According to the Wall Street Journal report, at least 150
Google employees have access to the data on tens of millions of patients. On
the surface it looks bad, but let’s drill down into what is happening.
“Although the project is
HIPAA-compliant, not all policymakers are sold on the deal.
"Despite the sensitivity of
the information collected through Project Nightingale, reports indicate that
employees across Google, including at its parent company, have access to, and
the ability to download, the personal health information of Ascension's
patients," the letter reads, according to CNBC.”
First, let’s look at who has control of the patient’s
records. In America only one State (New Hampshire) stipulates in its laws that the patient
owns the information in the medical record. In all other States the law either
stipulates that the Provider (Hospital and/or Physician) owns the medical record
or makes no such stipulation. In States where there is no stipulation in law, it
is recognized that the Provider owns the information in the Medical Record.
While the Medical Record is about a patient, it is created by the Provider and
his/her staff.
Second, let’s look at what a Provider can or cannot do with those medical
records. If the Provider wants to let a third party, other than the patient or insurance
company, have access to the records, then the Provider and the Vendor sign a
Business Associate Agreement (BAA). A BAA is designated as a HIPAA-compliant
way to ensure that Protected Health Information (PHI) is protected by the Vendor.
“Once a covered entity has
identified their applicable business associates, it is necessary to ensure that
these third-parties will only use any provided PHI in a secure
and established manner.
“Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate,” HHS maintained on its website.”
Providers utilize Vendors for various tasks that revolve
around the use of PHI. There are storage facilities for actual paper charts.
There are vendors that create electronic communication that the Provider can
send out to Patients reminding them of appointments or letting them know about
a new service offered by that Provider. There are billing companies hired by
Providers to handle their patient revenue. And, finally, there are companies
like Google that do analysis on Patient Data for Quality Improvement.
Finally, since a BAA is a tool from HIPAA, all the
guidelines of HIPAA apply to the vendor and to the vendor’s employees, so the
information is secure.