The Wall Street Journal reports Google’s ‘Project Nightingale’ Gathers Personal Health Data on Millions of Americans.
Google is engaged with one of the U.S.’s largest health-care systems on a project to collect and crunch the detailed personal-health information of millions of people across 21 states.
The initiative, code-named “Project Nightingale,” appears to be the biggest effort yet by a Silicon Valley giant to gain a toehold in the health-care industry through the handling of patients’ medical data. Amazon.com Inc., Apple Inc. and Microsoft Corp. are also aggressively pushing into health care, though they haven’t yet struck deals of this scope.
Google began Project Nightingale in secret last year with St. Louis-based Ascension, a Catholic chain of 2,600 hospitals, doctors’ offices and other facilities, with the data sharing accelerating since summer, according to internal documents.
The data involved in the initiative encompasses lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, including patient names and dates of birth.
Neither patients nor doctors have been notified. At least 150 Google employees already have access to much of the data on tens of millions of patients, according to a person familiar with the matter and the documents.
Federal Inquiry Underway
A Federal Inquiry into Google’s ‘Project Nightingale’ is now underway.
Google’s project with the country’s second-largest health system to collect detailed health information on 50 million American patients sparked a federal inquiry and criticism from patients and lawmakers.
The Office for Civil Rights in the Department of Health and Human Services “will seek to learn more information about this mass collection of individuals’ medical records to ensure that HIPAA protections were fully implemented,” the office’s director, Roger Severino, said.
Ascension, without notifying patients or doctors, has begun sharing with Google personally identifiable information on millions of patients, such as names and dates of birth; lab tests; doctor diagnoses; medication and hospitalization history; and some billing claims and other clinical records.
Ascension has more than 2,600 facilities like hospitals and nursing homes in 21 states and Washington, D.C.
Conceptual images of the software under construction show an interface much like Google’s flagship search engine. Begin to type in a first name, and Google will produce a drop-down menu featuring other patients with similar names. A single click reveals metabolic data, medications, phone numbers and even the patient’s temperature.
The concept gave some Ascension patients pause.
Google and Ascension have signed what is known as a business associate arrangement, which specifies when a health-care vendor can access patient data. Ascension retains ownership of the data, people familiar with the matter said. Neither Google nor Ascension would give details on who at Google can access data.
HIPAA Violation?
Please consider What Information is Protected Under HIPAA Law?
HIPAA laws protect all individually identifiable health information that is held by or transmitted by a HIPAA covered entity or business associate. According to the Department of Health and Human Services’ Office for Civil Rights there are 18 identifiers that make health information personally identifiable. When these data elements are included in a data set, the information is considered protected health information and subject to the requirements of the HIPAA Privacy, Security and Breach Notification Rules.
Information may be disclosed to third parties for those purposes, provided an appropriate relationship exists between the disclosing covered entity and the recipient covered entity or business associate. A covered entity can only share PHI with another covered entity if the recipient has previously or currently has a treatment relationship with the patient and the PHI relates to that relationship. In the case of a disclosure to a business associate, a business associate agreement must have been obtained. In all cases, the minimum necessary standard applies. Disclosures must be restricted to the minimum necessary information that will allow the recipient to accomplish the intended purpose of use.
The following information is protected under HIPAA law:
- Names
- Addresses (including subdivisions smaller than state such as street, city, county, and zip code)
- Dates (except years) directly related to an individual, such as birthdays, admission/discharge dates, death dates, and exact ages of individuals older than 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate and license numbers
- Vehicle identifiers
- Device identifiers and serial numbers
- Website URLs
- IP addresses
- Biometric identifiers, including fingerprints, voice prints, iris and retina scans
- Full-face photos and other photos that could allow a patient to be identified
- Any other unique identifying numbers, characteristics, or codes
Who Has Access to What?
There may be more than a bit of a problem here, depending on how the data is stored and shared and what access Google has to it.
