11.13.19

Klobuchar, Murkowski Urge Department of Health and Human Services to Examine the Collaboration between Google and Ascension Health System over Privacy Concerns

Today, U.S. Senators Amy Klobuchar (D-MN) and Lisa Murkowski (R-AK) urged the Department of Health and Human Services (HHS) to examine a collaboration between Google and Ascension health system that enables Google to collect the personal health information of roughly 50 million Americans—including personally identifiable information, lab results, hospital records, and physician diagnoses—without their knowledge or consent. According to the Wall Street Journal, neither Ascension patients nor physicians were informed of the agreement before the data sharing program known as ‘Project Nightingale’ began. Roughly 150 Google employees now have access to Ascension patients’ personal health information, which allegedly includes identifiable patient data. While Google claims the data sharing agreement is permitted under the Health Insurance Portability and Accountability Act (HIPAA), the partnership raises significant questions concerning the safeguarding of private health data. Under HIPAA, covered entities like hospitals are allowed to share protected health information with “business associates” to “help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes.” However, Google has reportedly declined to comment on whether it would use this data for profit or to conduct independent research—both of which could potentially fall outside the scope of HIPAA protections.

In a letter to HHS Secretary Alex Azar, the senators sought information regarding Google and Ascension’s partnership out of concern for the protection of patient data, and asked whether HHS agrees with the broad interpretation of HIPAA by which ‘Project Nightingale’ is reportedly operating, in that Google is permitted to receive personal health information without patient consent from Ascension as a “business associate.”

“Technology has undoubtedly made it easier for people to monitor and control their own health and health care decisions, but it has also given companies more access to personal and private health data with very few rules of the road in place to regulate data sharing, processing, and analysis. We have introduced legislation to strengthen privacy and security protections for consumers’ personal health data by requiring the creation of meaningful health data privacy regulations for entities not currently regulated under HIPAA,” the senators wrote.

Klobuchar and Murkowski are the authors of the Protecting Personal Health Data Act, bipartisan legislation to protect consumers’ private health data not covered under existing privacy law. While recent reports have highlighted how home DNA testing kits and health data tracking apps have given companies access to unprecedented levels of consumer health data, current law does not adequately address the emerging privacy concerns presented by these new technologies. The Protecting Personal Health Data Act addresses these health privacy concerns by requiring the Secretary of HHS to promulgate regulations for new health technologies such as health apps, wearable devices like Fitbits, and direct-to-consumer genetic testing kits that are not regulated by existing laws.

The full text of today’s letter is below:

Dear Secretary Azar:

CC: Roger Severino 

We write to raise concerns about recent reports detailing a collaboration between Google and Ascension health system that enables Google to collect the personal health information of roughly 50 million Americans—including personally identifiable information, lab results, hospital records, and physician diagnoses—without their consent. We encourage the Department of Health and Human Services (HHS) to examine this initiative—known as ‘Project Nightingale’—to ensure compliance with federal health privacy law and the protection of Americans’ most personal and private health data. 

According to the Wall Street Journal, neither Ascension patients nor physicians were informed of the agreement before the data sharing program began. Roughly 150 Google employees now have access to Ascension patients’ personal health information, which allegedly includes identifiable patient data. While Google claims the data sharing agreement is permitted under the Health Insurance Portability and Accountability Act (HIPAA), the partnership raises significant questions concerning the safeguarding of private health data. Under HIPAA, covered entities like hospitals are allowed to share protected health information with “business associates” to “help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes.” However, Google has reportedly declined to comment on whether it would use this data for profit or to conduct independent research—both of which could potentially fall outside the scope of HIPAA protections.

Technology has undoubtedly made it easier for people to monitor and control their own health and health care decisions, but it has also given companies more access to personal and private health data with very few rules of the road in place to regulate data sharing, processing, and analysis between covered entities and non-covered entities. We have introduced legislation to strengthen privacy and security protections for consumers’ personal health data by requiring the creation of meaningful health data privacy regulations for entities not currently regulated under HIPAA. In light of previous incidents that have highlighted the need for additional protections for user privacy on Google’s platform, we are concerned that technological progress is once again taking precedence over adequately protecting Americans’ sensitive information.

In an effort to ensure that ‘Project Nightingale’ is in compliance with federal law and has adequate protections in place, we respectfully ask that HHS answer the following questions:

1.) Given that the Office for Civil Rights has reportedly announced plans to initiate an inquiry about ‘Project Nightingale,’ what information has been requested from Google or Ascension concerning how each entity plans to ensure the protection and privacy of patient data?

2.) Has HHS learned whether Google ensured their employees with access to protected health information as part of ‘Project Nightingale’ have received training on HIPAA compliance when handling such sensitive information?

3.) Is HHS aware of any efforts by Google to use the data that is being collected beyond providing tools for Ascension medical providers?

4.) Does HHS agree with the broad interpretation of HIPAA by which ‘Project Nightingale’ is reportedly operating in that Google is permitted to receive personal health information without patient consent from Ascension as a “business associate”?

Thank you for your attention to this important health and privacy issue. We hope you will continue to work with Congress to ensure Americans’ most private and sensitive data is adequately protected.

Sincerely,

###
