Google Stumbles into Healthcare

Original story posted on: November 20, 2019

Google’s researchers apparently didn’t obtain HIPAA releases from patients.

Recently, Google has made some stunning stumbles as it moves into the realm of handling healthcare data. 

First, this is surprising, considering the growing distrust among the public and regulators of platforms like Google and Facebook. Second, and more surprisingly, it seems Google failed to make sure it brought people to the projects who understood HIPAA.

On Nov. 11, Ascension announced on its website:

“Ascension, one of the nation’s leading non-profit health systems, is working with Google to optimize the health and wellness of individuals and communities, and deliver a comprehensive portfolio of digital capabilities that enhance the experience of Ascension consumers, patients, and clinical providers across the continuum of care.”

“The Ascension-Google collaboration will include:    

  • Modernizing Ascension’s infrastructure by transitioning to the secure, reliable, and intelligent Google Cloud Platform. Key elements of this work will focus on network and system connectivity, data integration, privacy and security, and compliance.
  • Transitioning to Google’s G Suite productivity and collaboration tools. Using G Suite will enhance Ascension associates’ ability to communicate and collaborate securely in real-time, supporting interdisciplinary care and operations teams across Ascension sites of care.
  • Exploring artificial intelligence/machine learning applications that will have the potential to support improvements in clinical quality and effectiveness, patient safety, and advocacy on behalf of vulnerable populations, as well as increase consumer and provider satisfaction.”

Just days later, Google was apparently caught off-guard by what would have been one of the largest HIPAA violations in the history of HIPAA (the Health Insurance Portability and Accountability Act).

On Nov. 15, two days before Google was set to publicly post more than 100,000 images of human chest X-rays, they got a call from the National Institutes of Health (NIH), which had provided the images: and NIH noted that some of them contained details that could be used to identify the patients.

Google canceled the project. This is based on emails reviewed by The Washington Post and an interview with a person familiar with the matter, who spoke on the condition of anonymity to Washington Post reporters.

Stunningly, it appears that Google’s researchers didn’t obtain HIPAA releases from patients. They had rushed ahead without any thought of compliance issues. These assertions were apparently documented in emails the Washington Post obtained from a Freedom of Information Act request.

Considering our current political environment, in this election cycle, it would be very surprising to see regulators taking up privacy concerns like this one with Google. My question is, would you trust your medical records to the same people who don’t care if their subscribers running for elected office post fake political ads?

Timothy Powell, CPA CHCP

Timothy Powell is a nationally recognized expert on regulatory matters, including the False Claims Act, Zone Program Integrity Contractor (ZPIC) audits, and U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) compliance. He is a member of the RACmonitor editorial board and a national correspondent for Monitor Mondays.

This email address is being protected from spambots. You need JavaScript enabled to view it.

Related Articles

  • HHS Unveils Proposed HIPAA Changes
    The move is just one of many regulatory tweaks being made amid the looming presidential transition. In a landmark move made amid a flurry of other regulatory revisions affecting the healthcare industry, federal officials announced that they are proposing changes…
  • Federal Authorities May Impose Civil Penalties against Hospitals Paying Ransomware Demands
    Hospitals could be charged $250,000 or twice the demand amount, whichever is greater. In October 2020, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on potential sanction risks for facilitating ransomware payments.…
  • Do Tech Giants Violate HIPAA by Tracking Trends?
    The Social Dilemma of Health (SDoH). In March 2018, the world was shocked when it became public knowledge that Cambridge Analytica, a company based in the United Kingdom, had used data from Facebook to impact the presidential election in the…