Recently, Google announced a business partnership with Ascension, the second-largest healthcare provider in the US. It transpires that, through this partnership, the medical records of 50 million Americans will be transmitted – without the knowledge or consent of the patients. None of the records involved are de-identified.
Data analytics has become synonymous with business success, and the personal information of real people is often viewed in terms of dollar signs and profit margins. In turn, true privacy is often portrayed as an unattainable ethical ideal. However, patient and consumer privacy should not be disregarded. Consumer consent is important, and if obtaining it is unmanageable, data should at least be de-identified, so that it is no longer personal.
On November 11, Google and Ascension signed an agreement, codenamed Project Nightingale, that constitutes the largest data transfer of its kind. Project Nightingale’s goal is to build a medical-action suggestion tool. However, potential ulterior motives have raised red flags across the globe. By the time the transfer is complete, 50 million patient records will have been shared. Last Tuesday, 10 million had already been delivered.
In the past, similar efforts to use technology to improve healthcare have first required data to be de-identified. A good example is the collaboration between Google and Mayo Clinic. But in the case of Google and Ascension, the lack of de-identification suggests that a new boundary of data greed has been pushed, in an effort to make data available for purposes beyond those associated with Project Nightingale.
No one should be able to access and manipulate medical records without the knowledge and consent of patients and doctors. Not only is this highly unethical; it is also potentially illegal.
Coupled with the acquisition of Fitbit earlier this month, Google appears to be on a mission to become a major stakeholder in the healthcare industry. It is unlikely that Google wants to do this for the common good. After all, Google’s actions undermine the basic right to privacy afforded to all individuals. The company’s new ability to combine search and medical records for business gain is troublesome.
Project Nightingale may have violated HIPAA
Since neither patients nor doctors were made aware of Project Nightingale, Google is at risk of a HIPAA violation. In fact, a federal inquiry has already been launched.
Under the law, even healthcare professionals must get permission to access health records. Why wouldn’t big tech?
Google has repeatedly insisted that it will follow all relevant privacy laws. However, with the volume and variety of data that the company holds on the average individual, this case likely pushes into uncharted territory that few regulations currently govern.
Even if the secret harvesting of data is not determined to have breached HIPAA, it has undoubtedly crossed the ethical boundaries of healthcare.
Google employees can access medical records and use them to make money
Through this partnership, Google plans to create a search tool, designed for medical professionals, that suggests prescriptions, diagnoses, and doctors.
While the public aim may be to improve patient outcomes and reduce spending, a whistleblower expresses concerns that Google “might be able to sell or share the data with third parties, or create patient profiles against which they can advertise healthcare products.”
With the launch of its newest partnership, Google harvested patient names, lab results, hospitalization records, diagnoses, and prescriptions from over 2,600 hospitals. This data can be, and has been, accessed by Google staff (Source).
With this information,
- Google employees can access the medical records of real people.
- Advertisements can target people based on their medical history.
- Google can pass identifiable health records to a third party.
The potential misuse of medical records places emphasis on the need to de-identify personal information that is being shared, especially without consent. Patients have now unknowingly been put at risk, and their trust has been completely violated.
Who wants to think that their embarrassing injuries are lunchtime conversations for Google employees? That their cancer is the target of Google ads? That their mental health history is being sold to insurance companies?
As the Google whistleblower puts it, “Patients must have the right to opt-in or out. The uses of the data must be clearly defined for all to see, not just for now but for 10 or 20 years into the future.”
The actions of Google and Ascension cross the boundary of healthcare ethics, signaling a complete disregard for the privacy of patients. When it signed the deal and secretly harvested the medical records of 50 million Americans, Google demonstrated a sense of entitlement and deceitfulness that is entirely unbecoming of a business that already holds an enormous amount of data on the average citizen.
Confidentiality is the foundation of doctor-patient relationships, and if people can no longer trust that their secrets are safe with their healthcare providers, who can they trust?