Google’s Project Nightingale – Do No Harm

Privacy Plus+

Privacy, Technology and Perspective

This week, the Wall Street Journal broke an explosive story that Google and non-profit hospital system Ascension have been running a secret initiative known as Project Nightingale, which has amassed the protected health information (“PHI”) of over 50 million Americans across 21 states. Project Nightingale is reported to have given Google access to and the ability to analyze PHI on a large scale. A link to the story follows:

https://www.wsj.com/articles/google-s-secret-project-nightingale-gathers-personal-health-data-on-millions-of-americans-11573496790

Since then, much has happened:

First, Google issued a statement confessing to its reported partnership with Ascension. It characterized Project Nightingale as providing Ascension “with technology that helps them to deliver better care to patients across the United States.” A link to Google’s statement appears here:

https://cloud.google.com/blog/topics/inside-google-cloud/our-partnership-with-ascension

Several lawmakers then expressed concerns over patient privacy, including Senator Amy Klobuchar (D-Minn.), who along with Senator Lisa Murkowski (R-Alaska) has introduced legislation to expand health data protections. A link to Senator Klobuchar’s statement about Project Nightingale follows:

https://www.klobuchar.senate.gov/public/index.cfm/2019/11/klobuchar-expresses-privacy-concerns-regarding-reports-that-google-and-ascension-are-sharing-private-health-data

Then the Office for Civil Rights (“OCR”) for the Department of Health and Human Services reportedly opened an investigation into whether Project Nightingale and Google’s mass access to and processing of PHI violate patient privacy rights under HIPAA.

Finally, the whistleblower who first disclosed the existence of Project Nightingale penned an op-ed in The Guardian, explaining his reasons for coming forward, and noting, among other things, “What was Google planning to do with the data they were being given access to? No-one seemed to know.” A link to the story follows:

https://www.theguardian.com/commentisfree/2019/nov/14/im-the-google-whistleblower-the-medical-data-of-millions-of-americans-is-at-risk

Whether or not Project Nightingale has already caused harm remains to be seen. Under HIPAA, hospitals (like Ascension) are allowed to share PHI with “business associates” without informing patients as long as the information is used to “help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes.” This exchange of PHI is governed by the contractual relationship between that hospital and the business associate and is usually covered by a Business Associate Agreement (“BAA”), which imposes certain restrictions and conditions with respect to the business associate’s handling of PHI.

In its statement, Google says it has a BAA with Ascension. If the Ascension-Google BAA was appropriately compliant and Google itself complied with its terms by processing the PHI solely in furtherance of Ascension’s “health care functions,” then that should allay the concern that Google may have violated HIPAA by using the PHI for its own purposes (for example, to conduct independent research, or for profiling or marketing activities) – at least up to now.

Regardless, Big Tech’s deep incursions into medical records and the adoption of new technologies (e.g., health tracking apps, home DNA testing kits, and wearable technology devices) continue to raise privacy concerns. At the same time, hospitals are being challenged to deliver ever-improving patient outcomes and experiences for less cost. The challenge everyone faces is how to improve medical outcomes and costs while maintaining patient dignity.

As we have urged before: We believe that there must be a balance between patient dignity and AI prosperity. Allowing Big Tech to drive this effort makes us uneasy. For more on the subject as well as suggestions for a solution, you can review our previous post, entitled Patient Dignity and Artificial Intelligence (AI) Prosperity, at the link that follows:

https://www.hoschmorris.com/privacy-plus-news/patient-dignity-and-artificial-intelligence-ai-prosperityyes-people-in-the-us-could-have-both-with-a-suggested-new-hipaa-provision

Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.
