Project Nightingale seems to square with HIPAA, but next steps matter

While Google apparently signed a business associate agreement with Ascension, and the scope of the data sharing appears to be in line with HIPAA allowances, there are still many questions about how the patient information is being put to use.
By Nathan Eddy
02:24 PM

The health data sharing collaboration between Google and Ascension has raised some big concerns nationwide – starting with some employees at Ascension – about what the initiative could mean for patient privacy.

The so-called "Project Nightingale," overall does appear to meet HIPAA compliance standards, based on Google's and Ascension's own statements and what has been reported so far by The Wall Street Journal and others.

But the news that Google – which makes its money off data-based advertising and has long been the subject of privacy concerns – would have access to protected health information has understandably raised some alarms across an industry where privacy and security are meant to be paramount. (The partnership has now led to a new federal inquiry.)

CNBC reported that, while Ascension and Google did sign a business associate agreement, as required by HIPAA, "some Ascension employees were concerned that some tools that Google is using to import and export data were not compliant with HIPAA privacy standards."

As Ray Ray D'Onofrio, principal data analyst at technology consultants SPR explains, "development tools such as Google Data Studio can be problematic with HIPAA compliance, features such as logging of data changes, access controls for data viewing and screen locks are often not native."

However, "tactical HIPAA compliance is a bit of a red herring," he said. "It is the spirit of HIPAA that should be question – is data acquired and use of the data specifically providing value to the patient?"

In a blog post, Tariq Shaukat, president, industry products and solutions at Google Cloud, said the company has a BAA with Ascension, governing the use of PHI "for the purpose of helping providers support patient care."

Ascension and Google both quickly released statements on Monday, clarifying the purpose and scope of the arrangement, following WSJ's initial report. D'Onofrio opined that "the awkward announcements hint that neither Google or Ascension Health intended the sharing of data would be made public," or at least not as soon as it was.

In his blog post, Shaukat clarifies that, under conditions of the BAA, "Ascension’s data cannot be used for any other purpose than for providing these services we’re offering under the agreement, and patient data cannot and will not be combined with any Google consumer data."

Indeed, HIPAA stipulates that a business associate may gain access to protected health information "only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes."

But security expert Dr. Saif Abed, CEO of Boston-based Clinical Cyber Defense Systems, points out that the sheer potential value of the insights that can be derived from vast collections of patient data means there is always the potential that an analytics organization could push the boundaries of what is considered fair and ethical use.

So he said he understands why many are concerned that, over time, the patient data being analyzed might find its way into any number of different projects that were not the initiative's primary goal, and perhaps only loosely related to healthcare.

"Given that de-identification and anonymization frankly seldom truly exists, this could lead to a raft of, in essence, large scale privacy breaches and ethical misuse cases," he said.

A question of scale and scope

Deven McGraw, former Deputy Director for Health Information Privacy at HHS Office for Civil Rights and now chief regulatory officer at health data startup Ciitizen, said that, in some regards, the Ascension-Google collaboration "is not unlike arrangements that happen every day in America between hospitals and other covered entities and contractors performing services on their behalf.

"Many hospitals have hundreds of business associates, all with extensive access to PHI," she said.

The difference here is that the vendor is Google, "which has access to so much other data about individuals," leading to "some uncertainty about other ways that Google might try to use and monetize the Ascension data."

The stated aim of the project is one of software development, with the data helping inform AI algorithms and improve the use of the product.

But with Google, "I think there are concerns that it may not be possible for data to be truly de-identified in their hands, given all of the data to which they have access," said McGraw.

A similar point was raised by healthcare attorney Matthew Fisher, partner at Westborough, Massachusetts-based Mirick, O'Connell, DeMallie & Lougee, who echoed McGraw's assessment that Project Nightingale is "not fundamentally that different from the sorts of interactions that occur between healthcare organizations, such as Ascension, and vendors, such as Google, on a daily basis."

As long as Google "fulfills its privacy and security obligations under HIPAA with regard to the protected health information provided by Ascension, there is no HIPAA issue on the face of things," said Fisher. "A big unknown about the relationship, though, is whether Google will be permitted to de-identify the Ascension patient information.

"If protected health information is de-identified in accordance with HIPAA, then the data are no longer covered by HIPAA," he said. "However, given the enormous amount of data held by Google, a maybe not so academic question exists of whether data can be de-identified when in Google’s possession.

That's essentially the gist of an ongoing lawsuit involving Google's work with the University of Chicago. The plaintiff alleges that, despite being deidentified, Google's expertise in data mining and AI makes it "uniquely able to determine the identity" of the medical records shared with it by the university."

Ultimately, said Fisher, if either Ascension or Google don't "comply with obligations under HIPAA and a breach or violation occurs, then OCR or an Attorney General can take action.

Time to rethink privacy protections?

Big picture, it's probably time for policymakers to reexamine the mechanisms and regulatory frameworks in place to protect patient data.

Abed, of Clinical Cyber Defense Systems, points out that privacy and security regulations need to be strong enough on the side of the patient to be able to hold organizations managing their data to account.

"We have to remember that the average person is not a security expert and can easily be overwhelmed by technical jargon from suppliers professing how secure and trustworthy they are," he said.

"The use of patient data is a struggle of extremes," added D'Onofrio of SPR. "At one end is the important role population data plays in managing the cost of healthcare" and driving improvements in population health and precision medicine, he said. "At the other extreme is the desire to keep our personal health information private."

It's exactly that delicate balance that McGraw has been exploring recently in a series of discussions about the "Goldilocks dilemma" of health data sharing.

It may also be worth assessing the strength these days of HIPAA, which is nearly 25 years old and dates from well before the technological innovations driving these new conversations.

Indeed, one open question, said McGraw, is "whether Google will combine its data (such as data from search) with the Ascension data in order to augment its services to Ascension (for example, predictive analytics based on both clinical and social data). This would also be permissible under HIPAA, as Ascension faces few limitations under HIPAA in how it collects data."

She also offered the view that, "if Google wants to be a trusted player in healthcare, they could also take steps to firewall off (both technically and through contractual and privacy policy commitments) the data they are collecting as part of their health care work from other aspects of their business."

Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Email the writer:
Twitter: @dropdeaded209

Healthcare IT News is a publication of HIMSS Media.


Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.