We relinquish all kinds of data to tech companies in exchange for convenience. We hand over our location, our heart rates and even imprints of our eyeballs because we want to order an Uber, track a workout or get through airport security faster. But we expect one thing to be mostly kept private: our medical histories.
In a way, our health information is the last sacrosanct piece of personal information. That’s why people were so surprised to learn Google had a deal with Ascension to handle tens of millions of patient records, including full names, test results and diagnoses.
They’re right to be confused: Aren’t there laws that protect patients when it comes to health information? Multiple people tweeted: What about HIPAA? Not everyone is familiar with the particulars of the Health Insurance Portability and Accountability Act but most people have sat in a doctor’s office and filled out a pile of paperwork that seemed to suggest we have some control over who sees our medical information.
The answer: Technology is moving faster than regulation. HIPAA was written, and has been amended, with a few objectives in mind: Allowing people to keep their insurance coverage if they change or lose their jobs; developing a set of standards that would allow health-care providers to adopt new technologies, such as electronic medical-record keeping, while still protecting patient privacy; and giving patients the right to request and direct their electronic health information to third parties.
SHARE YOUR THOUGHTS
How comfortable are you with large tech companies handling your personal health information? Do the potential benefits to patients outweigh your concerns about privacy? Join the conversation below.
HIPAA became law back in 1996. Google hadn’t yet been founded. Neither had Facebook Inc. Amazon. com Inc. was in its infancy. Apple Inc. was on the brink of extinction. All are now tech giants with ambitions of their own in the health-care space. And, as competitors, secrecy tends to be their default mode.
While there’s potential for some of the world’s best engineering minds and the most powerful algorithms to improve care and lower costs, there’s also the risk of negative consequences for patients, who could see the entry of technology firms affect their insurance or be targeted with ads related to their health conditions. The regulations in place now to protect the interests of patients aren’t set up for what’s already happening, or for what’s coming, say experts.
Gaps in the framework
“We have these enormous gaps in our regulatory framework,” says Deven McGraw, chief compliance officer for the health tech startup Ciitizen and a former official with the Department of Health and Human Services agency that enforces HIPAA privacy and security rules. “It was never intended to cover the universe and as that universe expands, it looks less and less adequate.”
HIPAA allows individuals and organizations who do business on behalf of a medical provider to handle patient records under what’s known as a business associates agreement. Those entities have to follow certain rules for handling patient data, such as safeguarding the data against misuse or unauthorized disclosure. (HIPAA requires them to abide by those rules even if they haven’t signed an agreement, provided they’re receiving personal health information from a health-care provider.)
Historically, Ms. McGraw says, companies signing these agreements tended to specialize in health care. Tens of thousands of businesses, ranging from large medical-records vendors to small companies that transcribe doctors’ notes, have signed these agreements.
“The line between what’s a health institution and what’s not a health institution has gotten blurrier,” says John Wilbanks, chief commons officer at the health-tech nonprofit Sage Bionetworks and an expert on data sharing. “When the business associates agreement architecture was created, it was because the idea was these would be associates of the health system, not that they would be a giant advertising system that could help with your health system because they were also good at math.”
Consumer-facing companies such as Apple and Facebook don’t always have to sign these agreements because HIPAA doesn’t apply when personal information is shared by the patient. Both companies are exploring ways for patients to better manage their own care and health information.
Apple, for instance created an encrypted connection that allows health providers to transmit health information at a patient’s request to an iPhone. The company says it doesn’t receive or have access to the records, and that it hasn’t signed any business associate agreements.
Facebook recently launched a preventative health tool allowing users to do things like set reminders for check-ups or tests they need completed. A spokeswoman says the company is not receiving or transmitting protected health information for or on behalf of a covered entity or business associate.
“This was like the bomb going off because it’s Google,” says Ms. McGraw, whose company makes a tool for consumers to consolidate and share their medical records. “People know that Google collects a lot of data about us: has it, monetizes it, does pretty much what it wants to with it and has a track record on privacy that is less than stellar.”
‘Reducing costs and saving lives’
Google plans to use the Ascension data to train its artificial intelligence and develop software that could eventually make suggestions for patient care, according to my colleague Rob Copeland’s reporting. Google Cloud President Tariq Shaukat said the company’s health-care goal is “ultimately improving outcomes, reducing costs and saving lives.”
