How far do privacy laws really go to protect patient identity? Existing protections may no longer be sufficient to address the public’s concern over the use of health data as more non-traditional players move into the healthcare sphere. In November 2019, the Wall Street Journal reported Google and Ascension Health had entered into a business partnership involving millions of patient records called Project Nightingale. They did so without notifying patients or providers of the project. The HIPAA-compliant nature of the project raises important questions on how to move forward with protection policies.
Project Nightingale began in 2018 with a business associate agreement signed between Google and Ascension health. The agreement grants Google access to approximately 50 million patient records for the purposes of building a cloud-based, searchable longitudinal clinical record. Using a combination of artificial intelligence and machine learning, the intent of the project is to make health records more useful, accessible and searchable for providers. A Catholic nonprofit, Ascension is the nation’s second-largest health system located in 21 states. The new search tool will be internal to the hospital network. Some reports suggest the project would analyze data to suggest changes for patient care. Neither physicians nor patients were notified of the project prior to the story breaking in the Wall Street Journal.
Federal Inquiry Opened
Days after the report was published, the Department of Health and Human Services’ Office for Civil Rights opened a federal inquiry. The purpose of the inquiry is to learn more about if the mass collection of medical records is in fact HIPAA compliant. Google claims each employee involved in Project Nightingale had been fully trained in HIPAA requirements, and that the terms of the business associate agreement clearly state that collected data cannot be used for any other purpose besides providing the agreed-upon services to Ascension.
However, anonymous Ascension employees informed the Wall Street Journal they had raised internal concerns regarding the collection methods and data sharing practices of the project. Following the story’s publication, Ascension narrowed network access to Project Nightingale both internally and at Google. Public concern over the project centers on the fact that consent was neither sought nor needed for the project to be HIPAA-compliant.
HIPAA No Longer Sufficient
Under HIPAA, all “covered entities” are allowed to share data with business partners for the purposes of carrying out healthcare functions. Business associates are forbidden from using data for the associate’s personal purposes. The covered entity must draw out a business associate agreement, outlining the function of the relationship and exactly how protected health information will be used. Google continues to claim HIPAA compliance due to the terms of their business associate agreement.
Critically, once data is deidentified, covered entities can use or disclose the data without any restrictions. HIPAA uses 18 individual identifiers (information which can be used to identify, contact, or locate a person) to determine what is considered protected health information (PHI). Removing all 18 identifiers results in deidentified health information, when HIPAA protections no longer apply.
Proposed revisions to HIPAA have so far been unsuccessful. One reason could be that most patients assume HIPAA grants common-sense protections for modern day cases that did not apply when HIPAA was originally drafted. HIPAA became law two years prior to Google’s founding, at a time when apps, wearables, and other health monitoring technologies did not exist.
New Law Could Fill the Gap
Recognizing the risks posed by more private companies moving into healthcare data for commercial purposes, Sens. Amy Klobuchar and Lisa Murkowski introduced the Protecting Personal Health Data Act in June 2019. The act intends to create stronger protections for genetic, biometric, and personal health data. It would form a national task force to evaluate cybersecurity risks and privacy concerns associated with consumer products that use health data, and create regulations to address them. It would also allow consumers to access, edit, and delete personal health data that companies collect, while eventually developing national standards for obtaining consent for data sharing. The act does not identify an appropriate enforcement mechanism for the new protections at this time. The act could gain momentum from the public’s newfound awareness that data protection standards are lacking, especially in terms of patient consent and control.