On November 11, 2019, the Wall Street Journal revealed details about Google’s partnership with one of the nation’s largest healthcare providers: Ascension. The project, dubbed “Project Nightingale,” is described as “the largest in a series of efforts by Silicon Valley giants to gain access to personal health data and establish a toehold in the massive health-care industry.” But what, exactly, does the project entail? In this post, we’ll cover everything you need to know about “Project Nightingale,” from who has been affected to what it reveals about data privacy and the American healthcare system.

What exactly is Project Nightingale?

Ascension, the United States’ second-largest healthcare provider, partnered with Google in order to move all patient records to the tech giant’s Cloud. According to the report, the goal of this migration was to improve care via a new Google-powered system called “Patient Search” that breaks down medical record silos. Specifically, through Patient Search, healthcare providers can access an “Overview Page” including notes about patient medical issues, test results and medications, as well as all information from scanned documents. That said, Patient Search is only a piece of the puzzle. Additionally, all patient data collected has been provided to Google for use in their new AI-fueled software which aims to identify individual patients and suggest changes to their care.

How does the project use patient data?

 

Project Nightingale covers lab results, doctor diagnoses, hospitalization records, lab tests, medical conditions, medications, and much more. But, how exactly has this data been handled and processed? According to the Wall Street Journal, here’s how it works:

  1. When a patient checks into a hospital, doctor’s office, or senior care center associated with Ascension, their healthcare provider inputs their data into the system.
  2. Once submitted, the patient’s data instantly goes into Google’s Project Nightingale.
  3. After the system receives data, Project Nightingale may, in turn, respond with:
    1. Treatment plans, test suggestions, flags in unusual care.
    2. Replacement or addition of doctors on the patient’s team.
    3. Additional enforcement of narcotics policies as needed.
    4. Suggestions for billing based on procedural data uploaded.

Both Ascension and Google say they have adhered to strict data security and protection efforts. Google also stated that “Ascension’s data cannot be used for any other purpose than for providing these services we’re offering under the agreement, and patient data cannot and will not be combined with any Google consumer data.”

Why was Google able to access data without consent?

While most may associate the Health Insurance Portability and Accountability Act (HIPAA) with medical privacy, the law actually allows health care providers to share patient data with business associates without consent if that data is used for “quality improvement.” In spite of this loophole, some experts still have concerns over the level of detail that has been shared. In an interview with Wired, Mark Rothstein, a bioethicist and public health law scholar, expresses concern that Google was provided with individually identifiable patient data: “The fact that this data is individually identifiable suggests there’s an ultimate use where a person’s identity is going to be important...if the goal was just to develop a model that would be valuable for making better-informed decisions, then you can do that with de-identified data. This suggests that’s not exactly what they’re after.”

When did Project Nightingale start?

Google began Project Nightingale in secret last year across all of Ascension’s 2,600 hospitals, doctors’ offices and other facilities, with the data sharing accelerating since summer 2019, according to internal documents.

Where is Project Nightingale taking place?

Ascension facilities across 21 states. Google’s Patient Search has launched in Florida and Texas.

Who does Project Nightingale involve?

Any patients who received services at an Ascension facility most likely had their data shared with Google. According to reports, at least 150 employees at Google have access to a significant portion of the health data Ascension handed over on millions of people.

Neither patients nor doctors were notified of this relationship with Google, according to The Wall Street Journal.

Ultimately, this announcement shows that privacy laws must be able to keep up with the reality of modern data collection. When HIPAA was enacted in 1996, lawmakers could not have anticipated “quality improvement” would create loopholes leading to personal data falling into the hands of one of the biggest, most powerful data companies in the world. It also shows how easy it is for consumers to lose trust in a company that isn’t forthright about its data collection efforts. That said, not just any business can receive your medical information. Lineate, for example, works with healthcare companies on their marketing efforts but does not receive or have access to any kind of patient information because we are not “HIPAA-compliant.” Google, however, has received HIPAA compliance. Read here to learn more about how a company can become HIPAA compliant. Additionally, it is still unclear how HIPAA may or may not be impacted by the California Consumer Privacy Act, a state law which mandates that California residents have the right to request that any and all data a company has collected on them be deleted.
