The US Office for Civil Rights in the Department of Health and Human Services has initiated an investigation into the Project Nightingale cloud computing deal between Google and US healthcare network Ascension Health, which would give Google access to the detailed health information of millions of patients.
As reported in the Wall Street Journal (WSJ), the regulator will be looking into the data collection to ensure the partnership is compliant with the Health Insurance Portability and Accountability Act (HIPAA).
The partnership between Google and Ascension is set to integrate Ascension’s different areas of health data into the cloud. The two companies have confirmed that they were working together to analyse patient data using artificial intelligence (AI) and machine learning to give healthcare providers new insights and suggestions for patient care.
However, unlike in similar efforts elsewhere, the information was not anonymised before being accessed by at least 150 Google staff.
SPR principle data analyst Ray D’Onofrio said: “The use of patient data is a struggle of extremes. At one end is the important role population data plays in managing the cost of healthcare to the country’s population. Population analytics identify opportunities for earlier detection and more effective treatments, precision healthcare data allows these analytics to be uniquely applied to each patient.
“At the other extreme, is the desire to keep our personal health information private.”
Project Nightingale is the largest data transfer of its kind in the healthcare field so far. It will cover the entire spread of Ascension, a network of 2,600 medical facilities.
As reported by the Guardian, shortly after the publication of the WSJ report an anonymous whistleblower uploaded a video to Daily Motion showing a document dump of hundreds of images of confidential files relating to Project Nightingale.
The Guardian reports that the video included highly confidential outlines of Project Nightingale, laying out the four stages of the project. These show that by March 2020 Ascension will have passed the data of 50 million or more patients in 21 states to Google, with around 10 million files having already moved across, and no warning having been given to patients or doctors.
The documents also show that Ascension operatives expressed concerns about the way Google will use patients’ private health information, which the whistleblower maintains have yet to be resolved.
Annotations on the leaked documents also reportedly suggest that in the future Google might be able to sell or share the data with third parties or create patient profiles against which they can advertise healthcare products.
Following the WSJ report, both companies issued statements acknowledging the sensitive nature of the data in question but asserting that they are in compliance with the law. In a blog post, Google described the deal as a “business arrangement to help a provider with the latest technology, similar to the work we do with dozens of other healthcare providers,” which would be carried out “under strict privacy and security standards”.
The company has also said the data will not be used in any other project and cannot be combined with Google consumer data.
Financial details of the arrangement have not been disclosed.