Google’s hospital data-sharing deal raises privacy fears — here’s what’s really going on

Google has waded into a privacy flap over a partnership with Ascension, a major U.S. hospital network, to collaborate on tools make sense of information about patients and help doctors search the medical record. 

The deal was first disclosed by a Wall Street Journal piece, which explained that 150 Google employees already have access to data on tens of millions of patients without their knowledge or consent. 

However, it’s not clear that the deal represents a major privacy risk. According to six people familiar with the scope of the agreement and an internal Ascension email seen by CNBC, the two companies signed an industry-standard agreement that allows the hospital to share protected health information with Google as long as this information is used only for treating patients. These people asked for anonymity because they were not authorized to discuss the deal with press. The email also notes that the deal was part of a larger agreement between the companies that included Ascension’s use of Google’s G Suite set of productivity tools, which competes with Microsoft Office 365.

At the same time, one person familiar said some Ascension employees were concerned that some tools that Google is using to import and export data were not compliant with the HIPAA privacy standards, and that concerned employees did not receive satisfactory answers from Google on this front. Google did not comment on these particular complaints, but noted that it has a wide variety of Google Cloud products that enable HIPAA compliance, including some of the products mentioned by the concerned employees.

The flap comes as Google makes aggressive strides into the $3.5 trillion health sector, recently agreeing to acquire fitness tracker company Fitbit and announcing a deal with Mayo Clinic. The medical industry is notoriously sensitive when it comes to privacy and security, and Google faces an uphill battle to prove that it can be trusted when it makes the bulk of its money through advertising, which relies on extensive use of customer data.

Several of the people said the project came together after Ascension spent millions of dollars on a data warehouse project that pulls together clinical information across its patient population.

Ascension and Google started their discussions about eight months ago on a set of so-called population health and analytics software to analyze health information in aggregate, and they referred to the broader scope of the work under the code name “Nightingale.”

On the Google side, the goal was to develop tools to make it easier for doctors to pull up a specific patient data in a medical record. David Feinberg, Google Health’s vice president, referred to this capability in vague terms at a recent industry conference. The tool, according to a source familiar and screenshots viewed by CNBC, makes it easier for a doctor to look up a specific patient to look at recent test results, medications and more. 

A Google spokesperson confirmed that it is developing tools “that they could use to help doctors and nurses improve patient care” but did not share further information.

These sorts of large-scale analytics projects are typically associated with health data companies like Optum, which is owned by United Healthcare, as well as the large electronic health record vendors, like Epic Systems. But as tech companies like Google look for ways into the health care business, they are likely to become more common participants in such deals.

Three of the people said that the two organizations signed a business associate agreement (BAA) as part of their discussions, which allows for some protected health information to be transferred from a health system to a business partner.

These agreements are designed to ensure that personal health information is provided in a secure manner, and are common in the industry. As Lucia Savage, a privacy expert for health-tech company Omada Health, points out, these kinds of agreements would typically limit the scope of what Google can do. The business partner — in this case Google — typically cannot convert the data to serve its own commercial purposes and it cannot sell the data under these agreements.

An email from Ascension to employees discussing the deal characterized the tools as being in “early testing” and “not in active clinical deployment.” The email confirmed that the two companies signed a BAA, and said “Ascension’s data cannot be used by Google for any other purpose for provisioning these tools by Ascension clinicians, and patient data cannot be combined with Google consumer data.”

According to two of the people, Ascension specifically brought on a compliance officer to sit in on all of their meetings with Google to make sure the data was shared appropriately.

Despite all these assurances, an employee with knowledge of the project said that some Ascension employees had concerns about some of the tools that Google has used to export and import data, which they said aren’t fully compliant under HIPAA, the set of rules that govern how health information is transferred and shared. The tools at issue include Data Studio, Big Query and Data Lab, according to materials seen by CNBC. This person said the concerns were not fully addressed by either company.

“When we’ve asked Google for answers and we get delayed response or no response at all,” the person said. “There’s a constant push from the top to get it out quickly.”

In response to a query from CNBC, Google declined to discuss the specifics of this partnership, but pointed to a list of HIPAA-compliant cloud products, including Big Query and AI DataLab. 

Google has signed several other major cloud deals in the past, including with the Mayo Clinic and University of Chicago.

But earlier this year, a patient sued Google and the University of Chicago after claiming that the companies did not strip out date stamps or doctor’s notes buried within hundreds of thousands of patient medical records, and that could be used to identify a patient. “The University and the Medical Center will vigorously defend this action in court,” a spokesperson said in a statement at the time.

Google also faced privacy problems in the U.K. in 2017 when its DeepMind artificial intelligence project used data from patients in a way that “failed to comply with data protection law,” according to a U.K. government watchdog.  

Follow @CNBCtech on Twitter for the latest tech industry news.