>What about patient data? All of Google’s work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and come with strict guidance on data privacy, security and usage. ... To be clear: under this arrangement, Ascension’s data cannot be used for any other purpose than for providing these services we’re offering under the agreement, and patient data cannot and will not be combined with any Google consumer data.
No you don’t, there are fines if you are found in violation but no one is checking on an ongoing basis. Specific entities may privately pay for audits or do so as part of certifications (HiTrust, etc) but that’s not required.
The dept of HHS requires any organization with HIPAA business associate status to regularly undergo audits.
Can you fly under the radar and potentially get away with not doing it? Of course, anything is possible. Could a multibillion dollar internet organization beholden to shareholders and under public scrutiny get away with it? Not likely.
When there's an obvious breach, hopefully. How would we even know if Google were abusing this data though? Does anyone have access to it besides Google? Are we literally asking Google to regulate itself with this data?
EDIT: I guess I don't understand. Once we give Google the sensitive information, how do we have any way of knowing what they do with it? I'm guessing an audit on all of Google's data is out of the question.
The point of this article is that a whistleblower is saying "they're not controlling access properly".
While the Grauniad is trying to spin it to sound worse, the whole point is Google are providing data processing services to a valid HIPAA processor via Google Cloud, not that they nefariously bought the data to integrate it with the search results.
Much like health data stored on AWS with a dedicated internal project team could be accessed by "Amazon" staff. It's kinda the point, the Google staff have been brought in to help manage the data.
Your point is valid, but I think there was a mis-read or mis-statement. The parent comment probably should have addressed the difficulty of enforcing such provisions.
> Does anybody enforce this or do we just take Google at their word?
Yes, the DHHS Office of Civil Rights enforces HIPAA Privacy and Security rules. That enforcement is reactive, as there is no independent regular compliance certification or monitoring required, however, which is a weakness, but the fact that detection of violation can lead to personal as well as institutional penalties, and that those penalties are criminal as well as civil, means it's not a risk that decision-makers tend to be willing to take on just because it would (so long as undetected) provide a business opportunity.
They have the job of doing so for the whole healthcare industry; and certainly have the authority. Capability is a question I'm less comfortable answering, but I would say that I see no evidence that they have a Google-specific problem in that regard. There is definitely a lot that could be done to improve enforcement capacity in the health data privacy and security space, and that's definitely something that should be pursued independently of whether some firms choose Google as BA.
The article says that it might be: "According to the whistleblower, the security fears raised at that meeting, including concerns that the transfer may be in breach of federal HIPAA rules on data privacy, have so far gone unanswered by Google."
That said, most people do not understand how HIPAA works (I am in no way saying you are one of these people). Unless you are a healthcare provider (think doctor) or a business that is supporting those providers (think 3rd party tools built specifically for managing healthcare records) it's pretty difficult to have a legitimate HIPAA complaint made against you.
I am indeed someone who doesn’t understand how HIPAA works. I have seen instances of healthcare professionals getting jail time for disclosing celebrity health records however. How is Google able to legally get access to these records? I suspect they’re not and if so, someone should be held criminally liable for this.
If Google is able to get these, what’s stopping anyone else?
If you're a covered entity (CE) under HIPAA, you are allowed to have business associates (BAs). BAs are other parties that the CE exchanges PHI with in order to provide services (billing companies, cloud storage providers, etc.). According to the HITECH Act, BAs are bound by the provisions of HIPAA.
Per their press release (https://cloud.google.com/blog/topics/inside-google-cloud/our...), Google is playing the role of a BA as a part of this deal. They have signed a business associate agreement (BAA), as HIPAA requires. This agreement will have defined the permitted uses for the PHI that Ascension is transmitting to Google.
Basically this all sounds utterly ordinary. It's 2019 and even healthcare companies want to be in The Cloud (and especially want to be associated with AI and ML). My last company stored lots of PHI in AWS. AWS signed a BAA with us. Now, if someone at Google with access to this PHI misuses it (e.g., accesses it for an invalid reason or sells it on the black market), then they could be in violation of HIPAA and face penalties. But the mere fact that a covered entity is transferring data to a business associate in no way suggests a HIPAA violation on its own.
