[vechagup]

If you're a covered entity (CE) under HIPAA, you are allowed to have business associates (BAs). BAs are other parties that the CE exchanges PHI with in order to provide services (billing companies, cloud storage providers, etc.). According to the HITECH Act, BAs are bound by the provisions of HIPAA.

Per their press release (https://cloud.google.com/blog/topics/inside-google-cloud/our...), Google is playing the role of a BA as a part of this deal. They have signed a business associate agreement (BAA), as HIPAA requires. This agreement will have defined the permitted uses for the PHI that Ascension is transmitting to Google.

Basically this all sounds utterly ordinary. It's 2019 and even healthcare companies want to be in The Cloud (and especially want to be associated with AI and ML). My last company stored lots PHI in AWS. AWS signed a BAA with us. Now, if someone at Google with access to this PHI misuses it (e.g., accesses it for an invalid reason or sells it on the black market), then they could be in violation of HIPAA and face penalties. But the mere fact that a covered entity is transferring data to a business associate in no way suggests a HIPAA violation its own.

(Disclosure: I work at Google, but know nothing about this project.)