A data-sharing project between Google and Ascension health system raises questions about HIPAA compliance. HHS’s Office for Civil Rights is investigating.
- Project Nightingale uses patient data to search for improvement in care, and to identify deviations.
- Patients were not notified that their data were to be shared with Google.
- Google signed a business associate agreement with the health system.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is investigating a huge data-sharing project between Google and Ascension, one of the country’s largest nonprofit health systems, in a case that analysts say highlights the uncertainties of exactly what is and is not allowed under HIPAA.
HHS Director Roger Severino announced that OCR is investigating “to learn more information about this mass collection of individuals’ medical records with respect to the implications for patient privacy under HIPAA.”
Google launched Project Nightingale in 2018 to analyze healthcare information from Ascension patients, including their diagnoses, lab results, and medications. The goal of the Google project is to develop best practices and new tools, and to identify deviations from standard care. Google has stated publicly that the data-sharing project is part of Google’s partnership with the St. Louis-based Ascension. The two companies also have stated that they are working to move Ascension’s on-premise data centers to Google’s cloud-computing system.
Both companies have issued statements saying Project Nightingale is HIPAA-compliant even though Ascension patients were not notified, because Google signed a business associate agreement with the health system. (The Ascension press release is available at: https://bwnews.pr/348II8P.)
Eduardo Conrado, Ascension’s executive vice president of strategy and innovations, wrote in a blog post that, “All of Google’s work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and come with strict guidance on data privacy, security and usage. We have a business associate agreement (BAA) with Ascension, which governs access to protected health information (PHI) for the purpose of helping providers support patient care.
“This is standard practice in healthcare, as patient data is frequently managed in electronic systems that nurses and doctors widely use to deliver patient care. To be clear: Under this arrangement, Ascension’s data cannot be used for any other purpose than for providing these services we’re offering under the agreement, and patient data cannot and will not be combined with any Google consumer data.” (The blog post is available online at: http://bit.ly/2YJAa7p.)
Business Associate Boundaries?
The project raises questions about how patient information can be shared between a healthcare organization and a third party like Google, says Elizabeth Litten, JD, partner and HIPAA privacy and security officer with Fox Rothschild in Princeton, NJ.
A key issue is that Google appears to be using the information to develop a healthcare data analysis service rather than strictly acting as a vendor performing data analysis for a client, she says.
“I think this really highlights the gray areas of HIPAA in that it stretches the boundaries of what a business associate is permitted to do with PHI under HIPAA. It’s one thing to provide services on behalf of the covered entity, but when the PHI is being used for Google’s own parallel efforts to sell its services to other covered entities, that pushes into a different realm.”
Litten also is curious whether Ascension’s Notice of Privacy Practices adequately alerts patients to how Google might be using their PHI. She took particular notice of the statements from Google and Ascension stressing that they are not using the information for advertising. That is fine, she says, but it is just one of the ways that they should not be using the information.
“There often is the perception that if information is deidentified, then you’re fine, and the patient’s privacy is not going to be at risk. Even among healthcare attorneys, there is the misconception that the deidentification of the information for the business associate to be able to sell that information is all fine under HIPAA,” Litten says. “My view is that it is not appropriate.”
Deidentification is not always enough, Litten says, because an aggregate of enough data could make it possible to identify someone.
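Litten’s point about aggregation can be made concrete with a k-anonymity check, the kind of test a covered entity or business associate would run on an extract before treating it as de-identified. The following is an added example, not code from the article, Google, or Ascension; the six records, the field names, and the generalization rules are constructed for illustration. Removing names and record numbers leaves quasi-identifiers (ZIP code, birth year, sex) that, taken together, are unique for most rows, and a table with unique rows can be matched against any other dataset that carries the same fields. The check counts how many records share each quasi-identifier combination, reports the minimum class size (k), and refuses to release the table until coarsening the identifiers pushes every class to at least the required k.

```python
from collections import Counter

# Constructed sample of a "de-identified" extract: direct identifiers removed,
# but quasi-identifiers left at full precision. Not real patient data.
RECORDS = [
    {"zip": "63101", "birth_year": 1954, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "63101", "birth_year": 1954, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "63102", "birth_year": 1985, "sex": "M", "diagnosis": "asthma"},
    {"zip": "63103", "birth_year": 1962, "sex": "M", "diagnosis": "depression"},
    {"zip": "63104", "birth_year": 1962, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "63105", "birth_year": 1988, "sex": "M", "diagnosis": "asthma"},
]

# Fields that are not identifiers on their own but identify people in combination.
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def qi_key(record, qi=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values that defines a record's equivalence class."""
    return tuple(record[field] for field in qi)


def class_sizes(records, qi=QUASI_IDENTIFIERS):
    """Number of records sharing each quasi-identifier combination."""
    return Counter(qi_key(r, qi) for r in records)


def min_k(records, qi=QUASI_IDENTIFIERS):
    """The k in k-anonymity: size of the smallest equivalence class (0 for an empty table)."""
    sizes = class_sizes(records, qi)
    return min(sizes.values()) if sizes else 0


def singletons(records, qi=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination is unique, i.e. re-identifiable by linkage."""
    sizes = class_sizes(records, qi)
    return [r for r in records if sizes[qi_key(r, qi)] == 1]


def generalize(record):
    """Coarsen quasi-identifiers: ZIP to its first three digits, birth year to its decade.
    (Hypothetical generalization rules chosen for this example.)"""
    coarse = dict(record)
    coarse["zip"] = record["zip"][:3] + "**"
    coarse["birth_year"] = f"{record['birth_year'] // 10 * 10}s"
    return coarse


def release_if_k_anonymous(records, k, qi=QUASI_IDENTIFIERS):
    """Return the generalized table only if every quasi-identifier class has at least k members;
    otherwise return None so the caller cannot accidentally ship a linkable extract."""
    generalized = [generalize(r) for r in records]
    if min_k(generalized, qi) < k:
        return None
    return generalized


if __name__ == "__main__":
    print("raw extract: k =", min_k(RECORDS), "unique rows =", len(singletons(RECORDS)))
    table = release_if_k_anonymous(RECORDS, k=2)
    print("after generalization: k =", min_k(table), "released" if table else "withheld")
```

On the raw extract four of the six rows are unique even though no name appears, which is exactly the exposure Litten describes; generalizing ZIP and birth year raises k to 2 and the release gate passes. A k-anonymity gate is a floor, not a ceiling: the class of women born in the 1950s still discloses that everyone in it has one of two diagnoses, so a real release review would also look at attribute diversity within each class and at which external datasets share these fields.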
Public Reaction Matters
The Google/Ascension project is a large-scale example of the same principles that apply to any healthcare organization entering into a BAA with a vendor, says Matthew R. Fisher, JD, partner with Mirick O’Connell in Worcester, MA. The healthcare organization needs to be completely comfortable with knowledge that the vendor is complying with HIPAA and other potentially relevant regulatory requirements. Ascension must have performed due diligence in that regard, he says.
The situation also illustrates the need to anticipate the reaction of patients and the public to news of such a data-sharing project, he says. The Google/Ascension project requires the public to trust both large organizations will protect their privacy, and Google’s name carries some baggage, Fisher says.
“From an organizational risk management standpoint, it is important to get ahead of any public relations or communications impact of an arrangement like this, particularly when you’re talking about the sharing of patient data because people can be quite sensitive and skeptical about that,” Fisher says. “That seems to be one of the bigger issues that has arisen from the Google and Ascension project. They’re saying that they’re doing everything right, but everyone is just looking at the name Google, which they associate with internet searches, and assuming that the data are going to be misused.”
The trust factor and the public perception of a potential partner company should be considered when evaluating potential deals, Fisher says. Partnering with a company that the public sees as sketchy in terms of privacy could cause patients to shy away from using the healthcare organization, he says.
Could Affect Other Projects
Even for healthcare organizations not involved with Ascension or any similar project, there could be some blowback from publicity surrounding the project, Fisher says. Consumers may become aware that hospitals and health systems can share their patient information in this way, and fearful that it is happening without their knowledge or permission, he says.
“Any response to a question along those lines should be framed carefully, because HIPAA does allow for a lot of uses and disclosures of information that the individuals don’t know about,” Fisher explains. “Legally, there is nothing wrong with that, but if someone starts asking questions, you want to delicately respond by not saying anything untruthful but by explaining some of the benefits of that relationship. The goal should be to allay some of the concerns raised by individuals, not to dismiss them by simply saying you’re not violating any regulations.”
Fisher says it appears that Google and Ascension have taken the proper steps to share the patient data under the restrictions of HIPAA, but he is not surprised that OCR wants to take a closer look. The scale of the project and the public attention it has received likely prompted the OCR involvement, he says.
“Data-sharing is happening like this all the time, and there are a lot of vendors trying to gain access to a large swath of data. This type of arrangement is not surprising,” he says. “The names involved happened to draw greater interest and attention.”
Other health systems are likely to enter into similar arrangements with Google, Fisher says. Any entity considering such a relationship should be careful to conduct due diligence on the other party’s compliance with all privacy and security requirements, he says.
“They might want to include the ability to audit the compliance on an ongoing basis, and actually exercise that option to do an audit. I see that provision in a business associate agreement frequently, but when I talk to clients who are business associates they say they never get audited by the covered entity,” Fisher says. “Also, proactively consider what the public’s reaction might be if they hear about this relationship. It might be preferable to announce the establishment of that relationship so that the healthcare organization is controlling the story, rather than reacting when the public finds out through some other means.”