Project Nightingale

Last updated

Project Nightingale is a data storage and processing project by Google Cloud and Ascension, a Catholic health care system comprising a chain of 2,600 hospitals, doctors' offices and other related facilities, in 21 states, with tens of millions of patient records available for processing health care data. Ascension is one of the largest health-care systems in the United States with comprehensive and specific health care information of millions who are part of its system. The project is Google's attempt to gain a foothold into the healthcare industry on a large scale. [1] Amazon, Microsoft and Apple Inc. are also actively advancing into health care, but none of their business arrangements are equal in scope to Project Nightingale. [1] [2] [3]

Contents

History

In early 2019, Ascension began talks with Google about developing health aggregation software to store and search medical records. The two companies signed a Health Insurance Portability and Accountability Act (HIPAA) business associate agreement, which would allow Ascension to transfer patient data to Google Cloud, and would bar Google from using this data for purposes other than providing services to Ascension. [4] Google first mentioned its project with Ascension in a July 2019 earnings call, which said the partnership was meant to "improve the healthcare experience and outcomes." [5]

The Wall Street Journal first reported on "Project Nightingale" on November 11, 2019, writing that doctors and patients had not been notified of the project and that 150 Google employees had access to patient data. [1] [2] [6] Google Health chief David Feinberg responded to the report in a blog post, saying all employees with access to protected health information went through medical ethics training and were approved by Ascension. [7]

The project raised privacy fears because of Google's involvement in other privacy controversies, like DeepMind's medical data-sharing controversy and a lawsuit against Google and the University of Chicago Medical Center for allegedly processing identifying medical records. [1] [4] Google Cloud executive Tariq Shaukat wrote that patient data gathered from the project "cannot and will not be combined with any Google consumer data." [8]

Types of data

The data sharing includes patient names and their dates of birth, along with doctor diagnoses, lab results, and hospitalization records, amounting to access to complete electronic health records. Also included in the data sharing are addresses of the patient, family members, allergies, immunizations, radiology scans, medications, and medical conditions. After the patient checks in to the doctor's office, or hospital, or senior center - the doctor and nurse examination results are entered into a computer and uploaded to Google's cloud servers. At this point, the system is then used to suggest treatment plans, recommend replacement or removal of a doctor from the patient's health-care team, and administer policies on narcotics. Ascension, the company sharing data with Google, may also vary their billing according to treatment or procedures. [1]

Investigations

Soon after The Wall Street Journal reported on Project Nightingale, The Guardian published an account from an anonymous whistleblower who worked on Project Nightingale. This person who raised concerns that patients could not opt in or out of having their records stored on Google's servers, and that the project may not be HIPAA compliant. [9] [10]

The United States Department of Health and Human Services (HHS) launched an inquiry into Google's partnership with Ascension. The investigation will be run by HHS' Office of Civil Rights. Director Roger Severino said, his office "would like to learn more information about this mass collection of individuals' medical records with respect to the implications for patient privacy under [the Health Insurance Portability and Accountability Act of 1996 or HIPAA]." [11]

See also

Related Research Articles

<span class="mw-page-title-main">Health informatics</span> Applications of information processing concepts and machinery in medicine

Health informatics is the field of science and engineering that aims at developing methods and technologies for the acquisition, processing, and study of patient data, which can come from different sources and modalities, such as electronic health records, diagnostic test results, medical scans. The health domain provides an extremely wide variety of problems that can be tackled using computational techniques.

Medical privacy, or health privacy, is the practice of maintaining the security and confidentiality of patient records. It involves both the conversational discretion of health care providers and the security of medical records. The terms can also refer to the physical privacy of patients from other patients and providers while in a medical facility, and to modesty in medical settings. Modern concerns include the degree of disclosure to insurance companies, employers, and other third parties. The advent of electronic medical records (EMR) and patient care management systems (PCMS) have raised new concerns about privacy, balanced with efforts to reduce duplication of services and medical errors.

<span class="mw-page-title-main">Health Insurance Portability and Accountability Act</span> United States federal law concerning health information

The Health Insurance Portability and Accountability Act of 1996 is a United States Act of Congress enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996. It modernized the flow of healthcare information, stipulates how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and addressed some limitations on healthcare insurance coverage. It generally prohibits healthcare providers and healthcare businesses, called covered entities, from disclosing protected information to anyone other than a patient and the patient's authorized representatives without their consent. With limited exceptions, it does not restrict patients from receiving information about themselves. It does not prohibit patients from voluntarily sharing their health information however they choose, nor does it require confidentiality where a patient discloses medical information to family members, friends, or other individuals not a part of a covered entity.

