A whistleblower from Google leaked video footage revealing that the company’s Project Nightingale has been collecting confidential medical records from an estimated nearly 50 million Americans. To obtain the medical records, Google partnered with the second-largest U.S. healthcare provider, Ascension. The medical records held by Ascension were protected under the Health Insurance Portability and Accountability Act (HIPAA), which requires covered entities to comply with privacy and security measures intended to protect a patient’s private health information. Generally, covered entities may use a patient’s records only for purposes permitted by HIPAA or with the patient’s authorization.
Neither Google nor Ascension provided notice to, or obtained consent from, patients or providers before the records were transferred. Purportedly, the data collected from the medical records would be used to enhance Google’s artificial intelligence capabilities and to strengthen its position as a leader in digital health, two areas in which Google has previously expressed interest. Google’s partnership with Ascension is the largest known transfer of medical records, but such data sharing arrangements are not isolated. Google has also partnered with other, smaller health providers to obtain similar medical record transfers. Additionally, Google has shown interest in entities not covered by HIPAA as well. Notably, Google’s parent company has expressed interest in entering the wearables market by purchasing Fitbit.
The recurrence of recent health information privacy and security breaches has prompted Congress to call for stronger security requirements and increased enforcement of current laws and regulations. The Senate Cybersecurity Caucus has accused the Department of Health and Human Services (HHS) of not doing enough to protect patients. The American Hospital Association has also called for the modernization of HIPAA. To address changes in the industry, HHS has been exploring measures to impose stricter privacy and security standards on companies not covered by HIPAA that hold health-related data.