US regulations governing health data management are strict but full of gaps, and many of their parameters are now largely obsolete. This is how Google and Ascension lawyers have found ample legal room for maneuver to support their contracts. It is plausible that Google, as a business partner of Ascension, can access patients' personal health data without their specific consent.
Made in collaboration with our partners from esanum.it
Project Nightingale, as the Google-Ascension agreement is called, will circulate the personal health information of millions of Ascension patients among Google employees. Does this not violate the Health Insurance Portability and Accountability Act of 1996 (HIPAA)? Healthcare professionals often depict HIPAA as a rigid, and at times meaningless, piece of legislation that strongly inhibits them from sharing patient information among themselves and with patients and their families.
Dianne Bourque, a lawyer at Mintz law firm specializing in health law, says that HIPAA, strict as it is, is also written to encourage improvements in the quality of healthcare. “If you're shocked that your entire medical record just went to a giant company like Google, it doesn’t make you feel better that it's reasonable under HIPAA...but it is,” stated the lawyer. In fact, the data management activities Google will undertake for Ascension may well qualify as a strategy to meet Ascension's operational needs in order to improve the quality of its care. And within that framework, Google could be equated with a business partner. According to this interpretation, sharing patient data without patient consent may be legal under HIPAA.
Mark Rothstein, a bioethicist and public health law scholar at the University of Louisville, also says Google's services for Ascension could be seen as "quality improvement", falling within the legal boundary designed by HIPAA for business partners. But this does not clarify why the company would need to know the names and dates of birth of patients to achieve this. Instead, each patient could have been assigned a unique Ascension number so that they would remain anonymous for Google.
However, even if the agreement turns out to be technically legal, it raises important unresolved political issues. Legislators who created HIPAA could not anticipate the advent of the Internet as it is today, or the rise of data giants like Google and Apple, or the power of hackers who can penetrate the most secure data systems at will. It is one thing to share an archive of paper documents with an external entity. It is another to send electronic versions of the data to a cloud where, despite the best efforts of third parties, they could be hacked from anywhere in the world. HIPAA is probably no longer enough to reassure patients that their electronic health data is adequately protected.
Another issue concerns the rights to commercial benefits that could arise from collaborations between healthcare organizations and IT companies. The profits will be derived from the personal health information of millions of patients who are likely to have no idea how their data has been used. Should they be given the opportunity to accept or deny consent to the commercial use of their data? Should they reap in some limited way the profits from the use of their (very personal) medical information?
These and other questions will have to be addressed to determine the individual and social benefits of the health information revolution, and the multiple conflicts of interest that undermine this important stage of modern medicine.