Project ‘Nightingale’, an agreement between Google and Ascension – the second largest health care system in the United States, reportedly allows Google to analyse detailed personal-health information of tens of millions of US patients. While formally it may be legal, there are many concerns regarding potential privacy issues.

What is the Nightingale project about

Ascension state that Google’s analysis could help clinicians predict patients’ needs and treat them accordingly. The advantages of unleashing Google’s huge computing power on medical data would make applications faster; data more accessible to doctors; and new channels could be opened that might in time find cures to certain conditions.

Project Nightingale is understood to be by far the largest data transfer of its kind so far in the healthcare field. By the time the transfer is completed next March, it will have passed the personal data of 50 million or more patients in 21 states to Google, with 10 million or so files having already been moved across – with no warning given to patients or doctors.

Data privacy concerns

Even if the uses of data aren’t illegal, as the companies claim, they cause major concerns. The whistleblower who leaked information about the deal was concerned that it was violating patient’s rights to informed consent and privacy. The data is supposed to be transferred with full personal details including name and medical history and can be accessed by Google staff. Unlike other similar efforts it has not been made anonymous though a process of removing personal information known as de-identification.

The use of health data in the United States is governed by a complicated patchwork of privacy regulations that isn’t often clear to patients. It is neither required nor is it a common practice for health care providers to obtain explicit and separate consent from patients to share data with non-health care contractors in the US. Most such agreements allow the contractor to use identifiable data only to aid the health care system’s internal operations. But many allow contractors to use anonymous data for their own purposes.

Google was not clear about the details of their agreement. Some people expressed serious concerns about the way patients’ personal health information will be used by Google to build new artificial intelligence and other tools. There are worries that in future Google might be able to sell or share the data with third parties, or create patient profiles against which they can advertise healthcare products.

Google agreements in healthcare area

This partnership isn’t the only one that raises privacy concerns. The Google/Ascension deal appears to be similar to many other business associate agreements that allow health system to share data with contractors that support their internal operations.

This is not the first time that Google has ended up in hot water over its efforts to become the dominant player in healthcare data and analytics. In 2017, the transfer of 1.6m patient records at the Royal Free hospital in London to the company’s artificial intelligence arm DeepMind Health was found to have an “inappropriate legal basis” by the UK’s watchdog on data.

The ambition of Google’s parent company Alphabet is to develop new AI tools that can help predict health patterns and improve treatment. Google recently announced plans to buy Fitbit for $2.1bn, aiming to enter the wearables market and invest in digital health.

Following the outbreak of the story in media, a federal inquiry has been launched into whether required data protections have been fully followed.

Video explaining the practice of using electronic health records