By Andrew Owen, Office of the Indiana Attorney General
The next big partnership between health and tech has come, and it raises questions about health data and the role these partnerships have in protecting patients’ sensitive information.
Ascension, one of the country’s largest nonprofit health systems, and Google, the tech giant that provides us products from smartphones to home assistants and services such as search engines and maps, have entered into a partnership to work together to store and analyze patient data to give new insight on the best way to care for patients.
While the details have not been released in full, Ascension will be integrating its health data to a cloud system operated by Google, which will then allow Google to utilize its advanced algorithms to, hopefully, better serve Ascension’s patients.
Such partnerships between provider networks and technology companies are not new. Last year Amazon, Berkshire Hathaway, JPMorgan Chase announced Haven, a non-profit company focused on tackling issues of quality, service, and high costs of healthcare.
Ascension and Google have stressed that they understand the delicate nature of handling patient information and the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) implications in play here. However, there are some concerns by the public due to past issues with Google using individuals’ data to track and sell ads.
As an example, Google agreed to pay $170 million to the Federal Trade Commission and the New York Attorney General’s Office on September 4, 2019 in connection with YouTube’s, a subsidiary of Google, illegal collecting of personal information from children, a violation of the Children’s Online Privacy Protection Act (COPPA) Rule, and use of that information to generate targeted ads.
Similar to COPPA, an improper use of private health information would be a clear violation of HIPAA and HITECH and could result in monumental monetary fines by the Centers for Medicare & Medicaid Services (CMS) and state governments. On top of that, given the sensitive nature of the data in question here, providers and companies wishing to enter into similar arrangements will need to take extra precautions to ensure that data being collected is protected from outside threats and is being used in accordance with the care of the patient.
In similar stories that have to do directly with health law, Google and the University of Chicago are currently involved in a suit over the misuse of patient data. In the complaint, Matt Dinerstein, on behalf of the established class, claims that the University of Chicago improperly gave Google access to his and other similarly situated patient records. You can find a copy of the complaint here. The suit is ongoing and the defendants, in that case, have recently moved to have the complaint dismissed, but it still highlights the possible issues arising from similar arrangements.
In Indiana, patients can file Health Insurance Portability and Accountability Act (HIPAA) complaints directly with the U.S. Office for Civil Rights, the Indiana Office of the Attorney General and the Indiana State Department of Health. While there is no private cause of action for a HIPAA violation, as seen in the Google and University of Chicago case, that does not mean that there are no options for private causes of actions for individuals who believe that their personal health information was used for an improper purpose.
It is clear that the line between health care and technology is continually becoming fuzzier as the major players in both markets continue to utilize each other to pursue joint interests. As this relationship advances and the health care industry relies more on the ability of the tech industry, both parties will have to assure that the private information of the patients is protected and being used appropriately.