Google Health’s Partnerships Raise Privacy Concerns
Recently, Google has been at the center of privacy concerns due to its health- sharing collaborations with the University of Chicago Medical Center (the Medical Center) and Ascension, a leading nonprofit health system. These collaborations have put Google in the crosshairs of a class action lawsuit and a federal inquiry related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
HIPAA protects the privacy and security of individually identifiable health information. However, it does not restrict the use or disclosure of de-identified health information. There are two methods to achieve de-identification:
- an expert determination (usually from a statistician) that the risk to use de-identified information alone or in combination with other reasonably available information to identify the subject of the information is small or that the data is properly de-identified under the National Institute of Standards and Technology’s guidance
- the “safe harbor” of eliminating 18 identifiers from protected personally identifiable health information: names; all geographic subdivisions smaller than a state (including street address, city, county, precinct, ZIP code and their equivalent genocodes); all elements for dates (except year) for dates that are directly related to an individual (including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates [including year] indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older); telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers and serial numbers (including license plate numbers); device identifiers and serial numbers; URLs; IP addresses; biometric identifiers (including finger and voice prints); full-face photographs and any comparable images; and any other unique identifying number, characteristic or code.1
Additionally, HIPAA allows covered entities to disclose protected health information (PHI) to business associates as long as the PHI is solely used to help the covered entity carry out its health care functions. The current issue has become whether large analytics companies that possess vast amounts of personal information, like Google, can truly be HIPAA compliant when partnering with health care providers.
Google and the University of Chicago Medical Center
In May 2017, Google announced its partnership with the Medical Center to “research ways to use machine learning to predict medical events.”2 A few months later, the Medical Center transferred electronic health records (EHRs) of hundreds of thousands of individuals who were patients at the Medical Center from 2009 to 2016.3 In its Notice of Privacy Practices and Admission and Outpatient Agreement and Authorization (Notice), the Medical Center promised patients that it would not disclose patient records to third parties for commercial purposes and would comply with federal and state privacy laws, including HIPAA, to protect and maintain the privacy and confidentiality of the records.4 The Notice did not disclose that the Medical Center would transfer patients’ medical records to Google or similar vendors, and did not give the Medical Center permission to disclose the records to entities like Google for any purpose whatsoever.5
In an article describing their research findings and the methodology employed in analyzing patients’ medical records, Google and the Medical Center revealed that, while the EHRs were supposedly “de-identified,” the date stamps and free-text medical notes from the records were maintained.6 Patient demographics, provider orders, diagnoses, procedures, medications, laboratory values, vital signs and flowsheet data on both inpatients and outpatients were also included in these records.7
On June 26, 2019, a putative class action was filed in the U.S. District Court for the Northern District of Illinois against Google and the Medical Center for the Medical Center’s disclosure of EHRs to Google.8 The complaint alleges that the date stamps and free-text notes that were maintained in the records immediately placed the transfer of the records outside of HIPAA’s safe harbor provision. The complaint also alleges that the Medical Center did not perform an expert determination before transferring the medical records to Google or, alternatively, if it did hire an expert, the expert did not make a finding that the risk of re-identification was small.9 With the vast amount of personal information Google possesses and its powerful analytic capabilities, including its ability to identify individuals’ exact locations and time spent at a location, the complaint alleges that Google could easily re-identify the medical records it received from the Medical Center, with the help of the date stamps for admission and discharge and the free-text notes, which are not to be included in de-identified medical records.10
The complaint further alleges that Google’s receipt of the Medical Center’s patient records was part of Google’s longtime plan to gain a foothold in the predictive health analytics industry. Google’s efforts in this area include:
- In 2008, Google attempted to gather consumer medical data by developing a service that allowed consumers to organize and store their personal health data and medical records on Google’s platform, but this service was discontinued for a lack of consumer participation.
- In 2014, Google acquired a small startup named DeepMind that focused on bringing artificial intelligence and advanced machine learning to, among others, the health care industry.
- In 2015, Google and DeepMind participated in a study that processed patient data from the Royal Free NHS Foundation Trust (NHS). However, the Information Commissioner’s Office, a UK data protection watchdog, announced that Google and DeepMind’s agreement with NHS failed to comply with data protection law. Google and DeepMind responded by promising to protect patient privacy and announced that DeepMind would continue to operate independently and outside the reach of Google, and that Google would not have direct access to patient records. However, Google and DeepMind did not change any of their privacy practices, and, in 2018, Google announced that it would fully absorb and take control of DeepMind Health, separating it from DeepMind and allowing Google to have access to health data collected and processed by DeepMind.11
The complaint also alleges that Google planned to gather consumer medical data to create its own EHR system and commercialize the Medical Center’s medical records before obtaining them, as evidenced by the patent application it submitted in 2017.12 The EHR system includes a computer memory-storing de-identified EHR, a computer executing deep learning on those records in a standardized data structure format, and an interface for clinicians displaying a patient’s past and predicted future clinical events.13
Google and the Medical Center have already made several attempts to dismiss the class action, and have most recently alleged that the plaintiffs’ attorney has a conflict of interest as an investor in a competing analytics company.14 The lawsuit is still pending.
