When Google Meets HIPAA: Some Privacy and Regulatory Issues as Silicon Valley Enters the Health Care Space

Carlton Fields

On November 12, 2019, the U.S. Department of Health and Human Services' Office for Civil Rights announced that it would be examining Google’s collaboration with Ascension, a nonprofit health care system that operates approximately 2,600 facilities, including hospitals and nursing homes, in 21 states and the District of Columbia. Dubbed “Project Nightingale,” Google’s efforts for Ascension reportedly include the collection and organization of tens of millions of patient medical records with the aim of using artificial intelligence and machine learning to improve patient care. The Office for Civil Rights will presumably be focused on whether Google and Ascension’s arrangement complies with the federal Health Insurance Portability and Accountability Act (HIPAA) and related regulations.

Google and Ascension have both stated that they are in compliance with HIPAA, and Google has told the press that it is acting pursuant to a “business associate agreement.” Under that agreement, Google has reportedly argued, it can use patient data to build treatment tools for Ascension’s use, and patients need not be notified. This view is not unreasonable, as HIPAA allows health care providers to share protected health information (PHI) with third-party service providers to execute daily functions and activities related to treatment, payment, and health care operations. Examples of these third-party service providers, known as “business associates” under HIPAA, include claims processors, accounting firms, and utilization consultants. And with respect to contemporary, technological service providers, a prime example of a 21st century business associate is a cloud service provider (such as Google), which can offer a health care provider an array of digital tools to potentially enhance patient outcomes and safety.

Under HIPAA, a health care provider’s “notice of privacy practices” must be made available to patients to inform them about how the health care provider will use and disclose PHI. But if patients have received a notice (or at least had a notice made available to them) that includes provisions on how PHI will be shared with business associates, patients will generally not receive additional notifications when their PHI is shared with third parties such as claims processors, accountants, and other business associates. The analysis should not change when a cloud service provider is hosting and analyzing patient data to carry out a provider’s daily functions related to treatment, payment, and health care operations.

In this particular case, Google may not have to be especially concerned about other privacy laws. Because Ascension is a nonprofit, California’s new sweeping privacy law, the California Consumer Protection Act (CCPA), likely does not apply. And even if it did — as it may in future ventures that Google may pursue with for-profit health care providers — then the CCPA’s exemption for HIPAA would likely provide some shelter for both Ascension and Google. Section 1798.145(c)(1) of the California Civil Code exempts PHI collected by a "covered entity" or "business associate" as those terms are defined in HIPAA. HIPAA, in turn, defines PHI as information relating to the physical or mental health or condition of an individual, or the provision of or payment for health care to an individual, for which there is a reasonable basis to believe it can be used to identify the individual. The fact that HIPAA applies is therefore likely to reduce the impact of California state law on these sorts of arrangements.

It is also important to note that while the privacy concerns driving the regulatory scrutiny and press coverage are appropriate, so far much of the discussion glosses over the potential benefits of Project Nightingale. Indeed, Google’s efforts could be seen as attempts to “[i]mprove the health and well-being of individuals and communities through the use of technology and health information that is accessible when and where it matters most.” That mission statement, which sounds very similar to the goals articulated by Google and Ascension, is actually from the Office of the National Coordinator for Health Information Technology, the U.S. entity “charged with coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information.”

Project Nightingale demonstrates how health information technology might be able to leverage artificial intelligence, machine learning, and other emerging technologies to deliver more efficient and effective patient care. Furthermore, many health care providers have been shifting their IT infrastructures to off-site cloud providers (such as Google, Amazon, and Microsoft), thereby removing the need for on-site data centers and, ideally, optimizing the way data is stored, protected, and analyzed. With respect to data analysis, one of Project Nightingale’s goals is to allow Google’s G Suite productivity tools to “enhance Ascension employees’ ability to communicate and collaborate securely in real time, supporting interdisciplinary care and operations teams across Ascension sites of care.”

While the current focus in the media is understandably on privacy concerns, it is possible that, as time progresses, the public dialogue will start to focus on how innovative collaborations, such as Project Nightingale, might be able to improve collaboration among health care practitioners, enhance patient outcomes and safety, and reduce the costs of care associated with information inefficiencies in today’s health care system. Privacy concerns are real and valid in this area, and new regulatory concerns may emerge, but we should also remain open to the possibility that Silicon Valley can help improve health care.

Written by:

Carlton Fields