Google has been venturing into new areas of business and recently made huge news when it got access to the health records of millions of Americans through a partnership with the Ascension hospital network.

Both companies insist their goal is to provide better care to patients, but the program, code-named Nightingale, is already creating major privacy concerns. Just 48 hours after it was announced, federal regulators from the Department of Health and Human Services announced an investigation into whether the partnership violates HIPPA, the Health Insurance Portability and Accountability Act.

On this episode of the Reset podcast, Christina Farr, a tech and health reporter for CNBC, tells host Arielle Duhaime-Ross that this type of initiative isnt exactly new for Google.

Google has this history of walking into a new sector and and saying, Lets suck up as much data as we can, and well just use our engineering prowess to figure out what products and tools that we can build off the back of this data. And it seems like theyre going into health care with a similar intention.

So, what does this mean for the Americans whose health records were accessed by Google?

The first thing to know is that when it comes to medical records, its not always clear who owns the data, says Nicholas Tatonetti, assistant professor of biomedical informatics at Columbia University.

It is often generally owned by the doctors, hospitals, and organizations that collect it. But it seems to be a patchwork of regulations and frameworks, which is why its valuable for these large efforts to bring data together.

For many Americans, that can be worrisome. But its important to know that the Google deal is actually routine. Its part of a how a lot of medical research is conducted today.

Using an example from his own research in which his team used similar types of databases to discover that two common drugs, an antibiotic and a heartburn medication, can lead to potentially dangerous heart arrhythmias when taken together Tatonetti says that everything Googles done so far was perfectly above board. But there is still room for improvement.

There is a feeling in the air about who has access to our data, how private [is it], and when is it being shared? When we are left out of that process, it feels a little like were being taken advantage of, even if its legal. And even if they are appropriately protecting our data, Im disappointed in these types of announcements [because] there isnt an engagement of the patient population in order to bring them into this process, especially when it comes to a giant tech company that has the type of position and an ability to interact and reach billions of people.

Still wondering how we should think about what Google is doing with these data and whether theres a way to avoid all of the mistrust? Listen to the entire conversation here.

Below, weve also shared a lightly edited transcript of Farrs conversation with Duhaime-Ross.

You can subscribe to Reset on Apple Podcasts, Stitcher, or Spotify.

This blew up because of various reports that some of this information was not anonymous that, in fact, it contained things about patients that you wouldnt necessarily want to share with a company like Google.

What kind of data was shared?

So the data that was shared was a bit of a mix. There were some cases where it was fully anonymized information, and that was simply to inform some of the analytics work that they were doing. In other cases, the companies came clean that they were sharing some personal health information which could have been potentially identifying. It could be all sorts of different things, including even just dates of service (when a patient went into the hospital).

We havent seen yet any clear evidence that patient names were shared in this process. But theres a reason to worry about Google having access to any identifying information, because if they combine that with any other data they have about us, anything could be identifiable.

We arent just talking about Google knowing peoples blood pressure, right? Were talking about Google knowing peoples HIV status or whether they have a mental health issue that requires medication.

Absolutely. The big fear here is that Google will start to learn more about our health conditions and [probably] already has quite a lot of that information.

Were sharing our health status with Google inadvertently all the time. And the idea that they could then touch our clinical records from when we go see our physicians at the hospital is just terrifying.

Adding to this is that Google has seen other issues with some of the health things that its done.

Only a few months ago, there was a lawsuit from a patient at the University of Chicago. And what came out is that Google was supposed to be making sure that information that was shared from the university to their servers was fully anonymous. But it turns out that some dates of service ... were actually shared with the company. So that led to a lawsuit.

Before that, there was a whole issue in the UK with DeepMind, one of their subsidiaries, having access to patient data.

This is all adding up to this picture that Google is not properly just managing this. I would like to see Google get out there and deny that and say, We would never target people based on their medical information, and just create some policies around this, and maybe even some public forums where people can ask questions of Google and get straight answers about how their health information is going to be used by the company.

