Hospitals and health systems are striking deals with Amazon, Google, Microsoft, and others in healthcare data storage partnerships and management agreements. It makes sense, given the roadblocks encountered when managing alone. Understand, however, that whistleblowers and others loom. Consider these best practices to avoid privacy lapses
As organizations such as Amazon, Google, and Microsoft strike deals in data storage partnerships and management arrangements for hospitals and health systems, hospital leaders are taking notice. These tech companies offer vast amounts of expertise, more storage capacity that allows projects to scale quickly, and an option to buy a solution versus building it from scratch.
As reported in September 2019 in The Wall Street Journal, a number of hospitals and health systems have invested heavily in their own data storage in an effort to ensure security and privacy. But many have found lack of capacity to be a roadblock, and thus are seeking help from outsiders. In July 2019, Microsoft unveiled a new partnership with Providence St. Joseph Health that is designed to accelerate digital health, and Amazon said it would help Cerner Corp store data in the cloud for its electronic medical record system. Then, in September, Google announced a 10-year deal with Mayo Clinic to host its medical and genetic data.
According to a Google blog post, in addition to data storage, Google Cloud will work with Mayo Clinic to "create machine-learning models for serious and complex diseases." Mayo plans to share these solutions with other caregivers worldwide in order to improve outcomes. Google also plans to open a new office in Rochester, MN, "working alongside Mayo Clinic's ... medical experts and researchers."
"Increasingly, consumers are expecting high-quality, accessible health care balanced with affordable costs and increased transparency," notes Cerner, explaining its partnership with Amazon. Officials have been careful to ensure that privacy and data protection will be of paramount importance.
Addressing the Google-Mayo partnership, the WSJ article reported that "patient records will be kept private and access will be controlled by Mayo. Data used to develop new software will be stripped of any further information that could identify individual patients before it is shared with the tech giant."
As with most tech endeavors, there are two sides to the proverbial coin. Many consumers find the ability to deposit a check by simply snapping a photo of it with their smartphone to be an invaluable timesaver. But such convenience comes with the tradeoff that their banking data is vulnerable to breaches. The same is true for health data. For that reason, hospital leaders are not the only ones paying attention to the health system-tech deals. Whistleblowers, investigative journalists, and the federal government are jumping into the fray.
When it comes to a hospital or health system partnership with a tech data giant like Amazon, Google, Microsoft, and others, Jordan Seth Laser, MD (above), Associate Professor at the Donald and Barbara Zucker School of Medicine at Hofstra/Northwell, says don't be tempted by the quick path of not offering the option to opt in. (Photo copyright: Northwell Health.)
Hospitals and Health Systems with Large Stores of Data Advised to Monitor Health Information Tech Deals
On Nov. 11, 2019, WSJ published an article regarding an agreement between Google and Ascension, a chain of 2,600 hospitals and clinician offices that operates in 21 states and Washington, DC. According to the investigative piece, data-including lab results, diagnoses, hospitalization records, and other information that may include patient names and dates of birth-are being included in the project.
"At least 150 Google employees already have access to much of the data on tens of millions of patients," noted the WSJ article based on information obtained from an anonymous source who claimed to be familiar with the matter. What's more, the data was reportedly not anonymized. In an accompanying podcast, WSJ reporter Rob Copeland, who covers Google, said, "We're talking about lab test [results], your [body] temperature, your name, your date of birth, every doctor you visited, every diagnosis that you have had, the medicines you have taken, insurance billing ."
According to Copeland's reporting, the non-anonymized data is being shared without the knowledge of patients or clinicians. Ascension has responded by asserting that Google mentioned the partnership during a quarterly earnings call in July 2019. Additionally, "acute care administrative and clinical leaders across Ascension have been informed of the work, enterprise-wide webinars have been held, and the clinical leaders of our employed physician group have been informed in detail about the project. In our deployment sites, front-line nurses and clinicians have not only been informed but have actively participated in the project."
Ascension goes on to say that it and Google are abiding by HIPAA laws, and that the two organizations have a Business Associate Agreement (BAA) that governs Protected Health Information (PHI).
Health Data Management Partnerships: Legal Requirements of Tech Giant Data Deals Unknown
Our read of the situation is that Google and Ascension have done the bare minimum to meet legal requirements, but in this day and age when data appears more vulnerable than ever, that is not enough. It is not a good look to simply do what's required and not inform patients, and then play catch-up by responding to questions about negative press reports.
Yet the conundrum is understandable if you consider recent history. "The entire Silicon Valley business model in 2019 is based on knowing as much as they can about you the individual," notes Copeland on the podcast. "The big tech companies have your location, they read your emails, they know what you bought online. The thing they don't have right now is health. And Google, which was founded on the idea of organizing the world's information, has long looked at this and said, 'This is information that is rightfully ours to collate.'"
If Tech Companies Partner With Hospitals This Becomes Neither an Opt-In Nor Opt-Out System for Patients
Copeland went on to explain that Google tried to get into the health space 10 years ago with Google Health, an initiative that failed to gain traction. The reason? Google Health was an opt-in system. "When consumers have the choice, they generally don't choose to participate." Tech companies came to realize if they partnered with hospitals, it becomes neither an opt-in nor opt-out system."
The struggle between giving patients a say in whether their non-anonymized data is shared, versus the need to build up critical mass where opt-in gets in the way, won't be going away anytime soon. Indeed, expect more whistleblowers (or at least hard questions) as similar projects gain momentum. The anonymous source for the WSJ article-a participant in the Google-Ascension project-recently told The Guardian why s/he decided to cooperate with the Journal. "Two simple questions kept hounding me: Did patients know about the transfer of their data to the tech giant? Should they be informed and given a chance to opt in or out?"
And now the federal government is getting involved. Shortly after WSJ published its report, several US senators, including Richard Blumenthal (D-CT), Mark Warner (D-VA), Amy Klobuchar (D-MN), and Lisa Murkowski (R-AK) issued statements expressing alarm about the partnership. Warner called for the project to be stopped, pending a federal investigation.
Advice for Hospitals and Health Systems Considering Health Data Storage Partnership or Management Options
For hospital and health system leaders who are already knee-deep in data collection, or considering going there soon, the advice is simple, notes Jordan Seth Laser, MD, Associate Professor at the Donald and Barbara Zucker School of Medicine at Hofstra/Northwell, and member of the Precision Medicine Institute's Advisory Board: Don't be tempted by the quick path that not offering opt-in affords. Instead, follow the recommendations offered by the Future of Privacy Forum.
Laser acknowledges that the best practices put forth by the Future of Privacy Forum are intended for consumer genetic testing companies, "yet they are extremely applicable" to hospital leaders whose organizations are collecting and seeking to optimize data. Specifically, hospitals and health systems should:
- Not share genetic data with employers, insurance companies, and educational institutions without consent;
- Require valid legal process for disclosing genetic data to law enforcement; and
- Employ strong data security practices and privacy design.