by mercwear 2410 days ago
The article says that it might be: "According to the whistleblower, the security fears raised at that meeting, including concerns that the transfer may be in breach of federal HIPAA rules on data privacy, have so far gone unanswered by Google."

That said, most people do not understand how HIPAA works (I am in no way saying you are one of these people). Unless you are a healthcare provider (think doctor) or a business that is supporting those providers (think 3rd party tools built specifically for managing healthcare records) it's pretty difficult to have a legitimate HIPAA complaint made against you.


I am indeed someone who doesn’t understand how HIPAA works. I have seen instances of healthcare professionals getting jail time for disclosing celebrity health records however. How is Google able to legally get access to these records? I suspect they’re not and if so, someone should be held criminally liable for this.

If Google is able to get these, what’s stopping anyone else?

If you're a covered entity (CE) under HIPAA, you are allowed to have business associates (BAs). BAs are other parties that the CE exchanges PHI with in order to provide services (billing companies, cloud storage providers, etc.). According to the HITECH Act, BAs are bound by the provisions of HIPAA.

Per their press release (https://cloud.google.com/blog/topics/inside-google-cloud/our...), Google is playing the role of a BA as a part of this deal. They have signed a business associate agreement (BAA), as HIPAA requires. This agreement will have defined the permitted uses for the PHI that Ascension is transmitting to Google.

Basically this all sounds utterly ordinary. It's 2019 and even healthcare companies want to be in The Cloud (and especially want to be associated with AI and ML). My last company stored lots of PHI in AWS. AWS signed a BAA with us. Now, if someone at Google with access to this PHI misuses it (e.g., accesses it for an invalid reason or sells it on the black market), then they could be in violation of HIPAA and face penalties. But the mere fact that a covered entity is transferring data to a business associate in no way suggests a HIPAA violation on its own.

(Disclosure: I work at Google, but know nothing about this project.)

> How is Google able to legally get access to these records

As a Business Associate of a health care provider organization, with an agreement in place binding them to the same rules for that data the principal they serve would have, which is enforceable not only by the principal, and by patients, but also directly against Google by the government.

> If Google is able to get these, what’s stopping anyone else?

Nothing is stopping anyone else from offering the kinds of services to health care providers and insurers that involve patient data under a BAA; most health care providers and insurers have numerous Business Associates performing various functions involving patient data, including, in many cases, large tech firms like Microsoft, Amazon, and, sure, Google. If anything, Google is behind in this space in terms of volume because Amazon, Microsoft, and some more specialized firms in the healthcare space have stronger enterprise sales positions in general, and, especially for Microsoft and some of the more specialized firms, more established relations with firms in the space that make it a lower “activation energy” to engage those firms as BAs.

Essentially HIPAA is /the/ responsibility of the healthcare provider - not Google. I am not sure about the transference and the laws there but not giving out is the less famous provider's job. They operate on unavoidable consequences to a designated entity for enforcement - no excuses or buck passing they signed off on it sort of thing.

It doesn't preclude other crimes whether from hackers but doesn't technically guarantee them on Google's part. Technically the provider could have just given sensitive information like complete idiots because they were asked.

> I suspect they’re not

Why not?

I, too, am familiar with (and bound by) HIPAA. I agree this is likely a violation.

Having said that, my job in the healthcare IT world is building interfaces, i.e. facilitating the transfer of health data from one system to another. Most likely what's going on here is Google and Ascension have a project together, and part of that project is either an interface or a data dump from Ascension to Google for the purposes stated in the article. I haven't read all the information, but generally the data will be "de-identified", which some interpret as sufficient to avoid HIPAA violations.

Neither company is small or ignorant; they both had their lawyers look at the contract and they signed off on it. So either the lawyers at both companies are mistaken or misled, or somewhere after the initial scoping the scope changed (which, btw, happens all the time) and nobody updated legal or felt the need to update management or raise a concern.

And that's concerning, regardless of which option it is. Either the legal teams at both companies are ill-informed or outright ignorant (perhaps intentionally), or there are no checks -- and no responsible project managers -- in place to prevent this from occurring. Somewhere along the line, someone should have suggested that this was perhaps not cool, and taken the issue up the chain of command. Most healthcare companies have a well established process in place for that, and I can't believe either of these would be different in that respect.

> I haven't read all the information, but generally the data will be "de-identified"

You should read what both Google and Ascension have said about this -- the data is intentionally not being de-identified, although it's not clear as to what the rationale for that decision is.

Even if it were, though, de-identification isn't actually very effective, particularly if you have easy access to a mountain of other personal data (such as Google has).

> Neither company is small or ignorant; they both had their lawyers look at the contract and they signed off on it.

I'm quite certain that, at worst, both companies think that they can get away with this legally. Even if it's entirely legal, though, that in no way means it's right or acceptable.