What about Googles partner here? Why would they want to partner with a company like Google?

Ascension is a Catholic health system. They have lots of different hospitals and their own C suite that is looking for partnerships with tech companies, as are many other health systems. In the US, its quite common now to work with either one of the big three, whether its Microsoft, Amazon, or Google.

So, Ascension in theory would have wanted to have their brand associated with an innovative tech company like Google [be] very positive for them. I think they did see an opportunity to work with a big tech company on that and be viewed broadly as an innovative mover within the health care space.

What was Google trying to do with the data?

My sources have said that there were a few projects that were outlined with Ascension specifically. One of them was that they were looking to build a tool that could search through a medical record really easily. I also heard that they were looking at early detection of disease. So, for instance, if a patient is likely to have a condition called sepsis, which could lead to a fatal outcome, is there a way that they could look at these large-scale datasets and figure out whos most at risk and intervene earlier? And then once they had done that for something like sepsis, they could move on to other conditions.

Is it normal for a free company like Google to have access to this data, especially if its not anonymous?

These sorts of agreements are very common in the health care industry. Some folks in the wake of this news say that if these agreements didnt happen, health care would grind to a screeching halt. So we see these deals all the time. Typically it doesnt involve companies like Google, but it involves health care technology companies that you may be familiar with.

Optum, [for example], works with health systems regularly on large-scale data projects. And in these cases, they have to sign whats called a BAA (or business associate agreement), which allows for this data to be shared and can actually include some personally identifiable data.

Google is just latching on to a long history of these preexisting types of projects that we see every day but [that] rarely get reported on. When its Google, its a big deal. But when its not Google, people dont care quite as much.

It sounds like, because the name Google is tied to this, people are reacting really strongly.

Thats absolutely the case. This is standard practice. All sorts of health-privacy folks Ive spoken to have said these deals are routine now. I think there is still reason to criticize Google.

One piece where I would call them out is consent. There was no evidence here that Google did tell any of the patients or the physicians that they were doing this work. That only came out later, after the news exposing some of the details of the project. They could have chosen to do that. Did they have to? Maybe not. Some BAAs allow for this to be done without consent.

I hope that once the dust settles, we end up having much deeper discussions about what we expect when it comes to our health information, who should own it, who should access it, and in what circumstances should patients have the right to say no.

You alluded to a small number of Google employees who had access to this data.

Google hasnt disclosed yet exactly who those employees were, who had access to the data. They said that this small number of employees were closely monitored, implying that those employees were watched if they did have any access to the information.

At this point, we just have to trust them that those employees werent sharing this data or attempting to use it for any nefarious purpose, like selling the data, trying to use it for targeted advertising, or even just building tools off the back of Ascension datasets that they could try to sell down the line to other hospital systems.

We dont know that they did that. Google is asking a lot by just saying, Hey guys, a few people had access to this, but dont worry, we had it under control.

Its always fun when a large tech company like Google asks you to just trust them.

Exactly. As has been rightly pointed out, Google has been quite cavalier.

[The company] has this history of walking into a new sector and then saying, Lets suck up as much data as we can, and well just use our engineering prowess to figure out what products and tools that we can build off the back of this data. And it seems like theyre going into health care with a similar intention.

On the one hand, it could be a good thing, because this work does need to be done in health care and these large-scale analytics projects can be really important.

But on the other hand, you know, Google just hasnt instilled the public with a lot of confidence that theyre going to approach this with all the protections and the controls and just fundamentally do it in the right way.

To hear the potential positive aspects of Googles partnership with Ascension and its access to massive amounts of medical records, listen to the full episode and subscribe to Reset on Apple Podcasts, Stitcher, Spotify, or wherever you listen to podcasts.

The rest is here:

Googles Ascension deal gave the company access to millions of medical records. Here are the pros and cons. - Vox.com