by taborj
2412 days ago
I, too, am familiar with (and bound by) HIPAA. I agree this is likely a violation. Having said that, my job in the healthcare IT world is building interfaces, i.e. facilitating the transfer of health data from one system to another.

Most likely what's going on here is Google and Ascension have a project together, and part of that project is either an interface or a data dump from Ascension to Google for the purposes stated in the article. I haven't read all the information, but generally the data will be "de-identified", which some interpret as sufficient to avoid HIPAA violations.

Neither company is small or ignorant; they both had their lawyers look at the contract and they signed off on it. So either the lawyers at both companies are mistaken or misled, or somewhere after the initial scoping the scope changed (which, btw, happens all the time) and nobody updated legal or felt the need to update management or raise a concern.

And that's concerning, regardless of which option it is. Either the legal teams at both companies are ill-informed or outright ignorant (perhaps intentionally), or there are no checks -- and no responsible project managers -- in place to prevent this from occurring. Somewhere along the line, someone should have suggested that this was perhaps not cool, and taken the issue up the chain of command. Most healthcare companies have a well-established process in place for that, and I can't believe either of these would be different in that respect.

You should read what both Google and Ascension have said about this -- the data is intentionally not being de-identified, although it's not clear as to what the rationale for that decision is.
Even if it were, though, de-identification isn't actually very effective, particularly if you have easy access to a mountain of other personal data (such as Google has).
> Neither company is small or ignorant; they both had their lawyers look at the contract and they signed off on it.
I'm quite certain that, at worst, both companies think that they can get away with this legally. Even if it's entirely legal, though, that in no way means it's right or acceptable.