
When Google Meets HIPAA: Some Privacy and Regulatory Issues as Silicon Valley Enters the Health Care Space

Cybersecurity and Privacy   |   Health Care   |   November 15, 2019

On November 12, 2019, the U.S. Department of Health and Human Services' Office for Civil Rights announced that it would be examining Google’s collaboration with Ascension, a nonprofit health care system that operates approximately 2,600 facilities, including hospitals and nursing homes, in 21 states and the District of Columbia. Dubbed “Project Nightingale,” Google’s efforts for Ascension reportedly include the collection and organization of tens of millions of patient medical records with the aim of using artificial intelligence and machine learning to improve patient care. The Office for Civil Rights will presumably be focused on whether Google and Ascension’s arrangement complies with the federal Health Insurance Portability and Accountability Act (HIPAA) and related regulations.

Google and Ascension have both stated that they are in compliance with HIPAA, and Google has told the press that it is acting pursuant to a “business associate agreement.” Under that agreement, Google has reportedly argued, it can use patient data to build treatment tools for Ascension’s use, and patients need not be notified. This view is not unreasonable, as HIPAA allows health care providers to share protected health information (PHI) with third-party service providers to execute daily functions and activities related to treatment, payment, and health care operations. Examples of these third-party service providers, known as “business associates” under HIPAA, include claims processors, accounting firms, and utilization consultants. And with respect to contemporary, technological service providers, a prime example of a 21st-century business associate is a cloud service provider (such as Google), which can offer a health care provider an array of digital tools to potentially enhance patient outcomes and safety.

Under HIPAA, a health care provider’s “notice of privacy practices” must be made available to patients to inform them about how the health care provider will use and disclose PHI. But if patients have received a notice (or at least had a notice made available to them) that includes provisions on how PHI will be shared with business associates, patients will generally not receive additional notifications when their PHI is shared with third parties such as claims processors, accountants, and other business associates. The analysis should not change when a cloud service provider is hosting and analyzing patient data to carry out a provider’s daily functions related to treatment, payment, and health care operations.

In this particular case, Google may not have to be especially concerned about other privacy laws. Because Ascension is a nonprofit, California’s new sweeping privacy law, the California Consumer Protection Act (CCPA), likely does not apply. And even if it did — as it may in future ventures that Google may pursue with for-profit health care providers — then the CCPA’s exemption for HIPAA would likely provide some shelter for both Ascension and Google. Section 1798.145(c)(1) of the California Civil Code exempts PHI collected by a "covered entity" or "business associate" as those terms are defined in HIPAA. HIPAA, in turn, defines PHI as information relating to the physical or mental health or condition of an individual, or the provision of or payment for health care to an individual, for which there is a reasonable basis to believe it can be used to identify the individual. The fact that HIPAA applies is therefore likely to reduce the impact of California state law on these sorts of arrangements.

It is also important to note that while the privacy concerns driving the regulatory scrutiny and press coverage are appropriate, so far much of the discussion glosses over the potential benefits of Project Nightingale. Indeed, Google’s efforts could be seen as attempts to “[i]mprove the health and well-being of individuals and communities through the use of technology and health information that is accessible when and where it matters most.” That mission statement, which sounds very similar to the goals articulated by Google and Ascension, is actually from the Office of the National Coordinator for Health Information Technology, the U.S. entity “charged with coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information.”

Project Nightingale demonstrates how health information technology might be able to leverage artificial intelligence, machine learning, and other emerging technologies to deliver more efficient and effective patient care. Furthermore, many health care providers have been shifting their IT infrastructures to off-site cloud providers (such as Google, Amazon, and Microsoft), thereby removing the need for on-site data centers and, ideally, optimizing the way data is stored, protected, and analyzed. With respect to data analysis, one of Project Nightingale’s goals is to allow Google’s G Suite productivity tools to “enhance Ascension employees’ ability to communicate and collaborate securely in real time, supporting interdisciplinary care and operations teams across Ascension sites of care.”

While the current focus in the media is understandably on privacy concerns, it is possible that, as time progresses, the public dialogue will start to focus on how innovative collaborations, such as Project Nightingale, might be able to improve collaboration among health care practitioners, enhance patient outcomes and safety, and reduce the costs of care associated with information inefficiencies in today’s health care system. Privacy concerns are real and valid in this area, and new regulatory concerns may emerge, but we should also remain open to the possibility that Silicon Valley can help improve health care.


©2019 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.
