Letter to Alex Azar, Secretary for the Department of Health and Human Services - Klobuchar, Murkowski Urge Department of Health and Human Services to Examine the Collaboration between Google and Ascension Health System over Privacy Concerns

Letter

Dear Secretary Azar:

CC: Roger Severino

We write to raise concerns about recent reports detailing a collaboration between Google and Ascension health system that enables Google to collect the personal health information of roughly 50 million Americans--including personally identifiable information, lab results, hospital records, and physician diagnoses--without their consent. We encourage the Department of Health and Human Services (HHS) to examine this initiative--known as "Project Nightingale"--to ensure compliance with federal health privacy law and the protection of Americans' most personal and private health data.

According to the Wall Street Journal, neither Ascension patients nor physicians were informed of the agreement before the data sharing program began. Roughly 150 Google employees now have access to Ascension patients' personal health information, which allegedly includes identifiable patient data. While Google claims the data sharing agreement is permitted under the Health Insurance Portability and Accountability Act (HIPAA), the partnership raises significant questions concerning the safeguarding of private health data. Under HIPAA, covered entities like hospitals are allowed to share protected health information with "business associates" to "help the covered entity carry out its health care functions -- not for the business associate's independent use or purposes." However, Google has reportedly declined to comment on whether it would use this data for profit or to conduct independent research--both of which could potentially fall outside the scope of HIPAA protections.

Technology has undoubtedly made it easier for people to monitor and control their own health and health care decisions, but it has also given companies more access to personal and private health data with very few rules of the road in place to regulate data sharing, processing, and analysis between covered entities and non-covered entities. We have introduced legislation to strengthen privacy and security protections for consumers' personal health data by requiring the creation of meaningful health data privacy regulations for entities not currently regulated under HIPAA. In light of previous incidents that have highlighted the need for additional protections for user privacy on Google's platform, we are concerned that technological progress is once again taking precedence over adequately protecting Americans' sensitive information.

In an effort to ensure that "Project Nightingale" is in compliance with federal law and has adequate protections in place, we respectfully ask that HHS answer the following questions:

1.) Given that the Office for Civil Rights has reportedly announced plans to initiate an inquiry about "Project Nightingale," what information has been requested from Google or Ascension concerning how each entity plans to ensure the protection and privacy of patient data?

2.) Has HHS learned whether Google ensured their employees with access to protected health information as part of "Project Nightingale" have received training on HIPAA compliance when handling such sensitive information?

3.) Is HHS aware of any efforts by Google to use the data that is being collected beyond providing tools for Ascension medical providers?

4.) Does HHS agree with the broad interpretation of HIPAA by which "Project Nightingale" is reportedly operating in that Google is permitted to receive personal health information without patient consent from Ascension as a "business associate"?

Thank you for your attention to this important health and privacy issue. We hope you will continue to work with Congress to ensure Americans' most private and sensitive data is adequately protected.

Sincerely,

