Google is one of the largest public companies in the world. Ascension Medical Group is the largest Catholic healthcare system in the United States. A recent report in the Wall Street Journal has confirmed that the two companies are working on something big: Project Nightingale. According to Ascension, in a joint press release with Google, through Project Nightingale Ascension “is working with Google to optimize the health and wellness of individuals and communities, and deliver a comprehensive portfolio of digital capabilities that enhance the experience of Ascension consumers, patients and clinical providers across the continuum of care.” Through this collaboration, Google has been given access to a huge amount of information. As far as HIPAA is concerned, however, it appears that Google has done nothing illegal through Project Nightingale, nor has Ascension violated HIPAA.
What is Google Project Nightingale?
The existence of Project Nightingale had been kept under the radar prior to the November 2019 WSJ report. The report alleges that over 100 Google employees have been able to access patient data as part of the project.
A whistleblower who claims to have first-hand knowledge of the project has expressed concerns that patients are being kept “in the dark” about the collaboration – that their medical records are being shared “without their consent.” This whistleblower, whose name has not yet been revealed, posted a video on the social media platform containing a “document dump” of images of confidential files the whistleblower claims are related to the project. The whistleblower has alleged (and many news stories have reported) that the data collection either implicates or actually violates the HIPAA Privacy Rule.
Project Nightingale Has Not Violated HIPAA
Google has stated that it is operating simply as a business associate of Ascension. The work Google is performing for Ascension consists of designing a health platform for Ascension that can suggest individualized treatment plans, tests, and procedures.
Under the HIPAA Privacy Rule, covered entities are permitted to use and disclose protected health information for research with individual authorization. Such authorization is not required, however, for payment, treatment, or healthcare operations performed either by the covered entity or by a business associate of that covered entity. Google claims it is compiling and testing a platform which, if it functions, can be sold to other healthcare providers.
Healthcare operations include health “quality improvement activities”; the above activities Google is performing appear to fall squarely within the definition of “quality improvement activities.” As such, the activities are considered healthcare operations, and individual authorization is not required for the sharing between the companies.
As an attorney at the law firm Mintz stated, “If you’re shocked that your entire medical record just went to a giant company like Google, it doesn’t make you feel better that [the sharing without consent] is ‘reasonable’ under HIPAA.” But, the attorney added, “it is.”
Of course, Google and Ascension are both required to comply with both the HIPAA Privacy Rule and the HIPAA Security Rule during any project activities. What is important to note, though, is that the sharing alone (based on the facts publicly available so far) does not constitute a HIPAA violation.