Google is teaming with one of the country’s largest health-care systems on a secret project to collect and crunch the detailed personal health information of millions of Americans across 21 states, according to people familiar with the matter and internal documents.
[…]The data involved in Project Nightingale includes lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, complete with patient names and dates of birth.
Neither patients nor doctors have been notified. At least 150 Google employees already have access to much of the data on tens of millions of patients, according to a person familiar with the matter.
There’s a lot of money to be made in healthcare, and it was only a matter of time before creepy technology companies like Google would want a piece of this pie – through massive amounts of personal information.
Technically, this is all above board, though. It’s fully within federal regulations and laws, so this practice is unlikely to stop.
There have been numerous abortive attempts to share NHS medical data in the UK without proper consent from patients.
The biggest failure was when the UK government tried to implicitly opt-in the whole of the NHS population to commercial datasharing. Eventually the scheme had to be scrapped: https://www.wired.co.uk/article/care-data-nhs-england-closed
In 2017 it turned out Google had been illegally given UK patient data. The fault was with the NHS, which handed over the data without consent (the ICO didn’t apply any sanctions though): https://www.telegraph.co.uk/technology/2017/07/03/googles-deepmind-nhs-misused-patient-data-trial-watchdog-says/
More recently, NHS Digital tried to hand data to Home Office immigration services: https://www.independent.co.uk/news/health/nhs-patient-data-immigrant-uk-government-hostile-environment-information-a8343681.html
I couldn’t read the (paywalled) WSJ article, but from the summary it sounds potentially worse than any of these.
Everyone seems to agree that medical data sharing offers huge research benefits that could improve healthcare, but it also has the potential to seriously undermine patient trust. In most cases, the outcry that follows badly handled data sharing does far more harm than if it were just done right in the first place.
From my own research, I concluded that in general, people have stricter norms for their medical privacy or health privacy than for other privacy concerns.
https://www.igi-global.com/article/political-attitudes-on-the-dutch-electronic-patient-record/120115
Also European regulations would prohibit practices as described here… I also did some work an that.
http://ebooks.iospress.nl/publication/21407
Anyhow, this conflicts with the GDPR and the UK is still a member of the EU. My personal opinion is that legal action should be taken, because an EU Regulation takes precedence over national laws. But I’m not familiar with de details of this case.
Fascinating and thanks for sharing your publications. The original article relates to the US rather than the UK, so no GDPR to apply unfortunately.
My bad…. I was under the impression (reading too fast) that it was about the UK. Indeed, in the US it is altogether different, although HIPAA might cover a few aspects — I’m however not familiar with the HIPAA.
https://www.hhs.gov/hipaa/index.html
Well, it’s certainly not legit according to the annual HIPAA certification course I have to take. It violates the “least necessary” principle (thou shalt share only that which is least necessary for care), and while they’re pretending to be “covered entities”, there is no existing relationship between myself and Project Nightingale *as a patient*.
See https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/permitted-uses/index.html for some breakdowns of what is and isn’t allowed, and I don’t see how this can withstand any level of legislative scrutiny.
Thom Holwerda,
Are you able to read these articles behind the paywall? I’m not sure if you are aware that many of us cannot.
Anyways, I find that google getting medical data without permission is unethical. Whether it’s google buying up all visa & mastercard personal credit card transactions, medical data, tracking in android or web bugs, or anything else, the main problem with all these things is always the same: WE NEED TO OPT-IN!!!!! The law should always require they get our consent! Unfortunately in the US this is often not the case; the constitution protects our privacy from government abuse (although even this has been significantly watered down & even ignored by the government in recent generations), but the constitution gives no protection at all from corporations like google (and microsoft, etc) who are all too happy to take data without consent and sometimes even with explicit objection.
Mhmm. Remember “don’t be evil?”
This isn’t the first time Google has gotten into the health sector. They had Google Health from 2008 – 2011, and they have https://health.google/ promoting something like this.
I can’t read the full story, so I’m not sure about the specifics of it. However, this sounds kind of sensationalist, and the data should be anonymous. Sensationalist because there are tons of companies in this field, and Google is just a big target. I personally know at least three health companies who have plans to do this, and several people who work in this field. This isn’t new, and using data science to try and find trends is the next big thing in preventative medicine. Well, everyone thinks it’s the next big thing anyway.
HIPAA is very strict about what can and cannot be done with patient data. One of the things about HIPPA is that information that can be tied to an individual (pesonal health information or PHI) cannot be released without the person’s consent. Any third parties which get access to the data only get access to data which cannot be linked back to a person. Of course, the primary EHR company has access to the PHI, and they can get more specific.
Probably what’s happening is that Google is probably working with a large EHR firm to figure out how to use their AI products to pull stats from submitted data. GCP is HIPAA certified, as much as they can be, (https://cloud.google.com/security/compliance/hipaa/), and there are probably companies using GCP as their backend.
Once again, I can’t read the article, so I’m just guessing about its content.
I was also a bit surprised that the main posting had a paywalled article link. For those of us that don’t have a subscription with a Murdoch family owned web site, The Guardian provided excellent and timely coverage: https://www.theguardian.com/technology/2019/nov/12/google-medical-data-project-nightingale-secret-transfer-us-health-information
Additionally, the description of Ascension;’s deal with Google being HIPAA Compliant seems very suspect to me, since Google is not a licensed and registered health provider, and still seems to violate some of the patient medical history and demographic data protected by HIPAA: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html
It’s not the first time they are collecting this type of data.. It’s actually the first time they accumulated enough information from this to be able to sell the product, or at least test it at a larger scale.
In Asia they’ve been testing algorithms that allow companies to pick people based on their social information and how they are reacting via video conference to the interviews, to assign tasks within the workforce based on the workers habits and allow insurance companies know in advance of which disease someone could be suffering based on their current medical information.
There are many more areas which this can be used nevertheless..