Feinberg defends Google’s patient data practices with Ascension
David Feinberg, MD, head of Google Health, contends that the tech giant’s partnership with St. Louis-based healthcare provider Ascension complies with regulations on the handling patient data.
Speaking at last week’s StartUp Health Festival in San Francisco, Feinberg told the conference that he’s “super proud” of Google’s work with Ascension “despite what they say in the newspaper”—a reference to the Wall Street Journal, which has raised concerns about the ways Google is collecting and analyzing the health information of millions of Ascension’s patients.
“Ascension chose us as a cloud provider for their records,” said Feinberg. “In our cloud services, the information is encrypted in transit. It’s encrypted at rest. We have no access to the information. I can’t tell you how many medical records there are because we actually charge for storage space. Think of it as a warehouse. The only one that has the key to that record is Ascension.”
Feinberg added that “the press has made this into something that it’s not.”
However, a Nov. 11, 2019, WSJ article detailed Project Nightingale, a business partnership with Ascension that began in secret last year. The newspaper article charged that the tech giant is “amassing health records from Ascension facilities in 21 states” for millions of Americans and that patients were not informed.
“Neither patients nor doctors have been notified,” according to the WSJ. “At least 150 Google employees already have access to much of the data on tens of millions of patients.”
Nonetheless, Feinberg insists that Google’s dealings with Ascension are fully compliant with HIPAA and includes strong security and privacy measures for protecting patient records.
“There may be times where Google employees are exposed to personal health information,” Feinberg told the StartUp Health Festival. “Those Google folks are trained in HIPAA. It’s through a business associate agreement. Ascension has 600 business associate agreements.”
Still, according to the WSJ, some Ascension employees have raised questions about the methods by which the data is being collected and shared “both from a technological and ethical perspective.”
But, in a January 11 blog, Ascension’s Chief Strategy and Innovations Officer Eduardo Conrado attempted to “set the record straight” on what is being done with Google to protect patient health information.
“Our privacy and data security practices are consistent with established HIPAA requirements, and we will continue to ensure that these are followed,” wrote Conrado. “In short, our work with Google Health has adhered to the same standards of data privacy and security oversight we have used in our work over many years with numerous healthcare partners, including EHR, registry, payer and analytics vendors, as well as state and federal agencies.”
Conrado noted that Ascension’s work with Google “in the piloting of a searchable, cloud-based longitudinal clinical record” falls under a business associate agreement between the two organizations.
“The clinical data shared with Google Health to pilot this application is protected by a series of layered security measures, including encryption, audit trails and limited permissions for who can access this data, all of which is controlled by Ascension,” he added. “Clinical information remains in Ascension’s private cloud environment, which is controlled, logged and monitored by Ascension.”
When it comes to protected health information, Conrado concluded that the “PHI available to the Ascension and Google Health EHR Search pilot teams is limited to a subset of Ascension patients” and that “the number of team members who access PHI, and the amount of that data that any team member accesses, is limited to what is necessary to complete their work.”
However, a January 11 WSJ article reported that—following the Journal’s story last November—Ascension subsequently “narrowed network access among its own staff and some at Google to information about Project Nightingale, people familiar with the matter say, adding that Ascension hasn’t re-examined its Google ties.”
The January 11 WSJ piece also noted that “federal investigators in the Department of Health and Human Services’ Office of Civil Rights in recent weeks began interviewing people close to Project Nightingale as part of an inquiry into what regulators called the ‘mass collection of individuals’ medical records’ and whether security or privacy were sacrificed.”