The Wall Street Journal reports Google’s ‘Project Nightingale’ Gathers Personal Health Data on Millions of Americans.
Google is engaged with one of the U.S.’s largest health-care systems on a project to collect and crunch the detailed personal-health information of millions of people across 21 states.
The initiative, code-named “Project Nightingale,” appears to be the biggest effort yet by a Silicon Valley giant to gain a toehold in the health-care industry through the handling of patients’ medical data. Amazon.com Inc., Apple Inc. and Microsoft Corp. are also aggressively pushing into health care, though they haven’t yet struck deals of this scope.
Google began Project Nightingale in secret last year with St. Louis-based Ascension, a Catholic chain of 2,600 hospitals, doctors’ offices and other facilities, with the data sharing accelerating since summer, according to internal documents.
The data involved in the initiative encompasses lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, including patient names and dates of birth.
Neither patients nor doctors have been notified. At least 150 Google employees already have access to much of the data on tens of millions of patients, according to a person familiar with the matter and the documents.
Federal Inquiry Underway
A Federal Inquiry into Google’s ‘Project Nightingale’ is now underway.
Google’s project with the country’s second-largest health system to collect detailed health information on 50 million American patients sparked a federal inquiry and criticism from patients and lawmakers.
The Office for Civil Rights in the Department of Health and Human Services “will seek to learn more information about this mass collection of individuals’ medical records to ensure that HIPAA protections were fully implemented,” the office’s director, Roger Severino, said.
Ascension, without notifying patients or doctors, has begun sharing with Google personally identifiable information on millions of patients, such as names and dates of birth; lab tests; doctor diagnoses; medication and hospitalization history; and some billing claims and other clinical records.
Ascension has more than 2,600 facilities like hospitals and nursing homes in 21 states and Washington, D.C.
Conceptual images of the software under construction show an interface much like Google’s flagship search engine. Begin to type in a first name, and Google will produce a drop-down menu featuring other patients with similar names. A single click reveals metabolic data, medications, phone numbers and even the patient’s temperature.
The concept gave some Ascension patients pause.
Google and Ascension have signed what is known as a business associate arrangement, which specifies when a health-care vendor can access patient data. Ascension retains ownership of the data, people familiar with the matter said. Neither Google nor Ascension would give details on who at Google can access data.
Please consider What Information is Protected Under HIPAA Law?
HIPAA laws protect all individually identifiable health information that is held by or transmitted by a HIPAA covered entity or business associate. According to the Department of Health and Human Services’ Office for Civil Rights there are 18 identifiers that make health information personally identifiable. When these data elements are included in a data set, the information is considered protected health information and subject to the requirements of the HIPAA Privacy, Security and Breach Notification Rules.
Information may be disclosed to third parties for those purposes, provided an appropriate relationship exists between the disclosing covered entity and the recipient covered entity or business associate. A covered entity can only share PHI with another covered entity if the recipient has previously or currently has a treatment relationship with the patient and the PHI relates to that relationship. In the case of a disclosure to a business associate, a business associate agreement must have been obtained. In all cases, the minimum necessary standard applies. Disclosures must be restricted to the minimum necessary information that will allow the recipient to accomplish the intended purpose of use.
The following information is protected under HIPAA law:
- Addresses (including subdivisions smaller than state such as street, city, county, and zip code)
- Dates (except years) directly related to an individual, such as birthdays, admission/discharge dates, death dates, and exact ages of individuals older than 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate and license numbers
- Vehicle identifiers
- Device identifiers and serial numbers
- Website URLs
- IP addresses
- Biometric identifiers, including fingerprints, voice prints, iris and retina scans
- Full-face photos and other photos that could allow a patient to be identified
- Any other unique identifying numbers, characteristics, or codes
Who Has Access to What?
There may be more than a bit of a problem here, depending on how the data is stored and shared and what access Google has to it.
"At least 150 Google employees already have access to much of the data on tens of millions of patients, according to a person familiar with the matter and the documents."
Note that "prior to any use or disclosure of health information that is not expressly permitted by the HIPAA Privacy Rule, one of two steps must be taken."
- A HIPAA authorization must be obtained from a patient, in writing, permitting the covered entity or business associate to use the data for a specific purpose not otherwise permitted under HIPAA.
- The health information must be stripped of all information that allow a patient to be identified.
Sign Here Please
"Neither Google nor Ascension would give details on who at Google can access data."
Does anyone even know?
Did Ascension get signatures from all its patients?
If so, did they have any idea what they were signing?