco. But
Google appears to be sharing more information through Project Nightingale,
according to the Wall Street Journal,
which first reported on Project Nightingale Monday after reviewing internal
documents.
Ascension
patients were not notified about the partnership with Google, according to the
Wall Street Journal. But Google and Ascension have maintained that the project
complies with HIPAA, as Google signed a business associate agreement with the
health system. That ensures patient data can only be used for services outlined
in the agreement.
Under HIPAA, a
health system can share data with a business partner if that information is
used "only to help the covered entity carry out its healthcare
functions—not for the business associate's independent use or purposes," according to HHS.
"We are
happy to cooperate with any questions about the project," Tariq Shaukat,
Google Cloud's president of industry products and solutions, wrote in a blog post. "We
believe Google's work with Ascension adheres to industry-wide regulations
(including HIPAA) regarding patient data, and comes with strict guidance on
data privacy, security and usage."
Any patient data
shared with Google is "for the purpose of helping our providers support
patient care," Eduardo Conrado, Ascension's executive vice president of
strategy and innovations, wrote in a blog post. That data is
separate from Google's consumer data, and, under their agreement, Google isn't
permitted to use it for marketing purposes.
"This is
standard practice in healthcare, as patient data is frequently managed in
electronic systems that nurses and doctors widely use to deliver patient
care," Conrado wrote.
This isn't the
first time Google's work with healthcare providers has been questioned.
This summer a former UChicago Medicine patient
sued the health system over its sharing thousands of medical records with
Google for a research project on predicting patient outcomes, claiming that the
health system had not properly de-identified patient information. Google and
UChicago Medicine have maintained that they followed regulations, including
HIPAA.
No comments:
Post a Comment