If entering into a BAA under HIPAA for work involving PHI is “harvest”, and you're worried that this reaches “millions” for Google, you probably don't want to think about the deals public and private firms in the healthcare and health insurance/payments space have with Amazon and Microsoft.<p>From the news article (I don't have time to review the source leak independently) there doesn't seem to be anything really concerning here. The closest to an indication of anything wrong seems to be that someone raised an issue about the risk of improper employee use of data and a need for training around that in an internal meeting on the project and has not received a formal specific response on that issue from corporate leadership. Having spent a long time in HIPAA-related work, neither that issue being raised in regard to a new project nor the fact that it was raised being merely one of many inputs into a policy generating process that makes general adjustments considering a wide range of concerns, legal parameters, and other issues but not receiving a specific direct response seems...pretty typical. And HIPAA does not require notification or opt-in (or even opt-out opportunity) for data sharing between a covered entity and Business Associate, as BAs are (while under HITECH independently subject to HIPAA privacy and security rules) basically considered institutional agents of the covered entity to which the covered entity’s authority to have and use data is delegated under the Business Associate agreement.<p>I don't know if there is really nothing of concern in the dump or the journalists covering it don't have enough understanding of the domain to even distinguish things that would indicate a problem, but what it looks like from the news article is a “whistleblower” making accusations and dumping docs, but nothing substantial and concrete in the docs supporting the thrust of the “whistleblower’s” accusations of wrongdoing.
Googler here, my opinions are my own, standard disclaimer.<p>I'm not going to comment on this specific case but I do have almost a decade of previous non-Google experience working in clinical documentation technology.<p>As others have said, entering into a BAA with a covered entity, as HIPAA defines it, shouldn't be seen as a controversial action.<p>There are numerous problems in healthcare that are too complex for individual health systems to tackle. For example:<p>* Population Health: are there emergent changes in the regional population? What do you do about it?
* Continuity of Care: The number of individual providers involved in a particular person's care continues to grow. How can you effectively inform the entire team--across health systems--what's most important for an individual now? How do you make sure nobody drops the ball?<p>To give you an idea of the scale, I have two examples. The first is MD Anderson Cancer Center in Houston. They used to have 200+ engineers working on their sophisticated home-grown EMR. It was a huge undertaking. But even with MDACC revenue, that development was unsustainable, and they moved to a 3rd party EMR vendor.<p>Second is the Mayo Health System. Another huge provider with facilities not just in flagship Rochester MN, but in several other sites. Again, there were realities that even at this scale internal development isn't sustainable across the board and they wound up with a $100M+ adoption of a 3rd party vendor.<p>And this is mostly straightforward CRUD-level workflows. The technology is straightforward but the workflow expertise is not.<p>Now, try and solve some bigger problems. You're going to need help to do this at scale, and trying to solve it necessarily means giving access--not control of!--to medical records to drive R&D. It's happening right now, and Google is not the only player doing this at scale. They're not even the largest one.<p>Lastly, HIPAA controls have real teeth, in comparison to the general consumer space (at least in the US).
What is actually happening here? A lot of rhetoric about the "Transfer of data" etc, but other times this just reads like a Google Cloud Infrastructure play, with some consulting on top.<p>Also - The deal was only just signed, e.g. the transfer hasn't happened yet?<p>There's a lot of hearsay in all of this reporting...
How is this not a criminal breach of HIPAA laws?<p>https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html
> Google could go on to use its AI analytics to predict outcomes for individual patients, they posited.<p>This is the most scary part[0]. I'm sure plenty here would disagree, but I simply don't (yet) share your optimism for A.I.<p>[0] Not that the rest isn't scary.
Any Google employees/friends of Google employees here with insight as to how staff is receiving this news? My guess is like all other egregious abuses of power, the employees will stage a "protest" to feel good about themselves then keep working there.
> The disclosed documents include highly confidential outlines of Project Nightingale, laying out the four stages or “pillars” of the <i>secret project</i>.<p>> Among the documents are the notes of a private meeting held by Ascension <i>operatives</i> involved in Project Nightingale.<p>The whole article is written like they are trying to tell a spy story which brings into question the credibility that there's any wrongdoing.
I fear all of this will be used as part of a prediction program to find the best employees based on performance metrics. Imagine if before you even gave an applicant a callback you could see if they've ever had a bout of depression, insomnia, anything that may affect their job performance or the performance of their team. That would be a standard part of any background check if that information was available.
Where is the Guardian's report on this - https://www.dailymail.co.uk/health/article-7588337/Google-gets-green-light-access-FIVE-YEARS-worth-sensitive-patient-data-NHS-trust.html<p>As a UK-based paper, the Guardian could at least focus on British issues.
I know I'm very much in the minority here, but just like we should have more open borders and more open software, we should encourage more openness around medical data.<p>Google and other large companies have made some significant AI advances in the last decade & I think it's in all of our interests to see if these advances can lead to improvements in health care.<p>Yes, it's scary how much data these companies have collected about us, but there are other things in the world which are even more scary, like heart attacks and cancer. I think we need to stop having an automatic knee-jerk reaction every time a company gets access to our data, especially if proper legal protocols with privacy protections are being followed, as it appears to be in this case.<p>Of course, I would love to live in a world with 100% perfect personal privacy AND perfect treatments for all diseases, but we don't live in that world: In our world, as we move forward, there are going to be difficult tradeoffs between health innovation and patient data access: We should try to navigate these tradeoffs in a level-headed way, without just insisting on greater walls around all data in every instance.