Handling sensitive patient data is a new norm for technology companies, especially those providing hospitals and doctors administrative and cloud services.
Which is why health experts were not fazed by a revelation that Google (GOOG) had access to patient data via a recently-disclosed agreement with health network Ascension. Yet the growing backlash also exposes the lack of knowledge consumers have about the myriad laws that govern their health data — and wariness the general public has about Big Tech.
“The arrangement between Google and Ascension most likely conforms to the requirements of the business associate agreement,” Katherine Hempstead, a health policy expert at the Robert Wood Johnson Foundation, told Yahoo Finance.
The agreement referenced by Hempstead is a part of the Health Insurance Portability and Accountability Act of 1996. Otherwise known as HIPAA, the law allows third-party access to patient health information, based on a framework the two parties outline.
Yet a dearth of awareness about how HIPAA works, and the steady encroachment of tech companies in the health sector, are converging in the debate over the Google-Ascension deal.
“We lack a common understanding about patient data privacy,” Hempstead said.
“Many people worry that their health data will be combined with their other personal consumer data, and recent vertical integrations and other types of data-sharing relationships between health and non-health firms heighten those concerns,” she added.
Data, health privacy collide
In fact, patient health data is already being stored digitally in electronic medical records and through claims data with insurers. Like every other major cache of consumer data, these records have also been susceptible to data breaches over the years — and health companies have paid hefty fines as a result.
The Office for Civil Rights in the U.S. Department of Health and Human Services (HHS) tracks these data breaches. It is the federal entity investigating the relationship between Google and Ascension, one of the largest health systems in the country.
“Some of the solutions we are working on with Ascension are not yet in active clinical deployment, but rather are in early testing. This is one of the reasons we used a code name for the work—in this case, ‘Nightingale,’” Google’s Tariq Shaukat wrote.
Amid speculation the agreement was a way to monetize patient information, Eduardo Conrado, executive vice president of strategy and innovations at Ascension, said that the patient data being stored is not allowed to be used for any marketing. It also is in keeping with the industry’s trend toward cloud storage, he wrote.
“Hospitals and clinical software vendors across the country have converted or are in the process of converting to electronic health records stored in the cloud, and soon the entire industry will be adopting this approach,” Conrado said.
The duo said that any characterization of trying to bill patients more was incorrect, and that the goal was to create a more efficient system, the outline of which mirrors previous attempts to use artificial intelligence to help diagnose and treat patients.
“The goal is to be able to pull clinical information from many different systems and sites of care into a consolidated view, so caregivers are able to make the best decision for patients,” Conrado said.
The issue also underscores how much more awareness is needed around digital privacy, experts said.
Zack Cooper, a health policy expert and assistant professor at Yale’s School of Public Health, told Yahoo Finance that Google likely knows more sensitive information about users than any doctor.
“Google knows a lot more about me that’s sensitive, from my search history than they do from a medical record,” he said.
Which is why there has been concern about matching consumer and patient information.
But even if Google’s and Ascension’s relationship is HIPAA-compliant, it could be delving into what one expert said is a “gray area” of health data privacy, a result of the law being unable to change at the pace of technology.
“Where I think there’s a gap between HIPAA compliance and consumer expectation is what we’re seeing around the country with these other laws being enacted that go beyond HIPAA,” Elizabeth Litten, a partner at Fox Rothschild LLP, told Yahoo Finance Wednesday.
HIPAA may be the most comprehensive law, and covers things like electronic medical records and health apps, but it doesn’t cover wearables and anonymized data, Litten said.
Wearables is an area Google also recently entered with its purchase of Fitbit.
States like California and Vermont have data broker laws, which cover the collection and sale of personal information to third parties that HIPAA misses.
But it remains to be seen what HHS finds and how it addresses the concerns.
However, Hempstead said the problem is beyond health care.
“Not just in health care but more generally,” she said, “we are not doing a good job communicating to people how their personal data may be used and when and how they can exercise agency.”
Anjalee Khemlani is a reporter at Yahoo Finance.