While we’re over here discussing whether the language in our HIPAA authorization forms meets regulatory requirements, Google is digging away at a trove of what’s been described as “tens of millions” of individuals’ health data, according to published reports.
The Wall Street Journal first reported on this so-called “Project Nightingale.” (Please excuse the formatting of material at the link; we don’t have a Wall Street Journal subscription, so we downloaded the text from another database to which we subscribe.) Per the WSJ, the data amount to “a complete health history,” including patient names and dates of birth, lab results, diagnoses, and hospitalizations. At least 150 Google employees are thought to have access to the material.
The project’s purpose, according to the WSJ, is, in part, “to design new software, underpinned by advanced artificial intelligence and machine learning,” zeroing in on individual patients to suggest changes to their care. Per the article, neither the doctors nor the patients involved were notified of this sharing. However, the activity is described as being in compliance with HIPAA requirements.
Naturally, when this data sharing was made public, statements were made by the parties involved. This article has links to several of them.
It seems like Google already has access to plenty of personal data — it knows what topics you’ve tried to research, for example, and then sends you ads about it. Can it link that information up with this health data? And while Google says it has taken steps to protect the confidentiality of the data, its work in this case is not subject to the Common Rule’s confidentiality requirements and does not have to be reviewed by an IRB.