Rob Copeland and Sarah E. Needleman report:
Google’s project with the country’s second-largest health system to collect detailed health information on 50 million American patients sparked a federal inquiry and criticism from patients and lawmakers.
The data on patients of St. Louis-based Ascension were until recently scattered across 40 data centers in more than a dozen states. Google and the Catholic nonprofit are moving that data into Google’s cloud-computing system—with potentially big changes on tap for doctors and patients.
At issue for regulators and lawmakers who expressed concern is whether Google and Ascension are adequately protecting patient data in the initiative, which is code-named “Project Nightingale” and is aimed at crunching data to produce better health care, among other goals. Ascension, without notifying patients or doctors, has begun sharing with Google personally identifiable information on millions of patients, such as names and dates of birth; lab tests; doctor diagnoses; medication and hospitalization history; and some billing claims and other clinical records.
Read more on WSJ.
And this is exactly what happens when you have carve outs for sharing information without explicit notice and consent. FERPA has a carve-out that allows schools to share students’ personal information with third-party entities that they declare as “school officials” and now we see how an exception in HIPAA may have allowed a massive sharing without consent.
It is stunning to me that Ascension would have engaged in this data sharing without anticipating how the public might feel about this. I would feel betrayed by them and horrified.