A recent agreement between Google and Ascension, a huge national health system, is yet another sign of how the digital revolution is transforming health care. We are at the dawn of a new era in which clinicians will be able to apply in real-time the collective human experience in treating any particular problem to the care of every patient with that condition.
But the critical reactions to the agreement — under which Ascension will send to the Google cloud the clinical data it collects on its 50 million patients, and Google will process that data to help Ascension better manage its patients and its finances — make it clear that changes of this magnitude are never smooth. The announcement generated concerns about patient privacy and the misuse of information for the private gain of third parties. It triggered an investigation by the U.S. Department of Health and Human Services and calls from members of Congress for further inquiries. We are obviously at the beginning of what will likely be a long, contentious and vital debate over how to manage personal health information in the digital age.
Patients have an undeniable right to privacy and control over their personal health data. Doctors and hospitals need leeway to use patient information in their care. Patients, health professionals and the larger society have an interest in learning from our collective experience with care to better prevent and treat disease. And tech entrepreneurs want a return on their capital when they add value to the management of health care data. The coming debate will be about how to manage these sometimes conflicting interests as health information technology revolutionizes our health care system.
Here are the fundamentals underlying the Ascension-Google relationship: Ascension sits on the troves of data accumulated from caring for millions of patients who pass through its facilities. That data used to be locked away in paper records. With the near-universal adoption of electronic health records over the past decade, it can now flow instantly to wherever it’s useful, provided that patients’ privacy is protected.
This has several immediate benefits for patients. Their personal histories are always accessible when they get care at Ascension (and possibly elsewhere). Ascension’s doctors and nurses can potentially learn from the experience of all Ascension’s patients with similar conditions as they care for any individual patient. And by applying search technologies and artificial intelligence, Ascension may also be able in real-time to mobilize lessons of the entire scientific literature to bring to bear on individual patients. That literature is so enormous that even the most experienced clinicians have difficulty keeping up with it. Ascension’s experience may also inform medical research more broadly.
The challenge is that accomplishing these innovative uses of electronic data requires a range of informatics, analytics and research skills that most health systems don’t possess. That’s where Google comes in. It has IT skills that Ascension can never hope to equal. And Google has been gobbling up nationally renowned clinician leaders and researchers to create a deep bench in health care informatics and research.
In this, Google is not alone. IBM Watson has been in this field for some time. Amazon and Apple seem to be following suit. And there are a flock of startups eager to add value to health care by mining patient data. When health care, which accounts for 18% of the U.S. economy, suddenly enters the digital age, the business opportunities are huge. Google is reportedly not charging Ascension for its services, but future customers are unlikely to be so fortunate.
The legalities, of course, cannot be set aside for long. The Google-Ascension deal will likely expose the personal health information of millions of Ascension patients to Google employees. Doesn’t this violate the Health Insurance
Portability and Accountability Act of 1996?
Health care providers routinely cite HIPAA as a tough, no-nonsense statute that severely inhibits their ability to share patients’ information with each other and even with patients themselves and their families. Despite its reputation, HIPAA is full of holes, and lawyers for Google and Ascension likely found ample room in the law to support their agreement. For one thing, health care providers who are regulated under HIPAA, so-called covered entities, may share personal health information without patient consent for three main purposes: treatment, payment and operations.
Treatment means that clinicians can discuss their patients with other treating clinicians without getting patients’ consent each time. Payment means providers can use personal health information to get paid by insurers. And operations means that providers can use personal health information to address the critical operational needs of their organizations, including improving the quality and safety of their care. When a covered entity uses a third party to fulfill any of these purposes, that outside entity becomes a so-called business associate, and must conform to HIPAA regulations as well.
The data management activities that Google will undertake for Ascension may very well qualify as meeting Ascension’s operational needs to improve the quality of its care, and Google could, in that capacity, serve as a business associate. Under this interpretation, the sharing of patient data without patient consent could be legal under HIPAA. The U.S. Department of Health and Human Services, which enforces the HIPAA statute, is examining the relationship.
However, even if the relationship turns out to be legal, it raises significant issues. The lawmakers who created HIPAA never anticipated the internet, IT behemoths like Google and Apple or the skill of hackers. It is one thing to share a dusty old paper record with an outside entity. It is quite another to send electronic versions off into the cloud where — despite a third party’s best efforts — it might be hacked from anywhere on earth. HIPAA is likely no longer sufficient to reassure patients that their electronic health data is adequately protected.
Another question surrounds rights to commercial benefits likely to flow from collaborations between health care organizations and IT companies. These agreements will surely produce a bounty of intellectual property that will be profitably sold without patient information (think algorithms and software) to other health care providers and even to other businesses that develop and market health care products (think pharmaceutical and device companies and health plans). But these profits will be derived from the personal health information of millions of patients. Should they be given the opportunity to consent to these business uses of their data? Should they share in some small way in the gains?
These and other questions will have to be addressed to realize the individual and societal benefits of the health information revolution.
David Blumenthal is president of the Commonwealth Fund
