Project With Ascension Health System Raises Privacy Concerns
Three U.S. senators are demanding more answers from Catholic health system Ascension and Google over “Project Nightingale,” which is part of a controversial data-sharing and cloud migration initiative that has raised concerns about sharing patient information without explicit permission.
In a letter sent Monday to St. Louis-based Ascension, Sen. Bill Cassidy, M.D., R-La., and Democratic senators Elizabeth Warren of Massachusetts and Richard Blumenthal of Connecticut are demanding additional answers, including a complete list of patient-level information that Google received from Ascension and the exact number of health records that the company collected in Project Nightingale.
“It is critical that lawmakers receive comprehensive information about Project Nightingale, which serves as a case study of Google’s more extensive foray into electronic health records,” the senators write in their letter. “While improving the sharing, accessibility and searchability of health data for providers could almost certainly lead to improvements in care, the role of Google in developing such a tool warrants scrutiny.”
In addition to the letter to Ascension, the senators released Google’s response to a previous letter that they sent in November, asking for details about Nightingale and what information that company has collected.
One of the reasons why the senators sent the new letter this week to Ascension is that they claim Google’s answers did not satisfy their original inquiry into the project and what patient data may have been shared.
“Because Google’s response did not answer a number of our questions pertaining to Ascension’s involvement, we are requesting additional details from Ascension to help us better understand how Project Nightingale protects the sensitive health information of American patients,” according to the letter sent to Ascension on Monday.
Spokesmen for Google and Ascension did not respond to requests for comment on Wednesday.
In November, The Wall Street Journal first reported on Nightingale, which is part of a larger initiative between Google and Ascension, a Catholic health system with more than 2,600 care facilities throughout the U.S., including 150 hospitals (see: Privacy Analysis: Google Accesses Patient Data on Millions).
Under the agreement, Ascension is migrating its on-premises data warehouse and analytics infrastructure to a Google cloud environment, using Google G productivity tools for Ascension employees to communicate and collaborate in real time, and implementing Google’s artificial intelligence and machine learning technologies to support improvements in clinical quality and patient safety.
As part of that arrangement, Ascension is providing Google access to the health information of millions of its patients in 20 states and the District of Columbia, according to the Journal.
This is where Nightingale comes into play. As part of the program, Ascension is reportedly sharing patient names, lab results, diagnoses, hospitalization records, health histories and dates of birth with about 150 Google employees. But neither patients nor physicians were informed that the company was collecting the data under Project Nightingale, according to the Journal report.
In response to the November letter from Cassidy, Warren and Blumenthal, Dr. David Feinberg, the head of Google Health, notes that the company has complied with federal laws and regulations regarding patient privacy.
“Google’s work with Ascension is designed to adhere to industrywide regulations, including HIPAA,” Feinberg says in his Dec. 6 response to the Senators’ letter.
In addition, Feinberg notes that only a limited number of Google employees have access to patient data: “Only a limited group of Google employees has access to customer data. Further, Google employees’ access rights and levels are based on their job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities.”
In response, the three senators note in Monday’s letter that they still want more specific answers to their questions, including whether patients were ever notified and could opt out of the process, and if there’s been any breaches of the data.
In November, Cassidy and Sen. Jacky Rosen, D-Nev., introduced a bill that aims to protect the privacy of consumer health data collected on wearable devices, such as smartwatches and fitness trackers, in response to Google’s Project Nightingale and its acquisition of Fitbit (see: Bill Aims to Fill Consumer Health Device Data Privacy ‘Gap’).
There has been non action on the Cassidy and Rosen bill since it was introduced in November.
Also in November, the U.S. House Energy and Commerce Committee announced that it would investigate what data was shared between Google and Ascension.
The U.S. Department of Health and Human Services is also investigating the Nightingale project but an agency spokesman declined to comment on the letters sent from the Senators this week, according to the Wall Street Journal.
Managing Editor Scott Ferguson contributed to this report.