(Disclosure: I work at Google, but know nothing about this project.)
> How is google able to legally get access to these records
As a Business Associate of a health care provider organization, with an agreement in place binding them to the same rules for that data the principal they serve would have, which is enforceable not only by the principal, and by patients, but also directly against Google by the government.
> If google is able to get these, what’s stopping anyone else?
Nothing is stopping anyone else from offering the kinds of services to health care providers and insurers that involve patient data under a BAA; most health care providers and insurers have numerous Business Associates performing various functions involving patient data, including, in many cases, large tech firms like Microsoft, Amazon, and, sure, Google. If anything, Google is behind in this space in terms of volume because Amazon, Microsoft, and some more specialized firms in the healthcare space have stronger enterprise sales positions in general, and, especially for Microsoft and some of the more specialized firms, more established relations with firms in the space that make it a lower “activation energy” to engage those firms as BAs.
Essentially HIPAA is /the/ responsibility of the healthcare provider - not Google. I am not sure about the transference and the laws there but not giving it out is the less famous provider's job. They operate on unavoidable consequences to a designated entity for enforcement - no excuses or buck passing, they signed off on it sort of thing.
It doesn't preclude other crimes, whether from hackers, but doesn't technically guarantee them on Google's part. Technically the provider could have just given out sensitive information like complete idiots because they were asked.
I, too, am familiar with (and bound by) HIPAA. I agree this is likely a violation.
Having said that, my job in the healthcare IT world is building interfaces, i.e. facilitating the transfer of health data from one system to another. Most likely what's going on here is Google and Ascension have a project together, and part of that project is either an interface or a data dump from Ascension to Google for the purposes stated in the article. I haven't read all the information, but generally the data will be "de-identified", which some interpret as sufficient to avoid HIPAA violations.
Neither company is small or ignorant; they both had their lawyers look at the contract and they signed off on it. So either the lawyers at both companies are mistaken or misled, or somewhere after the initial scoping the scope changed (which, btw, happens all the time) and nobody updated legal or felt the need to update management or raise a concern.
And that's concerning, regardless of which option it is. Either the legal teams at both companies are ill-informed or outright ignorant (perhaps intentionally), or there are no checks -- and no responsible project managers -- in place to prevent this from occurring. Somewhere along the line, someone should have suggested that this was perhaps not cool, and taken the issue up the chain of command. Most healthcare companies have a well established process in place for that, and I can't believe either of these would be different in that respect.
> I haven't read all the information, but generally the data will be "de-identified"
You should read what both Google and Ascension have said about this -- the data is intentionally not being de-identified, although it's not clear as to what the rationale for that decision is.
Even if it were, though, de-identification isn't actually very effective, particularly if you have easy access to a mountain of other personal data (such as Google has).
> Neither company is small or ignorant; they both had their lawyers look at the contract and they signed off on it.
I'm quite certain that, at worst, both companies think that they can get away with this legally. Even if it's entirely legal, though, that in no way means it's right or acceptable.
Not because I think what Google did breaks HIPAA laws - there are many sub-threads below that can explain that better than I that this doesn't violate HIPAA - but rather the question helps highlight where we should truly be upset.
What Google did was legal; because of that, we should be upset that the government / regulatory bodies created an environment such that this was legal. Rallying against a publicly traded company of hundreds of thousands of employees for doing something "immoral" is not a productive use of your energy.
(The irony here is I usually am _against_ more regulation!)
It's a similar argument I made with the whole Martin Shkreli debacle: senators & congressmen/women got their picture day grilling him with the whole "how could you price gouge these poor, sick people?" But his consistent response was, essentially, the inverse: "How could you create an environment where this is totally 100% legal?"
I'm having trouble understanding how you feel this is immoral. You have a private healthcare system, and as such your data is already in the hands of numerous private companies. From the hospital itself, to various data processing partners that implement patient record systems, billing systems, image processing for various tests, lab companies and so on.
But suddenly this company, Google, makes it immoral? It seems to me that if you care this much about private companies having your data, you should switch to a publicly owned healthcare system.