A federal regulator will probe a massive data project between Google and Ascension that involved sharing health data from millions of patients.
HHS' Office for Civil Rights, the federal agency that enforces HIPAA, would "like to learn more information about this mass collection of individuals' medical records with respect to the implications for patient privacy under HIPAA," agency director Roger Severino said in a statement.
The federal probe concerns a project that Google launched last year, internally referred to as "Project Nightingale," which involves analyzing health data from patients who received care at St. Louis-based Ascension, one of the nation's largest health systems. Data reportedly includes patients' lab results, medications and diagnoses.
Project Nightingale's intended goal is to use Google's artificial intelligence tools to recommend changes to a patient's care, such as different treatment plans, diagnostic tests or additional physicians, as well as to flag unexpected deviations in the patient's care.
The project is still in a pilot phase, according to Google. It's just one part of Google's partnership with Ascension, which also involves a commercial contract to move Ascension's on-premises data centers to Google's cloud-computing system.
Google has struck similar partnerships with the health systems of Stanford University, the University of Chicago and the University of California at San Francisco. But Google appears to be sharing more information through Project Nightingale, according to the Wall Street Journal, which first reported on Project Nightingale Monday after reviewing internal documents.
Ascension patients were not notified about the partnership with Google, according to the Wall Street Journal. But Google and Ascension have maintained that the project complies with HIPAA, as Google signed a business associate agreement with the health system. That ensures patient data can only be used for services outlined in the agreement.
Under HIPAA, a health system can share data with a business partner if that information is used "only to help the covered entity carry out its healthcare functions—not for the business associate's independent use or purposes," according to HHS.
"We are happy to cooperate with any questions about the project," Tariq Shaukat, Google Cloud's president of industry products and solutions, wrote in a blog post. "We believe Google's work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and comes with strict guidance on data privacy, security and usage."
Any patient data shared with Google is "for the purpose of helping our providers support patient care," Eduardo Conrado, Ascension's executive vice president of strategy and innovations, wrote in a blog post. That data is separate from Google's consumer data, and, under their agreement, Google isn't permitted to use it for marketing purposes.
"This is standard practice in healthcare, as patient data is frequently managed in electronic systems that nurses and doctors widely use to deliver patient care," Conrado wrote.
This isn't the first time Google's work with healthcare providers has been questioned.
This summer, a former UChicago Medicine patient sued the health system over its sharing of thousands of medical records with Google for a research project on predicting patient outcomes, claiming that the health system had not properly de-identified patient information. Google and UChicago Medicine have maintained that they followed regulations, including HIPAA.