Insights from machine learning are already being used by doctors to improve care in hospitals. Stanford University’s Center for Biomedical Informatics Research has access to the anonymized health information of 200 million patients from Stanford’s hospital system and other outside sources.
SHARE YOUR THOUGHTS
How can personal health information be protected on the internet? Join the conversation below.
Algorithms trained on the data have been able to predict things like which patients are likely to die within three to 12 months, so providers can better time discussions of palliative care. Doctors can also use data to compare one patient to a pool of similar patients. If a patient’s blood work shows some elevated levels, a doctor can compare it to a larger population and determine whether it’s worth increasing checkups and checking for cancer.
Nigam Shah, associate director of the Stanford center, views sharing health data as a moral obligation (the lab allows outside companies to access its data for research purposes. Stanford researchers separately have partnered with Apple on a heart study).
“Unless we as a society get comfortable with sharing and analyzing medical data, we’re not going to benefit from the presumed benefits,” he says. “If we want that promised land, we have to share data. The challenge is to figure out how to do so in a safe way, and the current regulations and law are not sufficient.”
Companies like Google have the talent and the means to do patient risk assessment and recommend appropriate courses of action at a massive scale, Dr. Shah says.
Google’s algorithms have already helped to identify people at risk of acute kidney injury days before they’re even showing symptoms, according to a presentation by Google’s health head, David Feinberg.
HIPAA safeguards our data when it’s within our health care system and moving between providers and their associates. But its protections are narrow: We don’t get to decide who providers decide to work with, and we have no say in what happens to our health data once our personally identifiable information has been removed—a process known as “de-identification.”
De-identifying the data
The Department of Health and Human Services lays out what constitutes appropriate de-identification. If you remove certain personally identifiable information from health data, the idea is that you shouldn’t in theory be able to re-identify someone.
Ms. McGraw says it’s quite common for these agreements with health providers to allow the outside company to remove personally identifiable information from the data. Once it’s “de-identified,” she says, it’s no longer subject to HIPAA and the company can do what it wants with it.
Nicolas Terry, executive director of the Hall Center for Law and Health at Indiana University, says big technology firms wouldn’t have much trouble hashing and anonymizing patient data and then triangulating that with existing user information. Google says its agreement with Ascension does not allow de-identification.
There’s also the question of whether Google’s agreement allows it to improve its product with whatever insights it learns from the Ascension data—and then monetize it.
“If it’s just for Ascension, I don’t think this is that big of a deal but if it’s something they’re going to reuse to sell to other systems, then the details get pretty important,” says Mr. Wilbanks of Sage Bionetworks.
The company has said it will only be using the Ascension data for its work with Ascension, that the data will be siloed, that it won’t be combined with other consumer information or used for advertising purposes. When asked if the data could still be used to improve Google’s AI, a spokeswoman pointed to the blog post and declined to comment further.
An Amazon spokeswoman says that Amazon Web Services does not use personal health information to develop or improve its services.
‘Transparency is key’
Mr. Wilbanks, with Sage Bionetworks, says Google will be in a good position to start selling actuarial tables to insurance companies—like predictions on when a white male in his 40s with certain characteristics might be likely to get sick and expensive.
When it comes to life and disability insurance, antidiscrimination laws are weak, he says. “That’s what creates the risk of having one entity having a really godlike view of you as a person that can use it against you in ways you wouldn’t even know.”
That’s not a surprise, given how opaque the data-sharing industry has been to date. Earlier this year, I downloaded the What to Expect pregnancy app to see if Facebook would show me maternity ads. Sure enough, one popped up in my Instagram feed, thus ensuing a wild goose chase to try and figure out why I saw the ad.
It’s hard to imagine a scenario in which consumers have the ability to find out exactly how their health data is being used—especially if Google, in signing a business associate agreement and adhering to HIPAA, was under no obligation to tell patients or doctors that it was analyzing their health records.
Dr. Shah says there’s currently a lot of secrecy surrounding the agreements between companies and medical partners and that nondisclosure agreements are common. “Transparency is key,” he says. “Right now the tendency of tech companies to do everything in secret will set the whole field back.”
—Tripp Mickle contributed to this column.
Corrections & Amplifications
Nicolas Terry is the executive director of the Hall Center for Law and Health at Indiana University. An earlier version of this article incorrectly stated the school was University of Indiana. (Nov. 22, 2019)
Copyright ©2019 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8