“At least 150 Google employees already have access to much of the data on tens of millions of patients, according to a person familiar with the matter and the documents.”
Note that “prior to any use or disclosure of health information that is not expressly permitted by the HIPAA Privacy Rule, one of two steps must be taken.“
- A HIPAA authorization must be obtained from a patient, in writing, permitting the covered entity or business associate to use the data for a specific purpose not otherwise permitted under HIPAA.
- The health information must be stripped of all information that allow a patient to be identified.
Sign Here Please
“Neither Google nor Ascension would give details on who at Google can access data.“
Does anyone even know?
Did Ascension get signatures from all its patients?
If so, did they have any idea what they were signing?
Mike “Mish” Shedlock
Alcoholism is used for alcohol addicts. They are addicted to alcohol and use it frequently. Such patients need proper care to involve them in real-life activities. There are few Luxury Rehab centers that are providing luxury treatment to drug addicts.To join them click”>link to luxuryrehab.com here They are a network of world-class luxury rehab centers. You can access them to get a better life.
click” target=”_blank” rel=”nofollow”>https://www.luxuryrehab.com/’>click
hy
Google is in it for the money. No matter what benefits and progress they will be touting about great new possibilities, the bottom line is that they will find ways to leverage it so that they are making money, most of which will be a transfer of costs to other people in hidden and obscure ways.
If HIPAA cannot prevent this abuse, then it is worthless.
I won’t pretend that I know if this project is HIPAA-compliant, I am not a lawyer. But I do know that Google and its partners and customers can identify individuals from the data they are collecting. With Google’s access to loads of personal data, a quick search would suffice.
Since plenty of identifying information is being given to Google, and patients did not give consent — they were not even informed — Google’s legal argument is tenuous at best.
More importantly, Google doesn’t even try to justify their unethical behavior — they have no case there at all. They jumped straight to a legal defense because there is no ethical defense.
Hundreds of Google employees who have no medical need to know can now search a patients name and find out if that patient has embarassing medical treatments. Imagine if the gays in San Fransisco (aka Google-land) realized their medical history was available to the public — they don’t get to come out to their parents or decide who knows about their HIV status, the decision belongs to a faceless corporation with no ethics and a slimy compliance department. Google employees would be livid if they were treated the way they are treating Ascension patients. That is the relevant metric, not whether an ambulance chaser can find a loophole in HIPPA law.
Doctors in the Ascension system now have a major problem. Even if Google’s ambulance chasers find a way to weazel out of legal liability, doctor patient trust has been destroyed. Anything you tell your doctor will be on Google servers within 24 hours, so don’t tell your doctor anything you don’t want to be neighborhood gossip.
In many ways it actually sucks that medical records are so fragmented and provider systems don’t talk to each other very well/consistently. A long line of companies have been trying to become the de facto central aggregator of health records in the US for decades. I was working on an attempt at a big online medical info site 15 years ago. What became clear is that only a mega player like a Microsoft or a Google has a chance of becoming that central aggregator — if it is possible at all, given exactly this kind of push-back from the public.
It would be extremely surprising if Google wasn’t all over HIPAA compliance in this project. Ignoring or skirting HIPAA requirements in that space is unthinkable. Most likely Jojo is right that there is some fine print somewhere that these patients signed at some time, that Google’s lawyers can argue allows this project to slurp their records. We have probably ALL signed that same crap multiple times, if you’ve ever been to a doctor.
Just because something is legal (or not explicitly illegal) doesn’t mean it is ethical or the right thing to do.
Google employees with confidential medical situations (its San Fransisco with all its gays and HIV stuff) — would be horrified if their medical information were treated this way.
Apparently California is going to fund training on how to discuss gun “safety” with their patients.
I am not aware of doctors discussing vehicle or other non medical safety with patients.
