‘Nightingale Project’ to Turn Over Millions of Medical Records to Google

A venture between Google and Ascension, one of the largest healthcare providers in the United States, will give the tech giant access to the sensitive medical information of as many as 50 million patients in 21 states.

Its venture with Google, called “The Nightingale Project,” would enable it to improve the experience of patients, consumers, providers and associates, Ascension said, as well as advance its mission of providing compassionate, personalized care to all, especially people living in poverty and those most vulnerable.

As part of the venture, Ascension is moving its IT infrastructure to Google’s cloud, adopting Google’s G Suite productivity and collaboration tools, and exploring artificial intelligence and machine learning applications, it said.

Those steps will have the potential to support improvements in clinical quality and effectiveness, patient safety, and advocacy on behalf of vulnerable populations, as well as increase consumer and provider satisfaction, Ascension maintained.

“All work related to Ascension’s engagement with Google is HIPAA-compliant, and underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling,” the company added.

Whistleblower’s Video

However, a video posted to Dailymotion by a member of the Nightingale team paints a less benign picture of the project.

“Google is secretly transporting data to its own servers without patient knowledge or consent,” the whisteleblower claims in the video.

The video goes on to explain that the project has four stages. The first two move patient data, with patients’ names, to Google’s cloud.

During stage three, Google uses Ascension’s data to build a framework in the cloud.

Then during stage four, Google will mine Ascension’s patient information to run analytics and AI algorithms, sell or share data with third parties, and create profiles of patients that can be used for ads targeted to the patients’ healthcare issues.

Questions were raised about Google’s participation during meetings on the project, the video maintains.

“All of this PII and PHI can be accessed by Google employees, AI algorithms, third parties, advertisers, analytics tools,” the video notes.

“How does Google profit? In the short term and long term they can mine data and sell findings,” it suggests.

“They could create predictive analytics,” the video continues. “Already Google has been found to share data with third parties. How can they be trusted to do anything differently with healthcare data?”

Strict Guidance on Data Usage

Google’s deal with Ascension is a business arrangement to help a provider with the latest technology, similar to the work it does with dozens of other healthcare providers, explained Tariq Shaukat, president of industry products and solutions for Google Cloud, in an online post.

“These organizations, like Ascension, use Google to securely manage their patient data, under strict privacy and security standards,” he wrote. “They are the stewards of the data, and we provide services on their behalf.”

All of Google’s work with Ascension adheres to industry-wide regulations regarding patient data, including HIPAA, and it is subject to strict guidance on data privacy, security and usage.

“To be clear,” Shaukat continued, “under this arrangement, Ascension’s data cannot be used for any other purpose than for providing these services we’re offering under the agreement, and patient data cannot and will not be combined with any Google consumer data.”

HIPAA Myth

Although there’s a popular perception that the privacy of healthcare information is rigidly protected by the federal Health Insurance Portability and Accountability Act (HIPAA), that’s not really the case, said Twila Brase, president of the Citizens’ Council for Health Freedom, an advocacy group based in St. Paul, Minnesota.

“What HIPAA really is, is a permissive data sharing rule,” she told TechNewsWorld. “The public has been deceived.”

HIPAA allows healthcare information to be shared for a number of purposes, including payment, treatment, research, law enforcement, judicial proceedings, public health, and healthcare operations, which is broken into more than 65 activities, Brase pointed out.

“What Ascension is doing is using the healthcare operations section of HIPAA to contract with a ‘business associate’ called Google, which is perfectly legal,” she said.

“Patients have lost all consent rights to what happens to their medical records, unless there is privacy law in their state,” Brase added.

Misunderstanding About Sharing

The Google-Ascension venture may shine a light on the misunderstood issue of data sharing in the healthcare industry, said Ben Waugh, chief security officer at Redox, maker of a healthcare data sharing platform, in Madison, Wisconsin.

“People underestimate how many companies have access to medical data. Healthcare providers have to share this data with a large number of companies on a day-to-day basis to provide a person with care,” he told TechNewsWorld.

“When you go to a hospital or medical practice and you sign all those forms, you are signing away permission to share your data with a wide range of companies,” Waugh said. “The news isn’t that Google is doing this. It’s just how much of this data is being shared today.”

Most data sharing is being done with a patient’s well-being in mind, he continued. “I honestly don’t believe folks are being intentionally unethical about sharing. I believe data is being shared for the purpose of making healthcare better.”

However, there’s a serious problem with the way information about sharing is conveyed to consumers, Waugh acknowledged. “There’s a lot of complexity in this system. Providers don’t even know when information they share with a third party is being shared by that third party with someone else.”

The New Asbestos

Consumers should be concerned about how and with whom their healthcare data is shared, said Ameesh Divatia, CEO of Baffle, a data encryption company in Santa Clara, California.

“Healthcare records are even more important than financial records,” he told TechNewsWorld. “When someone compromises your financial information, there are forms of compensation for losses. If someone compromises your healthcare information, there’s no way to measure how much damage it can cause.”

Still, data sharing is a necessity, Divatia said.

“Data is always going to be shared. There’s no way around it. That’s the world we live in right now,” he continued. “Everyone says that data is the new oil. It’s also the new asbestos. If you don’t use it responsibly, it can have some really bad effects.”