Tech giant Google continues to face Congressional scrutiny about its collection and use of sensitive health data in a project with Ascension.
Rep. Pramila Jayapal, D-Wash., sent a letter last week to Google CEO Sundar Pichai, former Alphabet CEO Larry Page and Google Cloud senior official Tariq Shaukat pressing for answers on how the companies use the health data they collect and the procedures they have in place to protect that data.
News broke in November about a health data partnership between Google and Ascension Health, sparking potential privacy concerns. The Wall Street Journal reported Google was collecting personal health information on millions of Americans as part of a partnership with Ascension, one of the largest Catholic health systems in the U.S.
In a blog post released hours after the news broke, Google said the partnership is aimed at supporting the health system "with technology that helps them to deliver better care to patients across the United States."
The partnership will modernize Ascension’s infrastructure, Google executives said. The tech company has a "Business Associate Agreement (BAA)" with Ascension, which governs access to protected health information to help providers support patient care. All of Google's work with Ascension adheres to industrywide regulations, including HIPAA, Google executives wrote.
Jayapal and other lawmakers want more details on the partnership and Google's increasing access to sensitive data. Google and Alphabet have engaged in multiple acquisitions and expansions that significantly expand the companies’ access to data, Jayapal wrote in the letter.
"Through Project Nightingale, your companies are likely to acquire over 50 million patient records and gain access to patient data from over 2,600 health care facilities," she wrote.
The House Democrat noted that Google and Alphabet "have engaged in an ever-widening acquisition of the highly personal health-related information of millions of people, Americans now face the prospect of having their sensitive health information handled by corporations who may misuse it."
"I am especially concerned that your company has not provided sufficient assurances that this sensitive data will be kept safe, and that patients’ data is being acquired by your companies without their consent and without any opt-out provision," she wrote.
Jayapal said she is concerned that Google's revenue model, which relies on behavioral online advertising, "creates an incentive to commoditize all user information" and "renders the company’s expansion into health services all the more troubling.”
“People’s lives, bodies, and healthcare are precious and merit extreme sensitivity. When people seek medical advice or track their healthcare, they expect privacy,” Jayapal wrote.
She also noted that Google's planned acquisition of wearables company Fitbit will give the tech giant access to the health-related data of 25 million people. And she cited other data projects, including Medical Brain, Google's health-focused artificial intelligence unit, which is also actively acquiring access to patient data, Jayapal said.
Alphabet recently announced a partnership with the Mayo Clinic. In the UK, Google acquired DeepMind, an AI startup, and later transferred DeepMind’s UK healthcare data processing contracts over to Google.
"On a recent investor call, Mr. Pichai also told investors, 'Health is a vertical…in which we have a whole Google Health team focused on understanding the in-depth experience that would give a better experience overall on Search,'" Jayapal wrote in the letter.
"There have been multiple incidents that cause me to have serious concerns about Google and Alphabet, Inc.’s ability to properly safeguard sensitive health and medical information," Jayapal said, citing a whistleblower's concerns, as reported by The Guardian, that personally identifiable healthcare data was being haphazardly transferred to Google without proper safeguards and security in place.
The lawmaker asked Google and Alphabet officials to provide more information on what type of confidential health data Google collects, how the company plans to protect this data against cyberattacks, and whether Alphabet would commit to creating an “opt-in regime” in which the tech company would have to get users consent before accessing their health or medical data.
Jayapal requested answers by Jan. 5.
Several other Congressional Democrats have publicly raised concerns about the Google-Ascension deal. House Energy and Commerce Committee Chairman Rep. Frank Pallone, D-N.J. as well as Reps. Anna Eshoo, D-Calif., Diana DeGette, D-Colo., and Jan Schakowsky, D-Ill., wrote letters to the company CEOs requesting briefings and more information on the data deal.
Google's partnership with Ascension also is the subject of a federal inquiry. The Office for Civil Rights in the Department of Health and Human Services “will seek to learn more information about this mass collection of individuals’ medical records to ensure that HIPAA protections were fully implemented,” the office’s director, Roger Severino, said in November, according to The Wall Street Journal.