Google and Ascension
Similar to Google’s partnership with the Medical Center, Google announced on November 11, 2019 that it had partnered with Ascension Health, a nonprofit health system operating in 21 states with 2,600 hospitals, clinics and other medical outlets.15 Named “Project Nightingale,” Google would (1) build a search tool for medical professionals that would use machine-learning algorithms to process data and make suggestions about prescriptions, diagnoses and even which doctors to assign to, or remove from, a patient’s team; (2) integrate Ascension’s different areas of health data in the cloud; and (3) allow Ascension to use G Suite productivity tools to enable Ascension employees to communicate and collaborate with operations teams across Ascension sites of care.16
However, through this partnership, Ascension, without notifying patients or doctors, began sharing with Google the personally identifiable information of more than 50 million patients, such as names, dates of birth, lab tests, doctor diagnoses, hospitalization history, prescriptions and some billing claims and other clinical records.17
Google’s public announcement of the partnership emphasized privacy and security, stating that Google adheres to industrywide regulations, including HIPAA, and that it has a business associate agreement with Ascension, which restricts the use of Ascension’s data to solely those uses needed to provide services under the agreement and prohibits the combination of that information with Google consumer data.18
On November 12, 2019, Department of Health and Human Services (HHS) Office of Civil Rights (OCR) Director Roger Severino announced that HHS OCR would inquire into the partnership and investigate whether HIPAA was violated.19 In response, Google released an FAQ, stating that it ensures the privacy and security of patient data with technical and administrative safeguards and promising that the data would not be used to sell advertisements.20 It further stated that a “limited number of Google employees have been approved by Ascension to potentially handle PHI in order to provide the services to Ascension.”21 However, at least 150 employees in different divisions of Alphabet Inc. (Google’s parent company), including Google Brain (Google’s artificial intelligence research team), had access to the patient data.22 Moreover, it is unclear whether Google will combine its data with Ascension’s to augment its services to Ascension (e.g., predictive analytics based on both clinical and social data), which would be permissible under HIPAA.
Google’s health data partnerships with the Medical Center and Ascension demonstrate how the health care industry is facing the “Goldilocks Dilemma,” a phrase coined by Deven McGraw, the former Deputy Director of Health Information Privacy at HHS OCR and currently the general counsel and chief regulatory officer for consumer health technology startup Citizen. The Health Data Goldilocks Dilemma describes how to achieve the balance for “broader data interoperability and data sharing,” with “enhanced data privacy and protection.”23 While sharing health information is essential for clinical care, powering medical discovery, and enabling health system transformation, the public is expressing greater concerns over the privacy of personal health data as large technology companies, like Google, break into the health care industry. The medical and personal data accumulated by technology companies using smart technologies, like Google, will need to be completely separated to protect the privacy of health data. HIPAA will also need to be updated to keep up with the technological advancements in health care — something Timothy Noonan, HHS OCR’s Deputy Director for Health Information Privacy, says HHS OCR will focus on in 2020.24
Endnotes
1 45 C.F.R. § 164.514(b).
2 Lisa Schencker, U. of C. Medicine, Google Hope to Use Patterns in Patient Records to Predict Health, CHI. TRIB., May 17, 2017, https://www.chicagotribune.com/business/ct-google-university-chicago-partnership- 0518-biz-20170517-story.html.
3 Daisuke Wakabayashi, Google and the University of Chicago Are Sued Over Data Sharing, N.Y. TIMES, June 26, 2019, https://www.nytimes.com/2019/06/26/technology/google-university-chicago-data-sharing- lawsuit.html.
4 Complaint at 20, Dinerstein v. Google, No. 1:19-cv-04311 (N. D. Ill. June 26, 2019).
5 Id.
6 Id.
7 Id.
8 Id. at 1.
9 Id. at 21-22.
10 Id. at 28.
11 Id. at 14-16.
12 Id. at 17.
13 Id.
14 Daniel R. Stoller, U of Chicago Seeks Health Suit End on Alleged Attorney Conflict, BLOOMBERG LAW, Nov. 14, 2019, https://news.bloomberglaw.com/privacy-and-data-security/u-of-chicago-seeks-health-suit-end-on- alleged-attorney-conflict.
15 Tariq Shaukat, Our Partnership with Ascension, GOOGLE (Nov. 11, 2019), https://cloud.google.com/blog/topics/inside-google-cloud/our-partnership-with-ascension.
16 Id.
17 Rob Copeland, Google’s ‘Project Nightingale’ Gathers Personal Health Data on Millions of Americans, WALL ST. J., Nov. 11, 2019, https://www.wsj.com/articles/google-s-secret-project-nightingale-gathers-personal- health-data-on-millions-of-americans-11573496790.
18 Shaukat, supra note 15.
19 Rob Copeland & Sarah E. Needleman, Google’s ‘Project Nightingale’ Triggers Federal Inquiry, WALL ST. J., Nov. 12, 2019, https://www.wsj.com/articles/behind-googles-project-nightingale-a-health-data-gold-mine-of- 50-million-patients-11573571867.
20 Shaukat, supra note 15.
21 Id.
22 Copeland, supra note 17.
23 Zoya Khan, Announcing a New Series: “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?, HEALTH CARE BLOG, July 22, 2019, https://thehealthcareblog.com/blog/2019/07/22/announcing-a-new- series-the-health-data-goldilocks-dilemma-sharing-privacy-both/.
24 Ayanna Alexander, Patient Data, Cyber Threats, Surprise Billing Top OCR To-Do List, BLOOMBERG LAW, Oct. 3, 2019, https://news.bloomberglaw.com/privacy-and-data-security/google-university-of-chicago-face- revamped-health-privacy-suit.
