Who should see a person’s medical records? Easy. Their doctors and themselves. And whoever else is either statutorily entitled to see them or whom you say can see them. That alone opens lots of possibilities for how one’s data can get out, even with all of the Health Insurance Portability and Accountability Act (HIPAA) regulations on privacy.
Cloud computing, the aggregation of data required by artificial intelligence, and the scale of some health care organizations combine to expand the potential for loss of an individual’s control over their data. A case in point: a deal between Google and the Ascension group under which tens of millions of people’s health care data will end up in Google’s cloud. Ascension is a large, non-profit health care organization with 2,600 facilities. The Wall Street Journal reports the arrangement has caught the attention of Health and Human Services’ Office of Human Rights, which is investigating.
It’s the kind of arrangement that, correctly, does get the attention of feds concerned with HIPAA compliance and privacy generally.
According to the published stories, Google will add artificial intelligence to the data such that when a provider types in a patient’s name, all sorts of treatment options and prognostications will spit out.
Choosing Google for aggregation of storage that was scattered across many data centers is itself unremarkable. Organizations in the federal, non-profit (like Ascension) and commercial domains are all aggregating their data and applications in one commercial cloud or another, and using the value-added data services the companies provide. The understanding with any cloud provider is that your own stuff is simply inaccessible to anyone else, including the cloud provider’s employees. Like a bank account.
Ascension is not the only one taking this route. The Defense Department, Veterans Affairs, and the Coast Guard have all chosen the Cerner Corporation’s electronic health record. They’re in various states of development and rollout of what will eventually be a uniform record. Cerner’s is an online application with customers’ data stored in its own cloud. The business arrangement and the objective don’t seem to match what the non-profit Ascension is doing.
The two questions for Google are, first, whether it will have access to the Ascension data, as Google, for purposes of independent research. That wouldn’t be illegal with the proper personally identifiable data safeguards in place. And second, whether Google will somehow monetize the data with advertising, as it does with Gmail and its other users. The company says it won’t.
Federal agencies such as the National Institutes of Health regularly conduct research on large medical data sets. They use elaborate technical approaches, which they continually test and update, to ensure anonymity of the data. They understand a given record has dual uses. Doctors working with specific patients, say in clinical trials, represent one type of use case. A fraud detector working for a payer like the Centers for Medicare and Medicaid Services represents another. A data scientist or researcher looking for medical insight represents still another. Some need the personally identifiable information; some have no right to it.
Google and some of the other Silicon Valley tech giants (SVTG) don’t have a great recent record when it comes to data people thought was private. Google is under a consent decree with the Federal Trade Commission after agreeing to a $170 million fine for collecting PII on children via YouTube.
Medical information holds a special sensitivity both in people’s minds and because of HIPAA. Even so, millions of people voluntarily post details of their physical and psychological maladies on Facebook for their “friends” to admire. But that’s their choice. Facebook users aren’t its customers; they’re its raw materials supply chain. In the Ascension case, the people who generated the data for the health care provider didn’t have any say over whether it ended up with Google.
When hooking up with cloud providers, companies and agencies spend a great deal of time on the service level agreements. Cybersecurity and privacy protections are among the baseline requirements. When you pay, you’ve got the right and responsibility to negotiate hard for the levels of safeguard consistent with the sensitivity of your data and applications. The Journal reports that Ascension isn’t paying Google for the arrangement. That sounds unusual, but maybe Google sees the effort as a loss leader to develop a model it can use with other health care organizations.
At first glance it all looks kosher. But federal regulators are wise to keep an eye on it. For agencies writ large, the arrangement provides a good reminder of how to deal with cloud providers and of the fundamental responsibility of government for dealing with data in the right way.