Google and Alphabet on Ascension Partnership Questioned by Rep. Jayapal

Pressure is mounting on Google and its parent company Alphabet to share information about how the protected health information (PHI) of patients of Ascension will be shared and used, and the processes established to ensure PHI is protected against unauthorized access attempts.

The partnership between Google and Ascension was revealed on November 11, 2019 following the release of a story in the Wall Street Journal. A whistleblower at Google had shared information with the WSJ and expressed worry in relation to the millions of healthcare records had been shared with Google without first seeking consent from patients. It was also claimed that Google employees could freely download PHI.

In its announcement, Google mentioned that the collaboration – named Project Nightingale – involved moving Ascension’s infrastructure to the cloud and that it was helping Ascension adapt G Suite tools to improve productivity and efficiency. Patient data was also being supplied to Google to help create AI and machine learning technologies to enhance patient safety and clinical quality. When the migration of data has been completed, Google will have access to the health data of approximately 50 million patients.

Google has revealed it is a business associate of Ascension and has completed a business associate agreement and is fully compliant with HIPAA regulations, but many privacy advocates are worried about the partnership. Many members of Congress have also expressed worry and are seeking answers about the security measures that have been put in place to secure patient data and how patient data will be deployed. The HHS’ Office for Civil Rights has also revealed it is currently investigating Google and Ascension to make sure HIPAA Rules have not been breached.

Previously this month, Rep. Pramila Jayapal (D-Washington), a member of the House Judiciary Subcommittee on Antitrust, Commercial, and Administrative Law, contacted Google and Alphabet expressing concern about the partnership. She has requested answers to several questions about how protected health information has been obtained, the measures created to protect patient data, and how Google will be using the PHI.

Rep. Jayapal wrote in her Dec 6, 2019 letter: “As Google and parent company Alphabet have engaged in an ever-widening acquisition of the highly personal health-related information of millions of people, Americans now face the prospect of having their sensitive health information handled by corporations who may misuse it. I am especially concerned that your company has not provided sufficient assurances that this sensitive data will be kept safe, and that patients’ data is being acquired by your companies without their consent and without any opt-out provision.”

Rep. Jayapal is very concerned about how that information will be used. Google is gathering massive quantities of healthcare data from several sources. Google’s healthcare-focused AI unit, Medical Brain, is actively acquiring health data, Alphabet has partnered with the Mayo Clinic, and Google has asked the UK startup, DeepMind. NHS data has already been given to Google. Google is also looking to purchase Fitbit, which holds health-related data on 25 million users of its wearable devices.

Rep. Jayapal wrote: “The fact that Google makes the vast majority of its revenue through behavioral online advertising—creating an incentive to commoditize all user information—renders the company’s expansion into health services all the more troubling,”.

Rep. Jayapal also remarked that Google does not have a clean track record when it comes to securing health and medical information, referencing one incident in which chest X-ray images from the National Institute of Health were almost published online before Google realized they included personally identifiable information. She also referred to an active lawsuit that claims Google companies have obtained patient information from a major medical center and DeepMind was found to have breached the Data Protection Act in the UK by using patient data to develop new apps.

Rep. Jayapal asked Google and Alphabet to reply by January 5, 2020 to answer her questions, as detailed here:

HIPAA Violation Penalties

Most Common HIPAA Violations Causes