"Hey, Google," "What was my LDL cholesterol from last year's checkup?"
With the inevitable interoperability rules being enacted by HHS agencies, some of us may be asking Google or Alexa questions about information in our personal health records. The new rules will allow patients to give third-party apps access to their PHI. Big tech has been courting healthcare for some time now. Google launched its repository Google Health in 2006 but shut it down in 2012 due to a lack of adoption. But that didn't stop their efforts to take part in the changing healthcare landscape. There are questions and debates about what their role will be as healthcare evolves into the connected world. We see apparent benefits and concerns with the developing relationship.
Most people use Google as a primary search engine. In 2018 they had 70% of the search market and claim 1 billion health-related questions every day. They have decided to capitalize on this interest by investing heavily in digital health startups, partnering with EHR vendor Meditech for storage, adding an EHR voice assistant to their cloud, and purchasing Fitbit. They are also teaming up with Ascension, a healthcare system that operates 150 hospitals in 20 states and the District of Columbia, to work on search support for EHRs, which sounds like some relief for the EHR usability problems that physicians are experiencing. But that is also where questions start to arise.
In the partnership with Ascension, they began migrating up to 50 million patient records to Google's cloud storage without notifying the patients themselves. A whistleblower exposed the process, called "Project Nightingale". Google has stored the data of other institutions before, but they were encrypted records, only accessible to the healthcare institution. The HHS Office of Human Rights has launched an inquiry to see if any HIPAA rules are being violated, since Google employees on the project have access to the PHI. This is a form of breach known as unauthorized access, where the employees weren't approved to handle the data in this way, even if none of the data is actually used for explicitly criminal purposes. If it is found to be in violation of HIPAA rules and defined as a data breach, it would be the second-largest ever, behind a breach at Anthem in 2014 where over 78 million individuals had PHI potentially stolen.
This case of Google storing complete records raises the questions of what they would be able to do with the records and what safety protections are involved in securing the data. Given Google's record of using data, for better or worse, for various other uses, do Ascension patients want their data in Google's possession? If I get diagnosed with high cholesterol by my PCP at a checkup, will I start getting bombarded by Lipitor ads before I get to my car to drive home?
Another thing to consider: those with data at Ascension didn't have the choice to opt out of the handover to a third party for storage. This is just one of the challenges as interoperability and cloud storage become more widely adopted throughout the healthcare system. If a healthcare organization wants to store PHI with someone else, what are the patients' rights to their data? Should they be able to opt out? Or is there a tacit agreement? In this case, it was moved without notification. Was Ascension just trying to save money, or did they think there would be a backlash?
There is a lot to figure out here. What impact will these questions have on existing and upcoming regulations? Are we moving towards a model where big tech is where our health data will live? We are at a turning point in health data. Google's integration into healthcare will be interesting. We will look at some of the other solutions, big tech and otherwise, for patient data in future posts.