Google Health and Ascension, what's all the hoopla about?
Google Health gets 50 million patient records full of tasty data. It’s over, folks. Minority Report style predictions coming your way. Just imagine it: Google starts showing you ads for sugar-free candy and Weight Watchers. Google’s ad-targeting algorithms have welcomed you to pre-diabetes.
I’ve been trying to make heads or tails of this story.
You throw Google into the mix and it immediately makes for a good headline. Replace Google with Optum, HealthCatalyst or 3M and this never makes the front page. My first instinct was to just ignore the hoopla but as the days went on, I couldn’t resist.
The story started with a ‘leak’ from a Google whistle-blower (GWB). Eventually, they shared their concerns and motivations with us directly:
“Two simple questions kept hounding me: did patients know about the transfer of their data to the tech giant? Should they be informed and given a chance to opt-in or out?”
Respectively, they answered yes and no. And here lies the crux of it. The GWB is concerned about patients not knowing that this project is happening. But the reality is HIPAA allows these sorts of partnerships without patient consent and it happens all the time. When data is used for ‘Health Care Operations’, patient consent is not required.
Per the HHS:
“Health care operations are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.”
The bottom line: the provision on health care operations is fairly broad and easily allows for the Google and Ascension data sharing. Google is acting as a partner to help Ascension with their operations, all kosher. Google doesn’t get to own any of the data themselves.
Now if the whistle-blower alleged that Google was taking this data and somehow siphoning some of it off for their own nefarious purposes, that would be illegal and sensational. But they don’t assert this beyond saying that it could happen if we are not careful. To me, really the GWB should be upset with HIPAA and its allowing healthcare providers to use PHI data for the business side of healthcare. And it is most certainly a business, lest some of us forget.
HIPAA too soft?
This made me think: is HIPAA too soft? Imagine the alternative - patient consent for every business need. That can quickly become quite stifling for innovation. For those familiar with the IRB and other research protocols: applying the same standards to operational improvements would, I believe, be deathly crippling for an already change-resistant system.
Another note: for some things you certainly can use de-identified data, but for things like combining disparate data sources (i.e. what Google is helping Ascension with across its many systems), you literally need all the identifiers to create the full patient record.
Ascension’s response by their EVP of Strategy and Innovation hits back on some of the clickbaity items. To summarize: hey, we didn’t keep it a secret, it’s all kosher under the rules, data is safe and secure, and we are trying to fix a huge interoperability problem, not send you targeted ads.
Fair enough. Don’t be evil and all that.
For Google, the experience for their engineers of working with all sorts of healthcare data at scale is priceless. Can one of them be inspired by some ad-hoc analysis to create a new pre-diabetes ad targeting algorithm? Yep. But can they take actual patient data to create such an algorithm? Nope. If anyone has some good logging and auditing in place to prevent data cowboys from breaking the rules, I bet it’s Google. Random data analysts at Ascension working with some legacy EHR, how’s the logging and auditing on that system? I’d guess, not as robust.
My takeaway/TLDR:
Google analyzing and storing 50 million patient records without patient knowledge can bring in a lot of clicks to your article. But beyond that, this is nothing new or that exciting. Players like Optum, HealthCatalyst and Blue Cross Blue Shield are crunching many millions of records. Maybe the HIPAA ‘healthcare operations’ provision is too broad, but the alternative seems worse. I for one am excited that big tech is trying to drag healthcare into a more efficient digital future. But then again, I’ve always been a tech optimist and Silicon Valley fan.
Google vs. Apple vs. Amazon vs. Microsoft. Who will actually disrupt healthcare?
I am taking bets at pavel@datapavel.com