Wednesday, November 13, 2019

HHS to probe whether Google’s ‘Project Nightingale’ followed federal privacy law

A federal regulator is investigating whether the federal privacy law known as HIPAA was followed when Google (GOOGL) collected millions of patient records through a partnership with nonprofit hospital chain Ascension.
The probe, first reported by the Wall Street Journal Tuesday night, was opened by the Department of Health and Human Services’ Office for Civil Rights. “OCR would like to learn more information about this mass collection of individuals’ medical records with respect to the implications for patient privacy under HIPAA,” Roger Severino, the office’s director, said in a statement to STAT.
The initiative, code-named “Project Nightingale,” gave Google the ability to analyze personal health information, including names and birth dates, compiled by Ascension, with the goal of helping deliver more personalized medical treatment. The Journal reported that patients and physicians were not informed of the project, though Ascension said that some clinicians and nurses were involved.
Asked for comment on the federal inquiry, a spokesperson for Google pointed to a company statement defending the project. “We are happy to cooperate with any questions about the project,” the Google statement reads. “We believe Google’s work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and comes with strict guidance on data privacy, security, and usage.”
Ascension, a Catholic hospital system that operates in 21 states, has also defended the initiative as secure and compliant with HIPAA, the law protecting patient health information. HIPAA gives hospital systems and providers latitude to share patient information with third parties to support clinical activities.
The hospital group said that the project is covered by what’s known as a business associate agreement, or BAA, that governs sensitive health data. Under HIPAA, Ascension is considered a covered entity, and Google is considered a business associate.
Whether the law was followed may hinge on HHS’ interpretation of whether the Google-Ascension partnership adhered to the requirement that “covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions — not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.”
Jennifer Miller, a Yale medical school professor who studies patient privacy issues, said the way health information is being shared, whether legal or not, is far from ideal. Patients — whose data are shared without their knowledge or specific consent — end up with all the risks, she said, while the benefits, financial or otherwise, go to Google, Ascension, and potentially future patients.
“We need a better way of respecting patients and giving them some form of agency,” Miller said in an interview prior to news of the federal inquiry. “We either need to get informed consent or … we need to at least have a data ethics board in place with patient representatives that are considering whether these deals are ethical and good for patients.”
In recent months, members of Congress from both parties have proposed patient privacy bills that would allow patients to opt out of data sharing or require companies not covered by HIPAA (such as Google, Amazon (AMZN), Apple (AAPL) and Microsoft) to get explicit consent to access and share information.
But Miller said key stakeholders don’t need to wait for Congress.
“For me, this is less of a policy issue,” she said. “Google is a very large company with the resources to get this right. I would like to see Google step up and be a leader — not just in technology, but making sure privacy protections and patient-centeredness also advance.”