You may not have read about it in the news, but Google has partnered with Ascension, one of the largest nonprofit health systems in the country. The Catholic hospital system operates in over 20 states, and accumulates a great deal of patient data, which Google will now have the ability to analyze. The project under which Google has gained access to this information is being called “Project Nightingale.” But is it a nightmare in disguise?
Project Nightingale doesn’t represent the first time that hospitals have worked with technology companies, but it is noteworthy because it involves a great quantity of patient data being placed in the hands of a third-party tech company without patients’ knowledge, or that of their doctors. After the Wall Street Journal reported on the partnership, Ascension rushed to assure the public that Project Nightingale was “HIPAA compliant and underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling.” It’s unclear how much reassurance patients will find in Ascension’s public statement.
Why would a hospital or hospital system share patient data with a technology company in the first place? The stated goal is to be able to analyze large quantities of data in order to help hospitals and healthcare providers develop insight into the care needs of patients and identify the best possible treatments for certain ailments.
Another reason that health systems store patient healthcare data in the cloud rather than on-site is that doing so allows them to focus their efforts on their stated goal—patient care—rather than on data management and the challenges of developing an infrastructure for that purpose. Storing patient information in the cloud also makes it easier for care providers to access charts from a variety of devices throughout the healthcare system.
What exactly is “the cloud?” It’s not some great server in the sky; it is a system that allows data to be stored in several locations. This serves a number of ends: it offers protection against fire, power outage, or natural disasters; it allows data to be accessed more rapidly; and it can allow for more predictable data management costs. It’s easy to see that there would be a benefit to a healthcare system like Ascension and others.
You may never have heard of the Ascension hospital system, but chances are that you’ve heard of the Mayo Clinic, which has also launched a partnership with Google—this one designed to last ten years. The Mayo Clinic will be sharing data in Google’s “cloud” and using tools developed by Google to analyze clinical data. The clinic insists that identifying information would be stripped from patient information shared with Google. However, that is not the case with Project Nightingale, per a CBS report.
What is hospitals’ obligation to share the nature of these data-sharing arrangements with their patients, physicians, and staff? On the one hand, these initiatives are intended to benefit patients in the long run. On the other, patients are likely to have justifiable concerns about the safety and privacy of their personal health information. It is true that large technology firms have state-of-the-art security in place to safeguard data, but given data breaches from other well-known companies, patients may not feel completely at ease, even given Google’s enhanced security.
According to the Wall Street Journal, up to 150 employees of Google may already be able to access information regarding several million patients. This report comes from anonymous sources. It is also reported that a number of employees of the Ascension system have questioned the way patient information is being gathered and shared.
Why would a bad actor be interested in medical information? It turns out that personal health information (PHI) data is highly valued on the black market, and many hackers prefer it to credit card data. PHI data used in insurance fraud is both more lucrative and harder to trace than credit cards or bank fraud, due to protections banks have put in place. With health information storage, insider breaches are reportedly on the rise. That means once someone with legitimate access to your records grants that access to someone else, your data is at risk.
If you are uncomfortable with the idea of your personal health information being stored in the cloud, you are not alone. So what should you do about it? The first step is to speak with your health care providers and ask how patient data is stored and specifically, whether it is stored in the cloud. If it is, ask for details on how it is secured. Your doctor or nurse may not have specific answers, so find out who does. Make your objection known if you do not receive adequate reassurance that your information will be protected. Don’t assume that HIPAA protects your data from being shared with third-party technology companies.
If you have further questions about safeguarding your personal data or other assets, contact our law office.