On November 11, the Wall Street Journal reported (https://on.wsj.com/2CELyar)[1] that Alphabet Inc’s Google had formed a partnership with Ascension, a Catholic chain of 2,600 hospitals, doctors’ offices, and other facilities, code named Project Nightingale. The project involves Google setting up a cloud-based database for Ascension that collects, organizes, and displays patient data in order to streamline medical services and help Ascension gain a quick overview of a particular patient’s needs.
The WSJ story caused an immediate backlash, with media outlets questioning how Google could gain access to so much private medical data, and ethics and privacy professionals wonder if the partnership could be a violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (http://bit.ly/33Krsax).[2] Patients were not informed of the partnership, and the WSJ article claims that doctors were also not notified.
“My experience with these data mongers is that they only see the beauty of the technical aspects: gathering, analyzing and then dreaming up revenues from the use of the data,” said Marianne Jennings, Professor Emeritus at the W.P. Carey School of Business. “They are amoral technicians who see data as data, not the personal information of an individual.”[3]
“The names and dates of birth in their gathering really are troublesome,” she added. “You do not need that information for figuring out treatments.”
Google responded to the WSJ article with a blog post (http://bit.ly/33KIDsN)[4] outlining the relationship with Ascension and answering several common questions that had popped up since the story ran. One of the first questions regarded the secrecy of the partnership: Google and Ascension have been working together for a year with no official announcement. Google answered by directing people to their 2019 Q2 Earnings call (http://bit.ly/32PHWxa),[5] in which Google CEO Sundar Pichai announced that“[…]Google Cloud’s AI [artificial intelligence] and ML [machine learning] solutions are also helping healthcare organizations like Sanofi accelerate drug discovery and Ascension improve the healthcare experience and outcomes.”
The blogpost also stated that, “[…] Ascension … informed acute care administrative and clinical leaders across their organization on the work, held enterprise-wide webinars, and briefed clinical leaders of their employed physician group in detail. In addition, Ascension directly engaged many front-line nurses and clinicians on the project.”
Ethical and privacy concerns
HIPAA allows for data sharing between business associates with several caveats. The first principle to be aware of is “minimum necessary,” and refers to the type of data that can be shared. If you hurt your foot and go to the podiatrist, you should not have any data related to your heart rate shared with a cardiologist, for example. The U.S. Department of Health and Human Services (HHS) provides guidance on the minimum necessary requirement, to help organizations and practitioners navigate the flexible nature of the requirement. According to HHS, the minimum necessary standard does not apply to the following:
-
Disclosures to or requests by a healthcare provider for treatment purposes.
-
Disclosures to the individual who is the subject of the information.
-
Uses or disclosures made pursuant to an individual’s authorization.
-
Uses or disclosures required for compliance with the HIPAA Administrative Simplification Rules.
-
Disclosures to HHS when disclosure of information is required under the HIPAA Privacy Rule for enforcement purposes.
-
Uses or disclosures that are required by other law.
The question then arises, does Google’s use of the data fall into any one of these categories, or perhaps into a second principle of HIPAA, treatment, payment, or health care operations (TPO), for which no consent is required from the patient. In general, date of birth and names should not be required to build cloud-based software to help with healthcare operations.
In her work on ethical considerations and data, Marianne Jennings discusses the questions organizations should be asking when dealing with healthcare data. The issue, she argues, is that organizations tend to ask, “What data do we have and how can we use it?” as opposed to asking, “Why do we have this data and how are we ensuring the data is safeguarded?”
This flip in the reasoning is essential in the healthcare environment, as more and more organizations move to digital solutions and AI to collect, organize, and analyze data.
The case for innovation
AI can be enormously helpful in a healthcare setting. The more data AI ingests, the more valuable insights it potentially may uncover. Under HIPAA, healthcare providers can process patient data and are also allowed to outsource healthcare operations to a business associate, subject to a business associate agreement (BAA). Google and Ascension have such an agreement. According to Adam Greene, partner at Davis Wright Tremaine LLP:
The BAA must restrict the business associate’s use and disclosure of patient information, generally only allowing the business associate to use and disclose protected health information in a manner that would be permissible if done by the health care provider itself. The only exceptions are that the BAA may permit the business associate to use and disclose the protected health information: (1) for its own ‘proper management and administration,’ which is not defined but generally treated as internal activities necessary for the business associate to operate (like compliance activities); and (2) for ‘data aggregation,’ which under HIPAA means combining data from multiple entities for the benefit of those entities’ health care operations (such as to provide the health care providers with benchmarks of how they compare to their peers). Under HIPAA, data aggregation does not mean that the technology company gets to aggregate data for its own purposes.[6]
He added:
One area of controversy, is whether the healthcare provider may permit the business associate to use the patient information to create potentially valuable de-identified information. Once de-identified, the information is no longer subject to HIPAA, and the business associate may be able to do whatever it wants with the de-identified information. We don’t know whether this arrangement permitted Google to create and control de-identified patient information.
Healthcare providers have hundreds, if not thousands, of business associates. To require providers to disclose every single one, and the details of every arrangement, may not be reasonable and may actually do more harm than good by taking the focus away from providing services to patients, for example. Likewise, requiring Google and Ascension to announce their cooperation, and the details, may not make sense from a business perspective. The outcry is concerned primarily with patient privacy and data management.
The question then is, can the public trust Google to handle personal health information in an ethical and legal manner?