In our latest step toward becoming a full dystopian nightmare, the Wall Street Journal reports that Google has been collecting the health data of millions of Americans without their knowledge or consent.
It’s all part of Google’s secret “Project Nightingale” that the company has been working on with Ascension, which the WSJ notes is the “second-largest health system” in the country.
Among the personal health data that the two behemoths are sharing are “lab results, doctor diagnoses and hospitalization records,” which “amounts to a complete health history, complete with patient names and dates of birth.”
In other words, not only is Ascension handing over all of this data to Google, but it’s not even anonymized.
It’s all incredibly terrifying and, worse, it appears to be legal thanks to the Health Insurance Portability and Accountability Act of 1996. Much of this has to do with relationships between “covered entities,” as outlined by the law (health care providers and health care plans) and “business associates,” third-party companies who help those covered entities carry out their activities.
According to the Department of Health and Human Services’ website, health care providers and plans can “disclose protected health information to these ‘business associates’ if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.”
In this case, the WSJ reports, Ascension is the “covered entity” as a health care provider and Google is the “business associate.” Specifically, Google plans to use this data “to design new software, underpinned by advanced artificial intelligence and machine learning, that zeros in on individual patients to suggest changes to their care.”
A source informed the WSJ that, right now, at least 150 Google employees have access to this data even though patients and doctors haven’t been informed.
Google’s parent company, Alphabet, has made big pushes into the health care industry —as have other big tech companies such as Apple and Amazon — including creating a medical health tracker and starting a study called Project Baseline. But this collection of health data seems to be on a different scale altogether.
In response to a request for comment, both Ascension and Google referenced the same press release from Ascension.
Notably, the press release says nothing about concerns regarding data privacy and questions of the legality of sharing such personal data without patient knowledge. It crams its response to all concerns about these issues in to a single line: “All work related to Ascension’s engagement with Google is HIPAA compliant and underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling.”
What was in the press release? A lot of corporate speak about “streamlining consumers’ engagement” and “efficiency.” The statement also says the collaboration includes moving infrastructure to Google Cloud, utilizing G-Suite, and utilizing AI to “to support improvements in clinical quality and effectiveness, patient safety, and advocacy on behalf of vulnerable populations, as well as increase consumer and provider satisfaction.”
UPDATE: Nov. 11, 2019, 3:43 p.m. EST Updated to include statement from Ascension and Google