A partnership between Ascension and Google has sparked public pushback and a federal probe into whether the companies followed federal privacy laws before releasing patient data. But healthcare experts say the reaction to the deal likely has less to do with Ascension sharing patient data, and more to do with the partner they chose.
“The truth of the matter is patient data gets used by the healthcare institutions that they have visited—often,” said Michael Abrams, managing partner at healthcare consultancy Numerof & Associates.
The deal is a “giant nothingburger,” said Niall Brennan, CEO of the Health Care Cost Institute and former chief data officer at the CMS, on Twitter after the news was first reported by the Wall Street Journal Monday.
“This type of health information data exchange occurs thousands, tens of thousands, millions of times, all day, every day, across the healthcare system,” Brennan said in an interview. For Brennan, the partnership with Google is no different than a healthcare provider sharing patient data with a technology vendor like IBM or Optum, which are both active in the industry.
Still, the reaction to the Ascension/Google partnership should serve as a warning for health systems, which are increasingly looking to partner with technology companies—many of whom haven’t been traditional healthcare players—for analytics and cloud computing services that help manage and make sense of their data.
“The reaction illustrates the seething mistrust that many Americans have with big tech’s track record for their personal privacy,” Brennan said. “I think that set off a lot of alarm bells with people.”
Google has had a messy history with data privacy in the consumer world. The tech giant in September agreed to pay a record $170 million fine to settle allegations by the Federal Trade Commission and the New York Attorney General that its subsidiary, YouTube, had illegally collected data from children without their parents’ consent to sell ads.
The company last year announced plans to shut down its social network, Google+, after discovering a bug had exposed data on hundreds of thousands of users’ profiles.
“The amount of ink that missteps by Facebook, Google and others have gotten, the investigations, and so on, that we’ve had in the last few months have really raised the profile of this kind of event,” Abrams said. “It raises concerns, but I’m not sure there’s anything legitimate here to be concerned about.”
Google’s healthcare ambitions
This isn’t Google’s first partnership that involves sharing patient data, and it isn’t the first time the company’s work with healthcare providers has been questioned.
Mayo Clinic in Rochester, Minn., in September announced a 10-year partnership with Google, under which the health system would move clinical data to Google’s cloud. And Google has struck research partnerships with the health systems of Stanford University, the University of Chicago and the University of California at San Francisco.
This summer a former UChicago Medicine patient sued the health system over its sharing thousands of medical records with Google for a research project, claiming that the health system had not properly de-identified patient information. Google and UChicago Medicine have maintained that they followed regulations, including HIPAA, and UChicago Medicine has filed a motion asking the court to dismiss the case.
One area of concern over Google’s partnership with Ascension is that the health system is reportedly sharing personally identifiable information including names and dates of birth, alongside lab results, medications and diagnoses, the Wall Street Journal reported. That would be health data from millions of patients, as St. Louis-based Ascension is one of the nation’s largest health systems, spanning 2,600 care sites across 20 states and Washington, D.C.
But Google’s partnership with Ascension, unlike its research work with health systems like UChicago Medicine, is largely a commercial contract for cloud services.
Ascension and Google launched the collaboration in question, internally referred to as “Project Nightingale,” last year. It involves a contract to move Ascension’s patient data from on-premise data centers to Google’s cloud-computing system, as well as pulling clinical data from separate systems together, so clinicians can view information in one consolidated place. Ascension said they are also in early alpha testing of a user interface that would sit on top of that data, which would allow clinicians to more easily search for specific patient records and search for details within a record.
Projects like these are “critical to our efforts to move from fee-for-service to fee-for-value,” Joseph Impicciche, Ascension’s CEO, wrote in an email sent to employees on Tuesday and exclusively acquired by Modern Healthcare. Improving healthcare practices for patients and clinicians will “require the integration of new care models delivered through digital platforms, applications and data,” he wrote.
A component of the partnership that drew significant public interest in the Wall Street Journal’s reporting involved an effort to analyze health data from patients who received care at Ascension, in an effort to develop a system that would recommend changes to a patient’s care, such as different treatment plans, diagnostic tests or additional physicians, as well as to flag unexpected deviations in the patient’s care.
Ascension’s partnership with Google doesn’t include any system to suggest care changes, an Ascension spokesperson said.
The HIPAA question
Ascension and Google have maintained that their work complies with HIPAA, as Google signed a business associate agreement with the health system.
