Ascension Enters Contract with Google to Share PHI
If you are a patient of Ascension in the St. Louis, Mo., area, Google has your protected health information (PHI). Patients and doctors of the second-largest Catholic health system in the United States have not been notified that their data is being shared with Google.
Why Does Google Have My PHI?
Google is designing new software with the data that will point towards improvements in patient care, tailored specifically to each individual patient. Ascension, a Catholic hospital network, wants to use the data to improve patient care, mining the data to suggest additional tests for patients.
What Is Project Nightingale?
Google has named this venture “Project Nightingale,” which is said to be one of the largest initiatives in Silicon Valley to enter the growing healthcare market.
Google is collecting patients’ complete PHI, including:
- Lab results
- Physician diagnoses
- Hospitalization records
- Patient names
- Dates of birth
Google has stated that Project Nightingale is above board and complies with all HIPAA privacy regulations. The company has also stated that it is only using the data to assist in building an artificial intelligence-powered system for Ascension, and not to train its own systems. Furthermore, Google has stated that it is not combining patient data to use across its other healthcare partners.
In an FAQ, Google wrote: “We are building tools that a single customer (e.g., a hospital or primary care group) can use with their own patients’ data. The data is siloed, access controlled, and auditable. We do not combine data across partners, and we would not be allowed to under our agreements or the law.”
What Is a Business Associate Agreement?
Google has entered into a business associate agreement (BAA) with Ascension for the purposes of collecting and crunching the PHI on a massive scale. Used correctly, a BAA allows Ascension to share its patients’ PHI with Google without violating HIPAA Privacy and Security laws.
A HIPAA BAA allows the sharing of PHI with a business partner if the information is used “only to help the covered entity carry out its healthcare functions—not for the business associate’s independent use or purposes,” according to the U.S. Department of Health and Human Services (HHS).
Google has similar partnerships to share patient data with the University of Chicago and the University of California, San Francisco. A patient sued the University of Chicago this past summer for sharing their data. Both universities have held the belief that their sharing of PHI with Google is covered under their BAAs with the information technology giant.
Ascension employees have also filed complaints claiming this to be an inappropriate use of patient PHI. The transaction with Ascension grants approximately 150 Google employees access to Ascension patients’ PHI. The Office for Civil Rights (OCR), the agency that enforces HIPAA, is investigating the sharing of the information between Google and Ascension.