Isn’t Medical Data Subject to Privacy Regulations?
News from the US reports that Google has partnered with Ascension on a project codenamed “Nightingale”. In the process, it has gained legal access to a vast amount of private healthcare data from millions of American citizens. This raises a lot of questions: whatever happened to doctor-patient confidentiality? Can our medical records really be provided to a third party without our consent? The answer is yes, or at least in the US it is. According to the Wall Street Journal, who broke the news, Google can be granted access to health information by claiming to be working as a business associate of Ascension, albeit they do face some legal limitations. Under the US’s Health Insurance Portability and Accountability Act (HIPPAA) patients’ records and other health data can be provided to third parties, but “only to help the covered entity carry out its healthcare functions”. However, under this act, patients and doctors apparently don’t need to be told about any projects in which their health data might be used, nor do they need to give Ascension consent for their health records and hospital data to be given to Google for storage and analysis. To try and alleviate data privacy concerns that this news has created, Google released a statement today explaining that the healthcare data is well protected and that the main focus of the partnership is to provide Ascension with cloud services as well as tools for use by Ascension doctors and nurses to improve care. “Our work with Ascension is exactly that—a business arrangement to help a provider with the latest technology, similar to the work we do with dozens of other healthcare providers. These organizations, like Ascension, use Google to securely manage their patient data, under strict privacy and security standards. They are the stewards of the data, and we provide services on their behalf.”
What will Google Do with the Data?
According to Google, Ascension’s healthcare data will be used to develop new software that uses artificial intelligence and machine learning to provide invaluable information about health issues and to possibly even predict future health issues in individuals. Furthermore, Google says it intends to develop tools to improve Ascension’s ability to communicate and collaborate across its sites, as well as to support improvements in the quality and the safety of care that Ascension can provide its patients.
Concerns Over Data Privacy and Safety
Concerns have been raised as to the safety of healthcare data in Google’s hands, considering that the data Google has access to includes laboratory results, doctor diagnoses, hospitalization records and individuals’ complete medical histories. However, even more worrying is the fact that this data is connected to patient names and dates of birth, which makes the data individually identifiable. It is this last fact that raises the most concerns over data privacy and protection. To develop the tools and applications that Google says they are going to develop for Ascension, they do not need individually identifiable data. Mark Rothstein, a bioethicist and public health law scholar at the University of Louisville, says of Google’s intentions: “The fact that this data is individually identifiable suggests there’s an ultimate use where a person’s identity is going to be important.” He further explains: “If the goal was just to develop a model that would be valuable for making better‑informed decisions, then you can do that with deidentified data. This suggests that’s not exactly what they’re after.” So, what else is Google after? More targeted health-based product advertising perhaps? Whatever Google’s other possible intentions for the data may be, the main issue here is once again data privacy and protection. Should such personal data be provided to tech giants, whose track record with regards to data protection has not been exactly stellar?