On Wednesday, Nov. 13, U.S. Sens. Amy Klobuchar, D-Minn., and Lisa Murkowski, R-Alaska, urged the Department of Health and Human Services to examine a collaboration between Google and Ascension health system that enables Google to collect the personal health information of roughly 50 million Americans, including personally identifiable information, lab results, hospital records, and physician diagnoses, without their knowledge or consent.
According to the Wall Street Journal, neither Ascension patients nor physicians were informed of the agreement before the data sharing program known as Project Nightingale began. Roughly 150 Google employees now have access to Ascension patients’ personal health information, which allegedly includes identifiable patient data.
While Google claims the data sharing agreement is permitted under the Health Insurance Portability and Accountability Act, or HIPAA, the partnership raises significant questions concerning the safeguarding of private health data. Under HIPAA, covered entities like hospitals are allowed to share protected health information with “business associates” to “help the covered entity carry out its health care functions -- not for the business associate’s independent use or purposes.”
However, according to a news release, Google reportedly declined to comment on whether it would use this data for profit or to conduct independent research -- both of which could potentially fall outside the scope of HIPAA protections.
In a letter to HHS Secretary Alex Azar, the senators sought information regarding Google and Ascension’s partnership out of concern for the protection of patient data. They asked whether HHS agrees with the broad interpretation of HIPAA under which Project Nightingale is reportedly operating, namely that Google, as a “business associate,” is permitted to receive personal health information from Ascension without patient consent.
“Technology has undoubtedly made it easier for people to monitor and control their own health and health care decisions, but it has also given companies more access to personal and private health data with very few rules of the road in place to regulate data sharing, processing, and analysis,” the letter reads. “We have introduced legislation to strengthen privacy and security protections for consumers’ personal health data by requiring the creation of meaningful health data privacy regulations for entities not currently regulated under HIPAA.”
Klobuchar and Murkowski are the authors of the Protecting Personal Health Data Act, bipartisan legislation intended to protect consumers’ private health data not covered under existing privacy law. While recent reports have highlighted how home DNA testing kits and health data tracking apps have given companies access to unprecedented levels of consumer health data, current law does not adequately address the emerging privacy concerns presented by these new technologies. The Protecting Personal Health Data Act addresses these health privacy concerns by requiring the Secretary of HHS to promulgate regulations for new health technologies such as health apps, wearable devices like Fitbits, and direct-to-consumer genetic testing kits that are not regulated by existing laws.