Big tech’s access to medical records
Recent high-profile news articles have drawn public attention to large technology companies’ access to medical information. As a result, health care entities need to prepare for questions about this topic and increased scrutiny of arrangements that permit such access.
In November 2019, The New York Times published an article describing an arrangement between Ascension Health and Google, known as “Project Nightingale,” in which Google was provided access to patient records in the course of providing certain services as a business associate to Ascension Health. Both Ascension Health and Google asserted the arrangement complied with HIPAA and, specifically, that patient information was not used by Google for any purpose other than the provision of services to Ascension Health and not accessible to the consumer-facing side of Google’s services. Nevertheless, privacy concerns were raised, and the Department of Health and Human Services quickly announced that it had opened an inquiry into this arrangement.
In a subsequent article (subscription required) in The Wall Street Journal about Project Nightingale, the arrangement was described as “the biggest effort yet from a U.S. technology company to enter the health-care industry through the handling of patients’ sensitive medical data.” It was reported that Congressman Mark Warner (D-VA) was seeking to halt Project Nightingale pending an investigation and had stated that “[a]llowing already-dominant technology platforms to leverage their hold over consumer data to gain entrenched positions in the health sector is a worrying prospect.”
Numerous articles have followed, often raising concerns about these arrangements and questioning the propriety of technology company access to medical information. The article “Inside Google’s Quest for Millions of Medical Records” (subscription required), which appeared in The Wall Street Journal in January 2020, warns that “[m]edical information is perhaps the last bounty of personal data yet to be scooped up by technology companies. The health data-gathering efforts of other tech giants such as Amazon and [IBM] face skepticism from physician and patient advocates. But Google’s push, in particular, has set off alarm bells in the industry, including over privacy concerns.”
Another article appearing in The Wall Street Journal within the same month, titled “Hospitals Give Tech Giants Access to Detailed Medical Records,” (subscription required) highlights examples of arrangements similar to Project Nightingale entered into by Microsoft, IBM and Amazon. The arrangements all include research or technology development activities on behalf of the health care entities. While the article states that “[t]here is no indication of wrongdoing in the deals,” it also claims that these arrangements have “raised concerns among lawmakers, patients and doctors about privacy” and that “privacy laws enabling companies to swap patient data have positioned hospitals as a primary arbiter of how such sensitive data is shared.”
As demonstrated, this issue remains a hot news topic. Hospitals and health care entities should be prepared for questions from the media, the public and potentially lawmakers regarding what access big technology companies have to their patients’ medical information. With the publicity of these arrangements, it also may be more likely that a patient requests a specific restriction, such as “don’t give my information to Google.” In this case, a covered entity should be careful to follow the HIPAA rules on restriction requests when responding.
Further, these articles correctly note that large technology companies are rapidly entering health information technology services. When entering into business associate arrangements with these companies, it should be expected that such arrangements may face additional scrutiny. Hospitals and health care entities should consider implementing data governance policies that provide oversight of these arrangements to ensure applicable rules are followed and assist with managing the evolution of big technology’s involvement with medical information.
This is for informational purposes only. It is not intended to be legal advice and does not create or imply an attorney-client relationship.