[altgoogler]

Googler here, my opinions are my own, standard disclaimer.

I'm not going to comment on this specific case but I do have almost a decade of previous non-Google experience working in clinical documentation technology.

As others have said, entering into a BAA with a covered entity, as HIPAA defines it, shouldn't be seen as a controversial action.

There are numerous problems in healthcare that are too complex for individual health systems to tackle. For example:

* Population Health: are there emergent changes in the regional population? What do you do about it? * Continuity of Care: The number of individual providers involved in a particular person's care continues to grow. How can you effectively inform the entire team--across health systems--what's most important for an individual now? How do you make sure nobody drops the ball?

To give you an idea of the scale, I have two examples. The first is MD Anderson Cancer Center in Houston. They used to have 200+ engineers working on their sophisticated home-grown EMR. It was a huge undertaking. But even with MDACC revenue, that development was unsustainable, and they moved to a 3rd party EMR vendor.

Second is the Mayo Health System. Another huge provider with facilities not just in flagship Rochester MN, but in several other sites. Again, there were realities that even at this scale internal development isn't sustainable across the board and they wound up with a $100M+ adoption of a 3rd party vendor.

And this is mostly straight-forward CRUD-level workflows. The technology is straightforward but the workflow expertise is not.

Now, try and solve some bigger problems. You're going to need help to do this at scale, and trying to solve it necessarily means giving access--not control of!--to medical records to drive R&D. It's happening right now, and Google is not the only player doing this at scale. They're not even the largest one.

Lastly HIPAA controls have real teeth, in comparison to the general consumer space (at least in the US).

[jhayward]

> To give you an idea of the scale, I have two examples. The first is MD Anderson Cancer Center in Houston. They used to have 200+ engineers working on their sophisticated home-grown EMR. It was a huge undertaking. But even with MDACC revenue, that development was unsustainable, and they moved to a 3rd party EMR vendor.

I'm not certain what aspect you are trying to highlight with this example, but readers should know that the MD Anderson implementation of the EPIC EMR system led to a 77% drop in income and layoffs approaching 1,000 people (2016-2017 time frame)[1][2]. I'm not up to date enough to know whether they have ever recovered.

[1] https://www.modernhealthcare.com/article/20170106/NEWS/17010...

[2] https://www.beckershospitalreview.com/finance/md-anderson-po...

[altgoogler]

The point is that even MDACC figured out is was too expensive to continue their own EMR.

You're correct in that literal books could be written about EMR adoption gone wrong. That doesn't change the fact that even super huge mega-health systems can't afford to do it all themselves.

[jhayward]

> The point is that even MDACC figured out is was too expensive to continue their own EMR.

I think then that the example does not prove your point. It would have been vastly better, financially and medically, for MDACC to have continued with their in-house EMR.

[inetknght]

> It would have been vastly better, financially and medically, for MDACC to have continued with their in-house EMR.

...until they (too) fall victim to "a rogue engineer" (or a "patient") coming in and plugging something into an open USB port on the workstation.

[JohnFen]

> As others have said, entering into a BAA with a covered entity, as HIPAA defines it, shouldn't be seen as a controversial action.

You place more faith in HIPAA than I do. HIPAA does not protect privacy to the degree that most people assume.

> There are numerous problems in healthcare that are too complex for individual health systems to tackle.

True, but that doesn't mean that Google is the right entity to do this. In my opinion, they're the wrong entity, because Google is not exactly trustworthy.

> Google is not the only player doing this at scale. They're not even the largest one.

But they're Google. What this sort of thing means for me is that I need to start asking medical providers if they're participating in this sort of thing with Google (or other companies that I consider bad actors), so I know which ones to avoid using.

[altgoogler]

> You place more faith in HIPAA than I do. HIPAA does not protect privacy to the degree that most people assume.

That's correct. People would be surprised at the number of HIPAA violations that happen everyday. It is, however, among the strongest and most well-enforced data privacy laws (in the US).

> True, but that doesn't mean that Google is the right entity to do this. In my opinion, they're the wrong entity, because Google is not exactly trustworthy.

You're certainly right to be concerned. I don't share your opinion about Google per se, but this is important data for our society. I'd argue that OpSec at a large provider--let's say Microsoft--is more sophisticated than a start-up. So how does an organization decide who is the "right" entity to deal with?

> But they're Google. What this sort of thing means for me is that I need to start asking medical providers if they're participating in this sort of thing with Google (or other companies that I consider bad actors), so I know which ones to avoid using.

If this is important to you, I would strongly encourage it. Our health industry is better when consumers are better informed, and can make informed decisions. Personally, it's more important to me to be able to actually know how much a procedure is going to cost rather than who owns the AI stack behind their clinical decision support system.

[JohnFen]

> So how does an organization decide who is the "right" entity to deal with?

Practically speaking, that's up to the company -- but the company needs to make sure that their clients are informed and are able to withdraw their data if they're concerned.

The larger part of what's wrong with this particular deal is that it was done in secret. Patients and doctors were not informed of this until after data has begun to be transferred. They should have been, and patients should have been given the option to remove their data from the dataset and find another health care provider if they wish.

> Personally, it's more important to me to be able to actually know how much a procedure is going to cost rather than who owns the AI stack behind their clinical decision support system.

I agree that knowing costs is very important, but we're miles away from that being a thing that is possible. In the meantime, I think it's important not to backslide in other areas such as this one.

I'd also say that my concern isn't really about who owns the stack, or the cloud. That sort of battle was lost years ago. My concern is the ability of Google to access that information.

[jammygit]

> You place more faith in HIPAA than I do. HIPAA does not protect privacy to the degree that most people assume.

Can anyone elaborate?

[JohnFen]

There are a lot of exceptions to HIPAA that people aren't aware of. Here's a reasonable explanation: https://www.universalclass.com/articles/medicine/exceptions-...

[_pgmf]

I think the issue is the fact that Google, the epitome of faceless/impenetrable data capitalism, is now holding my health records.

[altgoogler]

You're certainly entitled to that viewpoint. The point is that:

"Google's harvest of medical data includes names and full details of millions"

is hyperbole, when

"Google partners with health system on clinical documentation research" is more accurate.

I'm a proponent of more consumer control over their data, along the lines of GDPR. You could, theoretically, request that your covered entities give you a copy and then delete all of your records from their systems at any time.

Which for consumer data Google already gives you the option to do so (e.g. takeout.google.com)

[perl4ever]

"takeout.google.com"

Interesting, never heard of that. Where's the delete button?

Of course, I can't hit delete all, because I have no alternative to an Android phone other than Apple.

[coleifer]

Moving the goalposts.