This week, Google was strung up in the public square for a deal with a very large U.S. healthcare provider that netted it access to some 50 million patient healthcare records—without patients’ or doctors’ knowledge. As Google pushes more deeply into healthcare, Americans are left wondering whether they’re unwittingly handing over personal information to a company that has a history of mishandling it.
On Monday, the Wall Street Journal broke a story about how healthcare provider Ascension was providing Google with access to millions of patient health records as part of a project called Nightingale. Google had mentioned a partnership with Ascension during its second quarter earnings call, though the details of it were not previously known. The WSJ report revealed that Google is creating productivity tools for doctors that sift through complete medical records for pertinent data and make recommendations. The scope of the project and the public outrage has drawn the eyes of the Civil Rights Office of the Department of Health and Human Services, which is looking into whether Google is appropriately accessing patient data and adequately safeguarding it.
In an op-ed in the Guardian, an anonymous whistleblower who worked on Nightingale said they think there is great promise in using Google’s enormous computing power on medical data. “But the disadvantages prey on my mind,” they wrote. “Employees at big tech companies having access to personal information; data potentially being handed on to third parties; adverts one day being targeted at patients according to their medical histories.”
In response, Google has only issued a somewhat bewildering blog post, in which it explains the project and promises to work with regulators. The company also notes that it has a whole list of healthcare partners, including Cleveland Clinic, Kaiser Permanente, and the Mayo Clinic, among others, many of which are listed publicly. Much of what they use is Google cloud hosting and the productivity software G-suite. Some are also using Apigee, an app development and management platform that lets companies open up their data to outside developers. Kaiser Permanente first started using Apigee in 2013 to let developers create apps around its services, locations, and hours of operation (Google acquired Apigee in 2016).
As healthcare migrates online, there are questions about how patient data will be kept safe.
While Google hasn’t clarified the extent of its other partnerships, what Ascension and Google are working on is more representative of what Google wants to do in the future. The two companies are shifting Ascension’s healthcare infrastructure and data to the cloud and developing new tools they hope will make medical care better. Despite outcry over the lack of consent Google and Ascension obtained, the fact that patients were not notified of this arrangement is not necessarily unusual. HIPAA requires that electronic patient data must be kept confidential, but allows providers to disclose it for operational purposes like “improvement activities” as long as they have a business associate agreement outlining protections. HIPAA also requires healthcare providers to only share the minimum data necessary. But HIPAA, written in 1996, is not tailored for the digital age. As healthcare migrates online, there are questions about how patient data will be kept safe.
While Google’s creep into the healthcare system has been quiet, certainly its intentions have not. Alphabet, Google’s parent company, has been developing healthcare technology inside of Verily and DeepMind for years. In October, at a health tech conference in Las Vegas called HLTH, Google’s head of health David Feinberg spoke onstage at length about everything the company has planned and is already doing: making medicine more predictive and patient data more portable.
“Imagine a search bar on top of your [electronic health record] that needs no training. You can write ‘pneumonia’ and ‘chest X-ray’, you could even spell ‘penicillin’ wrong, you can ask for blood counts, and we know what you’re thinking about the same way we do when you Google-search in the rest of your life,” he said. Of course, all that takes precious patient data.
Google isn’t the only big tech firm with these ambitions. Facebook wants to give you health advice. Amazon has teamed up with JP Morgan and Berkshire Hathaway to attempt to improve healthcare for their employees (and one day maybe the rest of the country). But each of these companies has rich histories of mishandling user data.
Google has gotten in trouble with European lawmakers for failing to disclose how it collects data and U.S. regulators for sucking up information on children and then advertising to them. The company has exposed the data of some 52 million users thanks to a bug in its Google+ API, a platform that has been shutdown. Even in the field of health, it has already made missteps. In 2017, the U.K.’s Information Commissioner’s Office found the way patient data was shared between the Royal Free Hospital of London and DeepMind for a health project to be unlawful. The app involved, Streams, which detects acute kidney injury, has since controversially been moved under the Google Health umbrella. More recently, a lawsuit accused Google, the University of Chicago Medical Center, and the University of Chicago of gross misconduct in handling patient records.
In addition to these incidents, Google has failed to keep promises. For instance, when the National Health Service in the U.K. first signed up to contribute health data for the development of DeepMind’s Streams app, it was under the agreement that the company would never share that information with its ad-slinging parent. At the time, DeepMind also had an independent panel of medical and data experts overseeing its use of medical data to ensure proper use. DeepMind’s entire health team has now been transferred to Google Health and that panel has been shutdown. As a result, some partners, who were previously working on Streams, have dropped off.
In addition to these incidents, Google has failed to keep promises.
Throughout all of this, Google has maintained that it will not funnel patient data into its giant ad-targeting repository. Legally speaking, it’s not allowed to. Now, thanks to the Ascension whistleblower, it will have to endure some regulatory oversight. There’s also some hope that the slow-turning wheels of Congress may be gearing up to provide broader guidance on how to incorporate big tech companies into healthcare systems. At the end of last year, the Office of Civil Rights sought comment from the public on how to update HIPAA to allow healthcare providers to share information while also maintaining patient privacy.
In the meantime, Google will have to convince the skeptical masses that it’s capable of responsibly managing the patient data it receives. Feinberg, its health chief and former CEO of Geisinger, a healthcare system that serves 1.5 million patients, is under the impression that it is.
“The final question I had to ask myself when I made this decision to go into this tech company was . . . will you allow those people to be treated like they are my own patients?” he asked onstage at HLTH. “Can you assure me that they’ll be treated with the highest level of trust and safety and quality, culturally dignified, that it will be sensitive?”
The company said yes, apparently. “Nine months into it, I’m actually certain that that is true. I feel very confident in my ability to say what we’re providing I would want for my own patients and my own family.”
Of course, Google can always do what it wants, wait for regulators to step in, and eat the legal costs. It doesn’t even necessarily have to keep Feinberg at the helm. How it proceeds will ultimately depend on how valuable patient—and public—trust is to Google.