What Google Isn’t Saying About Your Health Records


Google’s semi-secret deal with Ascension is testing the limits of HIPAA as society grapples with the future impact of machine learning and artificial intelligence.

Glenn Cohen points out that HIPAA may not be keeping up with our methods of consent by patients and society on the ways personal data is used. Is prior consent, particularly consent from vulnerable patients seeking care, a good way to regulate secret commercial deals with their caregivers? The answer to a question is strongly influenced by how you ask the questions.

Here’s a short review of this current and related scandals. It also links to a recent deal between Mayo and Google, also semi-secret. A scholarly investigative journalism report of the Google AI scandal with London NHS Foundation Trust in 2016 might be summarized as: the core issue is not consent; it is a conflict of interest at the very foundation of the information governance process. The foxes are guarding the patient data henhouse. When the secrecy of a deal is broken, a scandal ensues.

The parts of the Google-Ascension deal that are secret are likely designed to misdirect attention away from the intellectual property value of the business relationship.

HIPAA grants the hospital, the “covered entity,” the right to delegate certain functions to “business associates” that are presumed to be outsourced services that might otherwise be done by the covered entity itself. A good example of that would be a transcription service that converts a doctor’s dictation into text and just sends it back to the hospital. The assumption there, and core to the provider-centered HIPAA privacy model, is that the transcription service does not use the content of the patient record they are transcribing for their own purposes, such as selling the data to a third party. Sounds reasonable, but HIPAA is ancient in modern network and artificial intelligence computing terms.

Over more than two decades, the practices of business associates justified under HIPAA have drifted to seriously undermine the privacy interests of individual patients as well as society as a whole. One drift, about ten years ago, treats health information exchanges as HIPAA business associates. Now, a business associate can use the patient data in a way that was not entirely under the control of the covered entity or obvious to the patient. A recent example is the dispute between Surescripts as the HIPAA business associate and Amazon PillPack pharmacy as a HIPAA covered entity. The privacy issue in this case is that the patient has an open consented relationship with PillPack as their pharmacy but has no knowledge of how or why Surescripts is using their data for their own business reasons. Surescripts business practices are now under federal investigation, but their use of patient data without consent continues and the privacy aspect of this scandal will play out in the courts.

The next stage of HIPAA drift is machine learning for the benefit of the business associate, Google, in this case. This benefit might be monetized by selling trade secret medical advice to various hospitals and their patients. The privacy impact in this case is not to the individual patient of an Ascension hospital but to society as a whole. Until now, medicine has not been licensed as a trade secret. The advent of proprietary silos of medical science branded Mayo or Google is new and its impact on health care is hard to predict. What we do know is that patients, when asked, are reluctant to let their personal data to be used for profit. Ascension is a nonprofit entity but Google is not. HIPAA is now being used to avoid informed consent for corporate data uses well beyond the patient’s relationship with their Ascension hospital. The public misdirection is driven by conflict of interest since all parties to the secret deal benefit and neither physicians nor patients are consulted.

The Ascension-Google deal bundles simple HIPAA business associate services like cloud computer hosting with less obvious machine learning technology that Google can sell outside of the Ascension relationship. Is Ascension getting a discount on the cloud hosting because of their contribution of patient data to Google’s future business? How much will Google charge a non-Ascension doctor or me as a patient for their medical record summary service? Will Google merge the machine learning from Ascension patients with the machine learning from Mayo patients? One thing seems sure, we’re expected to trust Google to not be evil because we’re certainly not being asked.

Adrian Gropper, MD, is the CTO of Patient Privacy Rights, a national organization representing 10.3 million patients and among the foremost open data advocates in the country. This post originally appeared on Bill of Health here.