Hospitals differ sharply in what patient data they give Google
In deals struck across the U.S., hospital systems appear to be adopting starkly different protocols for sharing personal health information with Google (GOOGL), fueling broad concerns about the ability of patients to control the use of their data.
In a controversial collaboration with the hospital chain Ascension, Google gained access to millions of patient records, including names and birthdates, so it could use its artificial intelligence tools to analyze the information. The arrangement has triggered a fact-finding review by federal regulators.
Two months ago, Google struck a similar partnership with Mayo Clinic that differed in one key respect: Executives with both organizations emphasized to a STAT reporter that any data accessed by Google for analysis would be anonymized.
And in another data-sharing partnership with the University of Chicago, Google and that hospital system also indicated patient information would be anonymized, but the organizations were later accused in a lawsuit of failing to strip identifiable details from doctor’s notes and remove date stamps of when patients checked in and out of the hospital.
Variations in the handling of patient information may stem from differences in privacy standards applied by these hospitals and the states in which they operate. But health information specialists and ethics experts told STAT that these inconsistencies also reflect the obsolescence of the 1996 federal privacy law known as HIPAA and an environment in which hospitals and tech companies have broad latitude to exchange data without the knowledge or consent of patients.
“It feels a little like the Wild West,” said Benjamin Moseley, an associate professor of operations research and machine learning at Carnegie Mellon University. “We have an opportunity to drastically improve the health care system by making decisions based on data. But if we want to take advantage of the data, we need to make sure we really are protecting people’s identities.”
Neither Google nor Ascension responded to STAT’s requests for comment. Both have issued statements asserting that their partnership complies with HIPAA and that patient data will be used to improve care.
Meanwhile, the British newspaper The Guardian on Thursday published an anonymous article by the whistleblower who disclosed details of the data collaboration to media outlets. “Over time I grew increasingly concerned about the privacy and security aspects of the deal,” the whistleblower wrote, adding: “Above all — why was the information being handed over in a form that had not been de-identified?” The whistleblower said patients should have been told how their data were being used and given a chance to opt in or opt out.
Over the past several years, Google has won contracts to provide its cloud storage, software products, and analytics services to a number of major health systems, including the University of Colorado, Stanford Medicine, the University of California, San Francisco, and Cleveland Clinic, among others.
It is far from alone in that respect. Microsoft, Amazon (AMZN), IBM, and other companies have also scored contracts with large hospitals, and some of their deals have involved the analysis of large amounts of patient data.
Dr. John Halamka, a professor of health care innovation at Harvard Medical School, said it is not unusual for hospitals to share identifiable patient information with certain vendors. He said hospitals often hire outside firms to audit such data partners to ensure they have robust security protocols and training programs for employees.
He said, however, that practices vary so much that some states like Massachusetts are seeking to establish criteria to certify which entities are trustworthy enough to securely handle health information. Some states enforce data protections that are more rigorous than HIPAA, while others are more relaxed.
“Our problem in the United States is that we have 50 different variations on privacy and consent,” Halamka said, adding that HIPAA needs to be updated to reflect modern data-sharing practices and increasing efforts to analyze information with artificial intelligence.
“Some say regulation is an impediment to data use,” he added. “I have a different view: Regulation is a road map for how to appropriately use data and ensure the data owners, users, and generators all understand the rules of the road.”
The increase in hospital partnerships with technology companies results from two converging trends. Many providers are moving more information to the cloud to cut the cost of server maintenance and leverage the security expertise of major technology companies. Many are also eager to access artificial intelligence tools that can help them analyze patient data to deliver more effective care and eliminate waste.
That latter effort is where things start to get sticky.
In the case of Google’s partnership with Ascension, both parties have said the analysis of the data will be used only to improve care for patients and that they have signed a business associate agreement to that effect. Under HIPAA, such agreements give hospitals latitude to share data with third parties as long as it is used to help the hospital carry out its health care functions, not for the benefit of the third party.
Robert Cook-Deegan, an ethics expert and professor at Arizona State University’s School for the Future of Innovation, said the language gives organizations like Google and Ascension too much control over the data, without forcing them to disclose their plans or motives to patients.
“I don’t see the transparency and I don’t see the credible process for representing the rights and interests of patients,” he said. “Google and Ascension are going to be driven by their financial interests.”
Google executives have made clear in recent years that they see health care as a huge business opportunity. The company’s ability to seize that opportunity depends heavily on its access to patient data that it can use to showcase its capabilities in artificial intelligence, where algorithms may help doctors improve screening for diseases, intervene earlier, and identify the most effective treatments.
Cook-Deegan and others said that while those efforts are positive — and may eventually result in major improvements in care — Google and hospitals must include patients in their decision-making if they want to achieve their goals.
“They need a process that says, ‘This isn’t just about the money,’” he said. “Right now they are dealing with the data from individuals and they don’t have anything in place that says, ‘Here’s what we’re doing and here’s why we’re doing it.’”