Google's 'Project Nightingale' Spurs Questions About Patient Data Security

Analysis | By Jack O'Brien | November 22, 2019

The technology company's data project with Ascension has also drawn interest from federal lawmakers.

The public revelation that Google is working with Ascension to collect and analyze patient data has sparked questions about how secure the initiative is and what safeguards have been put in place for consumers, according to a healthcare technology observer.

"Project Nightingale," the name of the secret project between the Silicon Valley technology company and the St. Louis-based health system, began in 2018, according to an article in The Wall Street Journal earlier this month.

The initiative aims to leverage Google's data analytics capabilities for the approximately 50 million Ascension patients nationwide, though some have raised concerns about the data security surrounding patient health information (PHI).

Earlier this week, leaders of the House Energy and Commerce (HEC) Committee sent letters to both Google and Ascension saying the initiative "raises serious privacy concerns." HEC members questioned Google's history of protecting consumer data and whether the company could act as a "good steward" of PHI.

"Additionally, despite the sensitivity of the information collected through Project Nightingale, reports indicate that employees across Google, including at its parent company Alphabet, have access to, and the ability to download, the [PHI] of Ascension’s patients. Concerns have also been justifiably raised about Ascension’s decision not to notify its patients that their information would be shared with Google or how their information would be used," the letter read. 

David Holtzman, JD, CIPP served as senior advisor to the Office for Civil Rights for health information technology and the HIPAA Security Rule, and currently serves as executive advisor at CynergisTek, a healthcare cybersecurity and privacy consultancy firm based in Mission Viejo, California.

Holtzman told HealthLeaders that Google has a HIPAA business associate agreement with Ascension, which means the company is permitted to work on a number of data analytics and quality improvement measures for the health system. However, Holtzman said what hasn't been thoroughly explained about the partnership is whether Google will be permitted to de-identify and aggregate data that goes beyond PHI.

Holtzman said questions remain about what data, other than the information supplied by Ascension, will be incorporated into Google's analysis and whether that data will be segregated from other data sources.

"The fear is that once this data is de-identified and combined with other data that has been collected by Google or its customers, it could then be made identifiable again to an individual," Holtzman said. 

Looking at the initiative, Holtzman said a goal for Ascension would be to bring together disparate data from its information systems onto a single platform hosted by Google.

He added that another goal would allow Ascension patients to access their health data on personal devices, as provider organizations seek to ease patient access to medical information.

News about Project Nightingale became public about two months after the Mayo Clinic agreed to a 10-year partnership with Google, including a provision that will have the company serve as its designated cloud provider.

Holtzman said the power of Google's technology is its ability to quickly manipulate data and handle greater complexity.

However, Holtzman added that while most technology companies have strong external security measures in place, the greatest risk for a potential data breach is from an internal actor. 

He suggested one way for Google to protect patient data is to use behavior analytics and monitor access to sensitive health information. 

Dr. David Feinberg, head of Google Health, published a blog post Tuesday detailing the company's partnership with Ascension and assuring the public that Google is securely handling patient data. 

In Feinberg's blog post, he wrote that only a "limited number of screened and qualified Google staff" interact with patient data, and that these employees must undergo both HIPAA and medical ethics training. Ascension approves these staff members for a limited time, he added.

Google also has "audit trails," Feinberg wrote, which keep patient data in a clinical environment and make sure access to PHI is "monitored and auditable."

Holtzman said the questions about patient data security in Project Nightingale extend beyond healthcare and speak to broader concerns about how consumers value privacy.

He added that patients likely felt comfortable sharing health data with Ascension and their local physicians but became alarmed when Google got access to that data through this initiative.

"The controversy is not in the alignment of all the data into one provider, it's the lack of confidence in the vendor that was hired to provide the cloud-managed environment," Holtzman said.

Holtzman added that government intervention might be an option given that consumers are "no longer satisfied with self-regulation" by technology companies on data privacy concerns. 

Jack O'Brien is the Content Team Lead and Finance Editor at HealthLeaders, an HCPro brand.

Photo credit: Chicago, IL - September 7, 2019: View of the new Google building in the West Loop, Fulton Market area of downtown Chicago. - Image / Editorial credit: Page Light Studios /
