Google has been venturing into new areas of business and recently made huge news when it got access to the health records of millions of Americans through a partnership with the Ascension hospital network.
Both companies insist their goal is “to provide better care to patients,” but the program, code-named Nightingale, is already creating major privacy concerns. Just 48 hours after it was announced, federal regulators from the Department of Health and Human Services announced an investigation into whether the partnership violates HIPAA, the Health Insurance Portability and Accountability Act.
“Google has this history of walking into a new sector and saying, ‘Let’s suck up as much data as we can, and we’ll just use our engineering prowess to figure out what products and tools that we can build off the back of this data.’ And it seems like they’re going into health care with a similar intention.”
So, what does this mean for the Americans whose health records were accessed by Google?
The first thing to know is that when it comes to medical records, it’s not always clear who owns the data, says Nicholas Tatonetti, assistant professor of biomedical informatics at Columbia University.
“It is often generally owned by the doctors, hospitals, and organizations that collect it. But it seems to be a patchwork of regulations and frameworks, which is why it’s valuable for these large efforts to bring data together.”
For many Americans, that can be worrisome. But it’s important to know that the Google deal is actually routine. It’s part of how a lot of medical research is conducted today.
Using an example from his own research — in which his team used similar types of databases to discover that two common drugs, an antibiotic and a heartburn medication, can lead to potentially dangerous heart arrhythmias when taken together — Tatonetti says that everything Google’s done so far “was perfectly above board.” But there is still room for improvement.
“There is a feeling in the air about who has access to our data, how private [is it], and when is it being shared? When we are left out of that process, it feels a little like we’re being taken advantage of, even if it’s legal. And even if they are appropriately protecting our data, I’m disappointed in these types of announcements [because] there isn’t an engagement of the patient population in order to bring them into this process, especially when it comes to a giant tech company that has the type of position and an ability to interact and reach billions of people.”
Below, we’ve also shared a lightly edited transcript of Farr’s conversation with Duhaime-Ross.
This blew up because of various reports that some of this information was not anonymous — that, in fact, it contained things about patients that you wouldn’t necessarily want to share with a company like Google.
What kind of data was shared?
So the data that was shared was a bit of a mix. There were some cases where it was fully anonymized information, and that was simply to inform some of the analytics work that they were doing. In other cases, the companies came clean that they were sharing some personal health information which could have been potentially identifying. It could be all sorts of different things, including even just dates of service (when a patient went into the hospital).
We haven’t seen yet any clear evidence that patient names were shared in this process. But there’s a reason to worry about Google having access to any identifying information, because if they combine that with any other data they have about us, anything could be identifiable.
We aren’t just talking about Google knowing people’s blood pressure, right? We’re talking about Google knowing people’s HIV status or whether they have a mental health issue that requires medication.
Absolutely. The big fear here is that Google will start to learn more about our health conditions and [probably] already has quite a lot of that information.
We’re sharing our health status with Google inadvertently all the time. And the idea that they could then touch our clinical records from when we go see our physicians at the hospital is just terrifying.
Adding to this is that Google has seen other issues with some of the health things that it’s done.
Only a few months ago, there was a lawsuit from a patient at the University of Chicago. And what came out is that Google was supposed to be making sure that information that was shared from the university to their servers was fully anonymous. But it turns out that some dates of service ... were actually shared with the company. So that led to a lawsuit.
Before that, there was a whole issue in the UK with DeepMind, one of their subsidiaries, having access to patient data.
This is all adding up to this picture that Google is not properly just managing this. I would like to see Google get out there and deny that and say, “We would never target people based on their medical information,” and just create some policies around this, and maybe even some public forums where people can ask questions of Google and get straight answers about how their health information is going to be used by the company.
What about Google’s partner here? Why would they want to partner with a company like Google?
Ascension is a Catholic health system. They have lots of different hospitals and their own C suite that is looking for partnerships with tech companies, as are many other health systems. In the US, it’s quite common now to work with either one of the big three, whether it’s Microsoft, Amazon, or Google.
So, Ascension in theory would have wanted to have their brand associated with an innovative tech company like Google [be] very positive for them. I think they did see an opportunity to work with a big tech company on that and be viewed broadly as an innovative mover within the health care space.
What was Google trying to do with the data?
My sources have said that there were a few projects that were outlined with Ascension specifically. One of them was that they were looking to build a tool that could search through a medical record really easily. I also heard that they were looking at early detection of disease. So, for instance, if a patient is likely to have a condition called sepsis, which could lead to a fatal outcome, is there a way that they could look at these large-scale datasets and figure out who’s most at risk and intervene earlier? And then once they had done that for something like sepsis, they could move on to other conditions.
Is it normal for a free company like Google to have access to this data, especially if it’s not anonymous?
These sorts of agreements are very common in the health care industry. Some folks in the wake of this news say that if these agreements didn’t happen, health care would grind to a screeching halt. So we see these deals all the time. Typically it doesn’t involve companies like Google, but it involves health care technology companies that you may be familiar with.
Optum, [for example], works with health systems regularly on large-scale data projects. And in these cases, they have to sign what’s called a BAA (or business associate agreement), which allows for this data to be shared and can actually include some personally identifiable data.
Google is just latching on to a long history of these preexisting types of projects that we see every day but [that] rarely get reported on. When it’s Google, it’s a big deal. But when it’s not Google, people don’t care quite as much.
It sounds like, because the name Google is tied to this, people are reacting really strongly.
That’s absolutely the case. This is standard practice. All sorts of health-privacy folks I’ve spoken to have said these deals are routine now. I think there is still reason to criticize Google.
One piece where I would call them out is consent. There was no evidence here that Google did tell any of the patients or the physicians that they were doing this work. That only came out later, after the news exposing some of the details of the project. They could have chosen to do that. Did they have to? Maybe not. Some BAAs allow for this to be done without consent.
I hope that once the dust settles, we end up having much deeper discussions about what we expect when it comes to our health information, who should own it, who should access it, and in what circumstances should patients have the right to say no.
You alluded to a small number of Google employees who had access to this data.
Google hasn’t disclosed yet exactly who those employees were, who had access to the data. They said that this small number of employees were closely monitored, implying that those employees were watched if they did have any access to the information.
At this point, we just have to trust them that those employees weren’t sharing this data or attempting to use it for any nefarious purpose, like selling the data, trying to use it for targeted advertising, or even just building tools off the back of Ascension datasets that they could try to sell down the line to other hospital systems.
We don’t know that they did that. Google is asking a lot by just saying, “Hey guys, a few people had access to this, but don’t worry, we had it under control.”
It’s always fun when a large tech company like Google asks you to just trust them.
Exactly. As has been rightly pointed out, Google has been quite cavalier.
[The company] has this history of walking into a new sector and then saying, “Let’s suck up as much data as we can, and we’ll just use our engineering prowess to figure out what products and tools that we can build off the back of this data.” And it seems like they’re going into health care with a similar intention.
On the one hand, it could be a good thing, because this work does need to be done in health care and these large-scale analytics projects can be really important.
But on the other hand, you know, Google just hasn’t instilled the public with a lot of confidence that they’re going to approach this with all the protections and the controls and just fundamentally do it in the right way.