As in any totalitarian, and getting ever more so, hellhole: Increasingly, the only real cash flow available to those connected, come by way of forced transfers. Health care is a prime conduit for this, since the pliable indoctrinati have by now been rendered sufficiently clueless that they can be reliably counted on to fall for the idiocy that there is something “special” about one guy doing another one a service, as long as some half literate but well connected hack has arbitrarily classified that service as a “health care” one. So, then it is suddenly OK for the government to stampede all over freedoms, because “thiiiiz tiiiime iiiiits diiiiiferent.”
As always, once the government, and it’s institutions; like courts, central banks, legislatures etc.; is involved; the way to maximize shareholder value, is always to focus on having those institutions take from others and hand to you. Rather than to attempt creating something said others are willing to pay for voluntarily, uncoerced and despite their ability to decline not being impeded in any meaningful way.
So the former is what companies like Google, Amazon and the rest, will focus ever more of their resources on accomplishing: Inserting themselves into value chains where the ultimate payer for the “service” rendered, is to the greatest extent possible rendered unable to fully decide whether, and whom, to pay or not. Instead he is simply being de facto forced to contribute to the rent seeking by all manners of “experts” other connecteds, whose authority ultimately rests on nothing more than government’s assymetrical access to guns.
What Does Google Know About Your Health?
I don’t think they know much.
I have Medicare Advantage with Kaiser. I am a huge fan of KP.
Anybody that wants that data already had it. Corporate security is a bad joke.
Makes sense. Healthcare is a mess, its bloody expensive and accounts for something like 12% of US GDP. The other issue (not mentioned anywhere) is that computer diagnostics are on the way…for many patients now the amount of data available is “too much” for clinicians — and a computer is indifferent if there are 10 or 200 data points. The second issue is that healthcare providers are always looking for ways to cut costs…my guess is that the Google/Facebook/Amazon services are very very cheap (because of the big data implications).
I will guess that you will find Amazon and Facebook here too. their bread and butter is data — and this is a vast untapped resource for them.
Also, don’t underestimate the value of the data for patient care and “choice” as it may be. People forget the unintended consequence of data crunching.
18%
What Do You Know About Me?
It’s way too difficult to find out what data companies are collecting about you. link to slate.com
Is this not socialism/communism?? Where are the red scare posters regarding this hells bells moment in time?
It’s not totalitarianism (which encompasses socialism/communism as well as fascism/”social democracy” and other affronts to freedom), if patients, doctors and other care providers retain genuine, de facto access to route around the whole mess without any interference from any government connected institution.
Which of course they don’t have in our totalitarian dystopia. But some quack in the Wyoming Territory possibly telling a local medicine man about elixir he gave some native to try sobering up before a buffalo hunt, didn’t make America as of then a totalitarian country. It only became totalitarian once government mandated this and that, restricted who could practice what, enforced “know your customer” and other nonsensical laws etc. Such that people’s ability to route around the whole thing by inviting some Filipinos they trust to come over and treat them in exchange for anonymized Bitcoin, is de facto restricted. And they are hence no longer realistically free to make avoid dealing with the connected party members and leeches who are fleecing, subjecting, harassing and feeding off of them.
No, it’s capitalism. They’re looking to get somebody else’s money into their pocket.
It may not matter based on how HIPAA is defined. It doesn’t limit the data to care providers.
12 Nov 2019
Google rushes to explain what it’s doing with all that medical data
link to androidauthority.com
When you signed your agreement with your MD, likely something like 3-5 pages of fine print, rest assured that somewhere in there you accepted your MD’s organization to share your data with partners as long as they also agreed to follow HIPAA law.
And here is an article you may want to read:
What Do You Know About Me?
It’s way too difficult to find out what data companies are collecting about you.
Nov 11, 2019
link to slate.com
Sounds like Ascension outsourced their medical records to a group owned by or inside Google. If my guess is correct that Ascension got a very good price for the service, those who an animated by medical costs may want to hold their venom on this one.
Speaking of horror, there is probably not a computer person alive who has:
Had contact with or had information about medical records.
Not been horrified.