Google has secretly been gathering the health data of millions of Americans on behalf of the US’ second-largest healthcare provider, Ascension. The data gathered includes lab results, diagnoses, hospitalisation records, and “amounts to a complete health history”, including patient names and dates of birth. This was first reported by the Wall Street Journal, followed by the New York Times.

Dubbed ‘Project Nightingale’, the project involves collecting health data from Ascension’s hospitals without informing patients of the collection. Ascension is a Catholic non-profit that operates 150 hospitals in 20 states and the District of Columbia.

As many as 150 Google employees may have had access to the data, according to WSJ, and “dozens” of Google employees may have access to patient data such as name, birth date, race, illnesses and treatments, according to NYTimes. Ascension employees have raised concerns that Google employees may also have downloaded patient data. According to internal documents accessed by NYTimes, “the data of all Ascension patients could eventually be uploaded to Google’s cloud computing platform” under the arrangement. When the project came to light on November 11, Google told The Verge that it had been kept under the radar because it was still in its early stages, though Ascension and Google later made an announcement (more on this below).

What are Google and Ascension working on?

Google and Ascension are testing software that will allow healthcare providers to search a patient’s electronic health record by “specific data categories and create graphs of the information, like blood test results over time”, according to NYTimes. This involves Ascension moving patient records to Google’s servers, with the eventual intention of giving medical professionals better access to patient data, improving care, and deriving insights from health data to improve treatment.

What about patient data privacy?

Such data collection and its use in the software is governed by the Health Insurance Portability and Accountability Act, or HIPAA, a federal law that regulates how doctors and health providers handle personally identifiable health information. Project Nightingale seems to fall within the bounds of HIPAA, since the law allows health providers and hospitals to share patient data with business partners without informing patients, as long as the information is used in aid of healthcare services.

Google said it has a Business Associate Agreement (BAA) with Ascension, which “governs access to Protected Health Information (PHI) for the purpose of helping providers support patient care”. Such agreements are standard, and Ascension’s data cannot be used for anything other than what is in the agreement, the company said. Google also stated that “patient data cannot and will not be combined with any Google consumer data”.

Ascension’s announcement said that the partnership is aimed at modernising Ascension’s infrastructure by moving to Google Cloud and G Suite, and at exploring AI/ML applications. The partnership will help shift Ascension’s technology operations from isolated solutions to integrated platforms. Google had mentioned the partnership in an earnings call in July, but provided no specifics. It had simply said that Google Cloud’s AI and ML solutions “are helping healthcare organisations like Sanofi and Ascension improve the healthcare experience and outcomes”.

Google and American medical school face lawsuit over a similar project

The University of Chicago Medical Center allegedly violated federal and state health laws by selling patient data to Google to develop AI products, according to an amended lawsuit filed in October. The University gave patient records to Google for commercial purposes, without notifying patients or obtaining their consent, as part of a research study. The medical school and the tech giant both claimed that the medical records were de-identified, but the records contained date stamps and doctors’ notes, the lawsuit claims. It states that:

The University provided Google a partner willing to turn over the information that it desperately needed. Indeed, the University—seeking not much more than notoriety for its collaboration with Google in the development of healthcare products—was happy to turn over the confidential, highly sensitive and HIPAA-protected records of every patient who walked through its doors between 2009 and 2016.

Google agreed to provide the medical school with a license to use the software it developed, and retained all other IP rights to the software, which was developed using patients’ medical records. “To put it another way,” the lawsuit says, “Google paid the University for medical information (that rightfully belongs to patients) by providing a license to its proprietary software”.
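The lawsuit’s point about date stamps rests on how HIPAA defines de-identification: under the Safe Harbor method (45 CFR 164.514(b)(2)), all elements of dates directly related to an individual, other than the year, must be removed, along with names, ages over 89 and 15 further identifier classes. The following is an added illustration, not code from the article, the lawsuit or either party, of the kind of screening pass a practitioner would run before calling a record set de-identified. It covers only dates, ages over 89 and caller-supplied names; the field names, patient names and records are constructed for the example.

```python
import re

# Screening pass for three of the 18 HIPAA Safe Harbor identifier classes
# (45 CFR 164.514(b)(2)): dates more specific than a year, ages over 89,
# and names. The other classes (medical record numbers, ZIP codes, etc.) are
# not checked, so an empty result means "passed these checks", not
# "de-identified". This is an illustration, not any party's real tooling.

# ISO 8601 (YYYY-MM-DD) and US (M/D/YYYY) dates; only the year may survive.
FULL_DATE = re.compile(
    r"\b(?P<iso_y>\d{4})-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/(?P<us_y>\d{4})\b"
)
# Safe Harbor requires ages over 89 to be collapsed into one "90 or older" bucket.
AGE_OVER_89 = re.compile(r"\b(9\d|1\d\d)[- ]?(years?|yrs?|y/o|yo)\b", re.IGNORECASE)

# Constructed sample records (hypothetical field names, fictitious patients).
KNOWN_NAMES = ("Jane Roe",)
SAMPLE_RECORDS = [
    {"patient_id": "A-001", "admit_date": "2014-03-07",
     "note": "Pt Jane Roe, 92 yo, seen 3/7/2014 for chest pain. Follow-up 03/21/2014."},
    {"patient_id": "A-002", "admit_year": "2015",
     "note": "Pt presented with cough; 45 yo; no further identifiers."},
]


def find_safe_harbor_violations(record, known_names=()):
    """Return (field, identifier_class, matched_text) for every identifier found."""
    findings = []
    for field, value in record.items():
        text = str(value)
        for m in FULL_DATE.finditer(text):
            findings.append((field, "date more specific than year", m.group(0)))
        for m in AGE_OVER_89.finditer(text):
            findings.append((field, "age over 89", m.group(0)))
        for name in known_names:
            if re.search(rf"\b{re.escape(name)}\b", text, re.IGNORECASE):
                findings.append((field, "name", name))
    return findings


def redact_record(record, known_names=()):
    """Return a copy with names removed, dates reduced to the year, ages capped at 90+."""
    out = {}
    for field, value in record.items():
        text = str(value)
        for name in known_names:
            text = re.sub(rf"\b{re.escape(name)}\b", "[NAME]", text, flags=re.IGNORECASE)
        text = FULL_DATE.sub(lambda m: m.group("iso_y") or m.group("us_y"), text)
        text = AGE_OVER_89.sub(lambda m: "90+ " + m.group(2), text)
        out[field] = text
    return out


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        hits = find_safe_harbor_violations(rec, KNOWN_NAMES)
        print(rec["patient_id"], "violations:", hits or "none")
        if hits:
            print("  redacted:", redact_record(rec, KNOWN_NAMES))
```

Note that free-text fields such as clinical notes are where structured de-identification usually fails: a record can have its date columns stripped while a narrative note still carries the visit date and the patient’s name, which is why the first sample record is flagged on its note rather than only on its date column.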

Google’s Fitbit purchase

Google just acquired wearables company Fitbit for $2.1 billion to invest further in Wear OS and bring Made by Google wearables to market. Apart from the hardware push, the acquisition will give Google access to the health data of Fitbit’s 28 million active users. Fitbit devices track granular health data about their wearers, such as steps taken, calories burned, exercises performed, and sleep cycle and quality.

Early in its announcement, Google says it will be transparent about what data it collects and why, stating that “privacy and security are paramount”. Fitbit health and wellness data will not be used for Google ads, and Fitbit users will have the choice to review, move, or delete their data. Fitbit made the same assurances in its announcement.