The Wall Street Journal started investigating big tech's data storage agreements with hospitals and health systems last fall and hasn't stopped. The picture emerging shows that while these deals have not yet led to actual sharing of identifiable data, there is nothing in place to prevent that from happening. Plus, even de-identified data poses a risk to health information privacy.
We recently reported on the challenges hospitals and health systems face protecting the privacy of patient data they collect, particularly when they choose to partner with data giants such as Amazon, Google, and Microsoft. Our report focused on a deal between Google and Ascension, a chain of 2,600 hospitals and clinician offices. The deal raised eyebrows because Google was apparently given non-anonymized health records data without the knowledge or approval of patients.
Details of the Google-Ascension deal were first reported by The Wall Street Journal in an article and subsequent podcast. Since then, WSJ has done even more digging and discovered other relationships that resemble the Google-Ascension partnership. Specifically:
- Intermountain Healthcare has an agreement that permits Google to access patient health records, according to WSJ. "Neither Google nor Intermountain told patients about [the arrangement]," noted WSJ reporter Rob Copeland in an accompanying podcast. Intermountain insists that it did not provide Google with identifiable information. Furthermore, even though the agreement is in place, the two organizations are not working on projects together.
- A similar arrangement between Google and the University of Chicago Medical Center demonstrates how even de-identified data can eventually become identifiable, notes the WSJ article. A federal lawsuit from a patient, reported in October 2019 by Bloomberg Law, contends that even though the information is de-identified, identifying the patient is possible using other data Google has about the patient. In other words, Google can use its search data and health data to put together a puzzle that identifies the patient.
- Google and Mayo Clinic have struck a partnership we reported on previously. According to Copeland, as quoted in the podcast, "Mayo…was very careful to say it was [sharing] anonymized patient data [with Google]. But it turns out the deal explicitly allows Google to have access to Mayo's personally identifiable patient data." So far, no such data has been shared, yet the agreement allows such sharing to take place.
You may notice a common theme running through these three instances of data sharing. That is, the health systems say they have not shared personally identifiable information with Google. However, according to privacy advocates, that misses the point. WSJ's reporting shows that agreements for such sharing are in place. Moreover, the case involving the University of Chicago underscores that it's not that difficult for Google to identify someone even from de-identified data.
Furthermore, the growing reliance on cloud-based data storage services has raised concerns elsewhere, specifically over restrictive contractual limitations. In healthcare, the stakes are high.
The issue is not limited to hospitals and health systems. Government-based behemoths are susceptible, too. As The Washington Post reported recently, back in 2017, Google and the National Institutes of Health (NIH) put the brakes on a project involving more than 100,000 chest X-rays that Google was about to gain access to -- until it was determined that some of the images could be used to identify patients. The incident did not come to light until late 2019. It highlights both the secretive nature of such deals and the potential privacy pitfalls.
We've already shared with you the advice of Jordan Seth Laser, MD, Associate Professor, Donald and Barbara Zucker School of Medicine at Hofstra/Northwell, and member of the Precision Medicine Institute's Advisory Board: Follow the recommendations of the Future of Privacy Forum.
Jordan Seth Laser, MD, Associate Professor at the Donald and Barbara Zucker School of Medicine at Hofstra/Northwell, says hospitals stand to lose a lot if patients do not know their data is being shared.
Laser recently added that although the Future of Privacy Forum offers recommendations and not requirements, hospitals and health systems must be entirely transparent about data sharing.
"Patients need to understand what data is going to be collected and how it is going to be used and shared," Laser says. And while it's certainly not illegal for hospital and health system leaders to strike these kinds of deals with tech giants, Laser notes that systems that are not transparent with patients may ultimately sacrifice trust.
Finally, he added, besides transparency, patients have a right to make choices about their data. "Patients must always have access to their data, as well as the ability to correct or delete it at any time."
The U.S. Department of Health and Human Services (HHS) offers some guidance on understanding HIPAA obligations with regard to cloud services providers. Ultimately, health information privacy and security represent only a fraction of the risks.
-- Dean Celia