“Any exchange of (protected health information) in connection with this work is for the purpose of helping our providers support patient care,” Eduardo Conrado, Ascension’s executive vice president of strategy and innovations, wrote in a blog post. “This is standard practice in healthcare, as patient data is frequently managed in electronic systems that nurses and doctors widely use to deliver patient care.”
That’s what the HHS’ Office for Civil Rights, the federal agency that enforces HIPAA, plans to investigate as part of its probe into the partnership.
The OCR “would like to learn more information about this mass collection of individuals’ medical records with respect to the implications for patient privacy under HIPAA,” agency director Roger Severino said in a statement Wednesday.
“We are happy to cooperate with any questions about the project,” Tariq Shaukat, Google Cloud’s president of industry products and solutions, wrote in a blog post. “We believe Google’s work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and comes with strict guidance on data privacy, security and usage.”
A federal probe doesn’t suggest wrongdoing, said Lucia Savage, chief privacy and regulatory officer at digital therapeutics company Omada Health and former chief privacy officer at HHS’ Office of the National Coordinator for Health Information Technology. “OCR has publicly said on many, many occasions that they investigate every single complaint that gets filed,” she said.
Based on what’s been reported about Ascension and Google’s partnership, it appears that it wouldn’t be in violation of HIPAA, Savage added, as the privacy law allows health systems to “hire people to do its work.” She equated the partnership with how health systems sign contracts with electronic health record vendors.
“I don’t think the law would have required (a health system) to say to each person who might sometime become a patient, or might have been a patient in the past, ‘By the way, we’re contracting with Epic Systems, or we’re contracting with Cerner,’” she said. “It’s not required to notify each person of the particular business associate in each particular instance.”
Under HIPAA, a health system can share data with a business partner if that information is used “only to help the covered entity carry out its healthcare functions—not for the business associate’s independent use or purposes,” according to HHS.
Google isn’t charging Ascension for some of its application development work, according to internal documents reviewed by the Wall Street Journal, since the tech giant hopes to use findings from the project to inform similar products at other health systems. But Google is charging Ascension for services rendered as part of its commercial contract, Shaukat wrote in his blog post, although he said the company won’t disclose financial details about the agreement.
Ascension confirmed that Google is not charging the health system for the EHR search application, since they are still in an early development and testing phase. Once the software is generally available for sale, Ascension will begin paying. That type of agreement is standard process in the software development industry, according to Ascension officials.
Confusion over the financial details of the deal may be fueling questions into what benefit Google is seeking from the partnership, said Ray D’Onofrio, principal data architect at digital technology consultancy SPR.
“HIPAA really says you only get data—and you should only use data—for the purposes of providing care,” D’Onofrio said. So even if Google is following the “letter of the law” when it comes to HIPAA, there are other questions worth asking.
“Is this just a deal for Google to be paid to do the analytics for Ascension?” he offered, as an example. “Is this Google looking to learn stuff and then sell that back to the health community?”
Ascension and Google have said that patient data shared with Google won’t be combined with Google’s consumer data, and, under the BAA with Ascension, Google isn’t permitted to use it for marketing.
But “the law just sets a minimum,” said Lois Shepherd, a professor of law and bioethics at the University of Virginia School of Medicine’s center for health humanities and ethics. There are reasons patients might be hesitant to have their data shared with Google, which hasn’t disclosed how many employees at the company will be able to access the patient data.
“It would be reasonable for patients to feel a total loss of control over their data, especially since it’s identifiable,” Shepherd said, noting Google isn’t a provider that patients have opted to trust with their medical information and healthcare. “I don’t know why (patients) would have any reason to trust Google.”
That perceived lack of control over one’s own medical data is likely what’s driving patient concerns, D’Onofrio said. That doesn’t necessarily point to an aversion to big tech—Apple’s health records feature, which allows patients with iPhones to corral health information from their providers’ patient portals into the Health app, wasn’t hit with as many concerns about privacy.
Apple’s health records feature is a patient-facing project, which allows patients to opt-in to downloading their data into the iPhone’s Health app.
“There’s a lot of data already being shared” throughout healthcare, D’Onofrio said. “It’s a matter of making people knowledgeable about what’s being shared and why it’s being shared.”
Health systems interested in partnering with tech giants that are new to the healthcare ecosystem will have to grapple with how to ensure the companies understand, not just legally, but also “culturally (their) obligations related to HIPAA, data governance and patient privacy,” Brennan said—and how to communicate that to others. “As a citizen, (Google’s) culture around privacy seems a little bit loosey goosey.”
“This is not search data, this is extremely sensitive information,” he said. Google can’t “run wild with it like they have done with other data in the past.”