Federal inquiry opened into Google health data deal

Google’s partnership with Ascension, the nation’s largest nonprofit health system, is the subject of a federal inquiry, a senior official told The Hill Wednesday.

The Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) “will seek to learn more information about this mass collection of individuals’ medical records to ensure that HIPAA protections were fully implemented,” Roger Severino, the office’s director, said in a statement, referring to the federal law restricting the release of medical information.

The inquiry was first reported by The Wall Street Journal on Tuesday.

The project, codenamed “Nightingale,” received little attention until the Journal publicly reported details of it for the first time on Monday.

The backlash: The partnership to collect and analyze health data received swift criticism from lawmakers and privacy advocates concerned about sensitive patient information.

One significant concern raised was whether the deal violated the Health Insurance Portability and Accountability Act and its rules on handling health care data, which the OCR is now investigating.

In a press release posted hours after the Journal report, Google said Ascension was using Google’s cloud services to “securely manage their patient data, under strict privacy and security standards,” including HIPAA.

Google pointed The Hill to a Q&A on its site, where the tech giant said “we are happy to cooperate with any questions about the project.”

Google’s work to help Ascension, the nation’s largest nonprofit health system, collect and analyze data on millions of patients is coming under intense scrutiny from lawmakers, privacy advocates and regulators.

Experts who spoke to The Hill agreed that the Google-Ascension partnership does not violate HIPAA, the 1996 rule that regulates health data privacy.

“There are many areas in which the HIPAA privacy rules give the covered entities wide leeway to use information,” Mark Rothstein, a public health law scholar at the University of Louisville, said.

Google’s cloud services could be interpreted as “quality improvement,” one of HIPAA’s permitted uses for business associates, he explained.

“Within the letter of the law it appears to be meeting all of HIPAA requirements,” said Margaret Riley, a law professor at the University of Virginia who focuses on health law.

Where Congress comes in: Sens. Amy Klobuchar (D-Minn.) and Lisa Murkowski (R-Alaska) in June introduced the Protecting Personal Health Data Act, which gives consumers more control over their health data.

“This collaboration isn’t the only one that raises serious privacy concerns,” Klobuchar, who is running for president, told The Hill in a statement about Google’s work. She also cited concerns with technology like smartwatches and home DNA kits that collect personal data.

The House is also considering new health data policy rules, and a House Energy and Commerce Committee spokesperson said that “meaningful protections and consumer control for health data not covered by HIPAA” will be included in upcoming comprehensive privacy legislation.