Senators are pressing Ascension for more details about its controversial data deal with Google.
The lawmakers—presidential candidate Elizabeth Warren (D-Mass.), Richard Blumenthal (D-Conn.), and Bill Cassidy (R-La.)—sent a letter (PDF) to Ascension President and CEO Joseph Impicciche Tuesday. The letter demands more information regarding the type and amount of information the health system has provided to Google, whether the health system provided advance notice to patients about the deal and whether patients can opt-out of data sharing.
The senators also want to know how many Google employees have access to patient records and how they get approved to gain access.
The tech giant's partnership with Ascension has sparked a federal inquiry and criticism from patients and lawmakers. The Office for Civil Rights (OCR) in the Department of Health and Human Service is investigating the partnership to ensure it complies with the Health Insurance Portability and Accessibility Act (HIPAA)
In the newly released letter (PDF), Google Health's David Feinberg defended the company's work with Ascension and told lawmakers that Google's access to health is limited to its business associate agreement (BAA) and data is protected by internal controls.
The December 6 letter was in response to an inquiry (PDF) initiated by Warren, Blumenthal, and Cassidy backed in November.
Feinberg said its partnership with Ascension, which was inked in August 2018, includes modernizing the health system's data infrastructure, which involves migrating data to the Google Cloud, and providing G Suite productivity tools to employees.
But controversy swirls around one key aspect of the partnership to pilot an EHR search tool that pulls patient electronic health records into an interface to help clinicians more easily find useful information.
The project, code-named “Project Nightingale," is aimed at crunching data to produce better health care, according to the Wall Street Journal, which first reported the deal.
Ascension, without notifying patients or doctors, has begun sharing with Google personally identifiable information on millions of patients, such as names and dates of birth; lab tests; doctor diagnoses; medication and hospitalization history; and some billing claims and other clinical records, the WSJ reported.
At issue for regulators and lawmakers who expressed concern is whether Google and Ascension are adequately protecting patient data in the initiative.
Google did not disclose in the letter how many patient records were involved in the project. That's a key detail that lawmakers are turning to Ascension to answer.
For the EHR search pilot, patient information from electronic medical records are migrated to Ascension’s secure Google cloud storage under a business associate agreement (BAA), and access to patient medical records is provided to designated Google employees for purposes of providing EHR search-related services to Ascension, Feinberg said.
Terms of the deal prevent it from combining data or using it for business aside from creating software for Ascension, he said.
The business associate agreement restricts Google from combining Ascension's patient data with individual search or location data, the company said. And the tech giant says it has not shared patient information with third parties and would need to ink a subcontractor contract to do so, under HIPAA rules.
Google developed and validated the health-related algorithms and machine learning models used in the EHR Search using synthetic data, de-identified data, or data obtained for research uses in accordance with Institutional Review Board approved protocols and waivers, according to the letter.
Google employees who can access patient data as part of the EHR search pilot program are individually approved by the health system, Feinberg said. Google also said that it is Ascension's responsibility to provide notice to patients of uses and retention of PHI by a technology vendor, per a business associate contract.
Lawmakers also are concerned about how well Google protects patient information and whether there are safeguards to prevent patient data from being identifiable.
The tech giant has administrative, technical and physical safeguards such as restricting access to data based on access rights and scanning for security threats, Feinberg said.
The company has custom-designed its servers, proprietary operating system and geographically distributed data center, creating an "IT infrastructure that is more secure and easier to manage than more traditional technologies," according to Feinberg.
In addition, patient data used in the EHR search pilot is accessible only in a strictly controlled environment that includes encrypting the data, audit trials to monitor who accesses it and a trail of the exact code of any software that ran against the data.