traffic_analyzer/DigitalVision V

Senators Press Ascension on Data Sharing Agreement with Google

Calling Google’s responses to their inquiry incomplete, a group of senators are asking Ascension to shed light on its data sharing agreement with Google in light of patient privacy concerns.

Sens. Bill Cassidy, MD, R-Louisiana, Elizabeth Warren, D-Massachusetts, and Richard Blumenthal, D-Connecticut, are pressing Ascension on its data sharing agreement it holds with Google, given the tech giant’s incomplete answers to its initial inquiry into their partnership.

Media reports revealed the second largest health system in the US had partnered with Google on several patient care initiatives. The Wall Street Journal reported “Project Nightingale” would allow the tech giant to amass the health records of Ascension patients across 21 states without their consent.

However, both parties have stressed that their partnership follows HIPAA-compliant rules for business associates. Under HIPAA, covered entities are permitted to share data with business partners, and the business associate is barred from using data for “the business associate’s independent use or purposes.”

Google and Ascension both reported they have a contract in place that specifically outlines the manner in which the data is allowed to be used. Despite those assurances, the partnership inadvertently sparked a privacy debate across the country.

Project Nightingale has also led to several investigations, including an ongoing inquiry by the Office for Civil Rights.

The latest inquiry targets Ascension, following its investigation into Google. The Senators say the tech giant “did not provide much of the information requested.”

“Because Google's response did not answer a number of our questions pertaining to Ascension's involvement, we are requesting additional details from Ascension to help us better understand how Project Nightingale protects the sensitive health information of American patients,” the senators wrote.

“It’s critical lawmakers receive comprehensive information about Project Nightingale, which serves as a case study of Google's more extensive foray into electronic health records," they continued. "While improving the sharing, accessibility, and searchability of health data for providers could almost certainly lead to improvements in care, the role of Google in developing such a tool warrants scrutiny."

Ascension is being asked to shed light on details Google failed to provide, including a full list of patient-level information Google is receiving from the health system and the exact number of health records received by the company. Responses must be received by March 23.

Google’s responses to the inquiry repeated that the partnership is on the level, with reports creating a “great deal of speculation” about the partnership and compliance.

The tech giant again stressed the partnership is covered by a business associate agreement, as Google was tasked to modernize Ascension’s data infrastructure, implement G-suite tools, the develop tools to improve clinical quality and patient safety.

Google works with “dozens of healthcare providers” that use Google’s tech to help organize and secure healthcare data. Under its agreement with Ascension, the EHR search pilot migrates patient information from electronic medical records to Ascension’s secure Google cloud storage under a business associate agreement.

“Access to PHI is provided to designated Google employees for purposes of providing EHR search-related services to Ascension,” Google wrote. “Ascension is the initial health system involved in the EHR search pilot program. EHR search will enable doctors to access a unified view of patient data that is typically spread across multiple EHR systems.”

“The EHR search tool being used in the pilot program allows doctors and nurses to more quickly and effectively query a medical record using words and abbreviations commonly used by health care providers and to receive results in a useful format from records stored in different types of EHR systems,” they added.

Google also stressed the onus of notifying patients about the agreement fall upon the covered entity, in this case Ascension. Further, they stressed that patients aren’t allowed to opt-out of the EHR, but the BAA ensures Google is only allowed to receive the “minimum necessary information needed to provide services to the health system.”

Lastly, Google stressed that the data is not being used to target individuals with advertisements or to identify services for specific individuals. And patient data is only accessible through a strictly controlled environment with audit trails.

“To keep data private and secure, Google logically isolates Ascension’s data from that of other customers and users,” Google wrote. “Approvals for roles granting access to Ascension data are managed by workflow tools that maintain audit records of changes.”

“These tools control both the modification of authorization settings and the approval process to ensure consistent application of the approval policies,” they added. “The Google systems and infrastructure that support the cloud-based services being provided to Ascension are subject to periodic security testing and audits against industry-standard security frameworks such as ISO 27001.”

Next Steps

Dig Deeper on HIPAA compliance and regulation