Google’s Response was Deemed Incomplete by Ascension

After it became public that a massive amount of patient data had been shared with Google by the Catholic health system Ascension, the second biggest health system in the United States, a bipartisan group of Senators – Sen. Bill Cassidy, M.D., (R-LA), Elizabeth Warren (D-MA), and Richard Blumenthal (D-CT) – wrote to Google asking for answers about the nature of the agreements and the data the company received.

Ascension manages 150 hospitals and more than 2,600 care facilities in 20 states and the District of Columbia and has over 10 million patients. In November 2019, a whistleblower at Google passed details to the Wall Street Journal on the nature of the collaboration and claimed that patient data, such as patient names, dates of birth, lab test results, diagnoses, health histories and other protected health information, had been sent to Google and was accessible by more than 150 Google staff members.

Reacting to the story, Google revealed that the partnership, named Project Nightingale, was a cloud migration and data sharing initiative. Ascension is moving its data warehouse and analytics infrastructure to the Google Cloud and will be using Google’s G Suite productivity suite. Patient data was being used by Google’s AI and machine learning technologies with the aim of improving clinical quality and patient safety.

Google and Ascension both said that a business associate agreement (BAA) was in place, that data was being shared in a manner compliant with Health Insurance Portability and Accountability Act (HIPAA) Rules, and that health data was not being used for aims other than those stated in the BAA. Several investigations were initiated to determine the nature of the agreement between the two companies, with the HHS’ Office for Civil Rights opening an investigation into both companies to establish whether HIPAA Rules were being adhered to.

Google answered the letter and provided the Senators with some answers. Google stated that data was shared in accordance with HIPAA Rules, that only a limited number of employees have access to that data, that access controls are in place to prevent unauthorized access, and that any individual required to access health data is assigned permissions based on their role and job function.

Google also said that Ascension’s data is kept logically separate from that of other customers and confirmed that the data was only being used for an EHR search pilot program that would provide physicians and nurses with a unified view of patient data from multiple EHR databases. The EHR search tool will permit medical staff to search data in EHRs faster and query medical records effectively using words and abbreviations commonly used in healthcare. Google confirmed that medical records were not being used for secondary reasons, such as identifying services for specific individuals or sending them targeted advertisements.

The senators believe the answers supplied by Google are incomplete. On Monday, they wrote to Ascension demanding answers about Project Nightingale and the patient data shared with Google. “Google’s response did not answer a number of our questions pertaining to Ascension’s involvement, we are requesting additional details from Ascension to help us better understand how Project Nightingale protects the sensitive health information of American patients,” outlined the senators.

The senators would like to know how many records have been shared with Google, the exact nature of the information that was shared, if there have been any violations of the shared data, and whether patients were made aware that their PHI would be shared with Google and if they were given the chance to opt out.

In their letter, the senators said: “It’s critical lawmakers receive comprehensive information about Project Nightingale, which serves as a case study of Google’s more extensive foray into electronic health records. While improving the sharing, accessibility, and searchability of health data for providers could almost certainly lead to improvements in care, the role of Google in developing such a tool warrants scrutiny.”

Author: Security News