Few things are more private than a person’s medical history. Yet without the consent of patients or their doctors, America’s second-largest health care system and Google are cooperating to share personally identifiable medical information on 50 million patients. Regardless of the intentions to improve health care, this is a violation of privacy that may require action from regulators or Congress to correct.
First reported by the Wall Street Journal, Ascension, a chain of Catholic nonprofits with hospitals and nursing homes in 21 states, made a pact with Google to move that big data into the search giant’s cloud-computing system. They hope to crunch the data and provide better health care. Code-named “Project Nightingale,” the plan immediately drew the scrutiny of regulators and lawmakers who fear that patients’ privacy is inadequately protected. At least four Democrats on the U.S. House’s Energy and Commerce Committee have already sent letters to both Google and Ascension, asking to be briefed by Dec. 6. They are right to worry.
Anyone who has visited the doctor has encountered HIPAA, the federal Health Insurance Portability and Accountability Act of 1996, which protects a patient’s privacy. Yet Project Nightingale appears to be permissible under federal law, privacy experts told the Journal, because HIPAA generally allows sharing of data with business partners if the information is used “only to help the covered entity carry out its health-care functions.” Patients would no doubt be surprised to learn it might be legal to share medical information that includes their names and birth dates even without their consent, and if an investigation determines that it is legal, it is time to beef up the law. Patients should have to consent before identifiable medical information is shared, and they should know the purpose and be fully informed.
In the age of big data, privacy and information are constantly in tension. Crunching big data using artificial intelligence can discover patterns and point to treatment in ways that weren’t possible even a few years ago. That’s good news. But it simply cannot come at the expense of breaking the confidentiality of patients and their personal medical information.
Ask yourself: Would you trust big data companies such as Google and Facebook with the most intimate details of your life? Even if the sharing might shade toward being legal in this gray area, these companies have to be absolutely transparent and seek permission first. Given their mixed track records, the optics and the ethics require nothing less.
There are solutions. Information can be precise and detailed but anonymous. Earlier this year, the Florida Legislature passed and Gov. Ron DeSantis signed a bill that allows Attorney General Ashley Moody specific and proscribed access to the state’s prescription drug database in order to bolster Florida’s case in a massive opioid lawsuit against drugmakers, distributors and pharmacies. Privacy concerns were met by stripping out a patient’s name and substituting a unique identifying number. This was an appropriate way to handle sensitive data, and it shows what can be done, but it also demonstrates the importance of balancing privacy and policy concerns in every instance.
The ability to store and distribute sensitive, intimate medical information has outstripped the laws that protect people’s privacy, not to mention the ever-present fear of hackers. We’re not far from a time when a person’s entire genome can be uploaded to the cloud. Before that happens, people need to be confident that their medical and genetic history will be shared only as they see fit.
— Tampa Bay Times