The Office for Civil Rights in the Department of Health and Human Services has launched a federal inquiry into Google’s controversial partnership with Ascension over privacy concerns. Amid criticism, both the tech giant and the non-profit healthcare provider are firing back.

The focus of the inquiry—and the ire of many lawmakers and patients—is an initiative, code-named “Project Nightingale,” that would allow Google access to the personal-health information of millions of patients across the country, as first reported by The Wall Street Journal. Patients and lawmakers want assurance the private health data being collected by Google and Ascension—such as lab tests, doctor diagnoses, and medication and hospitalization history—is adequately protected.

The Office for Civil Rights (OCR), meanwhile, wants assurance the arrangement fully complies with the Privacy Rule, mandated under the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA’s Privacy Rule, which generally addresses how protected health information (PHI) can be used and disclosed, covered entities can use and disclose PHI without patient authorization, but only for very specific purposes.

In response to media reports, Google published an FAQ addressing details on the project and, further, how it protects patient data. Google said the partnership is intended to “optimize the health and wellness of individuals and communities through technology.”

The partnership will work like this: Ascension will not only move its infrastructure to Google Cloud and its productivity software to G Suite but is also working with Google to pilot tools for physicians and nurses to use in patient care. “Specifically, we are piloting tools that could help Ascension’s doctors and nurses more quickly and easily access relevant patient information, in a consolidated view,” Google explained.

In a blog post written in response to media inquiries, Ascension, too, touted the benefits of using artificial intelligence and machine-learning technologies for healthcare purposes. “Artificial intelligence holds promise to help physicians more effectively and efficiently treat patients,” said Eduardo Conrado, executive vice president, strategy and innovations, at Ascension. “Our products in development will help improve care delivery and address well-documented interoperability pain points within the healthcare system.”

Privacy compliance

Both Google and Ascension described how they are protecting patient data in relation to the partnership. This is what Google had to say:

  • Data is logically siloed to Ascension, housed within a virtual private space, and encrypted with dedicated keys.
  • Patient data remains in that secure environment and is not used for any other purpose than servicing the product on behalf of Ascension.
  • There are access logs for any individual who might come in contact with PHI in the process of helping Ascension configure and test tools, to ensure all policies are followed.
  • Finally, these systems are included in Google’s annual compliance audits for ISO 27001 certification and SOC 2/3. These are procedures in which external auditors check the systems and processes in place to guarantee access control, data isolation, logging, and auditing.

For its part, Ascension commented that “Google is not permitted to use the data for marketing or research purposes.” Conrado went on to explain in the blog post that Google’s work with Ascension is covered by a Business Associate Agreement that governs PHI.

“Any exchange of PHI in connection with this work is for the purpose of helping our providers support patient care,” he said. “This is standard practice in healthcare, as patient data is frequently managed in electronic systems that nurses and doctors widely use to deliver patient care. Our data will always be separate from Google’s consumer data, and it will never be used by Google for purposes such as targeting consumers for advertising.”

Secret deal?

In their statements, both Google and Ascension denied any secrecy behind the partnership. “Our work with Ascension was not a secret,” Google said in its FAQ, adding the arrangement was first announced—albeit, cryptically—in a July 25 earnings call. “Google Cloud’s AI and [machine-learning] solutions are also helping healthcare organizations like Sanofi accelerate drug discovery and Ascension improve the healthcare experience and outcomes,” Google CEO Sundar Pichai said on the call.

Ascension, too, fired back in its blog post that the deal “has been anything but secret,” albeit from an internal standpoint: “Acute care administrative and clinical leaders across Ascension have been informed of the work, enterprise-wide webinars have been held, and the clinical leaders of our employed physician group have been informed in detail about the project,” Conrado said.

He also stressed the widespread use of such a practice: “Hospitals and clinical software vendors across the country have converted, or are in the process of converting, to electronic health records stored in the cloud, and soon the entire industry will be adopting this approach.”

The initial WSJ report said “neither patients nor doctors [had] been notified” of the partnership and “at least 150 Google employees already have access to much of the data on tens of millions of patients.”

No matter the outcome of the federal inquiry, the arrangement between Google and Ascension should serve as a warning to all tech giants—like Apple, Amazon, and Microsoft—who are also dabbling in the healthcare space.