<span class="mw-page-title-main">Medical record</span> Medical term

The terms medical record, health record and medical chart are used somewhat interchangeably to describe the systematic documentation of a single patient's medical history and care across time within one particular health care provider's jurisdiction. A medical record includes a variety of types of "notes" entered over time by healthcare professionals, recording observations and administration of drugs and therapies, orders for the administration of drugs and therapies, test results, X-rays, reports, etc. The maintenance of complete and accurate medical records is a requirement of health care providers and is generally enforced as a licensing or certification prerequisite.

Health technology is defined by the World Health Organization as the "application of organized knowledge and skills in the form of devices, medicines, vaccines, procedures, and systems developed to solve a health problem and improve quality of lives". This includes pharmaceuticals, devices, procedures, and organizational systems used in the healthcare industry, as well as computer-supported information systems. In the United States, these technologies involve standardized physical objects, as well as traditional and designed social means and methods to treat or care for patients.

Health information exchange (HIE) is the mobilization of health care information electronically across organizations within a region, community or hospital system. Participants in data exchange are called in the aggregate Health Information Networks (HIN). In practice, the term HIE may also refer to the health information organization (HIO) that facilitates the exchange.

<span class="mw-page-title-main">Google Health</span> Division of Google

Google Health was a project by Google designed as an attempt to create a repository of health records and data in order to connect doctors, hospitals and pharmacies directly. The project was introduced in 2008 and discontinued in 2012. Google Health was restarted in 2018 but appeared to be discontinued in 2021 and was officially called an "effort" rather than a separate division as of 2022.

A National Provider Identifier (NPI) is a unique 10-digit identification number issued to health care providers in the United States by the Centers for Medicare and Medicaid Services (CMS). The NPI has replaced the Unique Physician Identification Number (UPIN) as the required identifier for Medicare services, and is used by other payers, including commercial healthcare insurers. The transition to the NPI was mandated as part of the Administrative Simplifications portion of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Protected health information (PHI) under U.S. law is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity, and can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history.

Shasta Regional Medical Center, formerly known as Redding Medical Center and Memorial Hospital, is a general acute care hospital that is located in Redding, California. It opened in 1945 and currently has 226 beds with a basic emergency department.

The Health Information Technology for Economic and Clinical Health Act, abbreviated the HITECH Act, was enacted under Title XIII of the American Recovery and Reinvestment Act of 2009. Under the HITECH Act, the United States Department of Health and Human Services resolved to spend $25.9 billion to promote and expand the adoption of health information technology. The Washington Post reported the inclusion of "as much as $36.5 billion in spending to create a nationwide network of electronic health records." At the time it was enacted, it was considered "the most important piece of health care legislation to be passed in the last 20 to 30 years" and the "foundation for health care reform."

The Fast Healthcare Interoperability Resources' standard is a set of rules and specifications for exchanging electronic health care data. It is designed to be flexible and adaptable, so that it can be used in a wide range of settings and with different health care information systems. The goal of FHIR is to enable the seamless and secure exchange of health care information, so that patients can receive the best possible care. The standard describes data formats and elements and an application programming interface (API) for exchanging electronic health records (EHR). The standard was created by the Health Level Seven International (HL7) health-care standards organization.

Digital health is a discipline that includes digital care programs, technologies with health, healthcare, living, and society to enhance the efficiency of healthcare delivery and to make medicine more personalized and precise. It uses information and communication technologies to facilitate understanding of health problems and challenges faced by people receiving medical treatment and social prescribing in more personalised and precise ways. The definitions of digital health and its remits overlap in many ways with those of health and medical informatics.

<span class="mw-page-title-main">Medical image sharing</span> Electronic exchange of medical images

Medical image sharing is the electronic exchange of medical images between hospitals, physicians and patients. Rather than using traditional media, such as a CD or DVD, and either shipping it out or having patients carry it with them, technology now allows for the sharing of these images using the cloud. The primary format for images is DICOM. Typically, non-image data such as reports may be attached in standard formats like PDF during the sending process. Additionally, there are standards in the industry, such as IHE Cross Enterprise Document Sharing for Imaging (XDS-I), for managing the sharing of documents between healthcare enterprises. A typical architecture involved in setup is a locally installed server, which sits behind the firewall, allowing secure transmissions with outside facilities. In 2009, the Radiological Society of North America launched the "Image Share" project, with the goal of giving patients control of their imaging histories by allowing them to manage these records as they would online banking or shopping.

A health care provider is an individual health professional or a health facility organization licensed to provide health care diagnosis and treatment services including medication, surgery and medical devices. Health care providers often receive payments for their services rendered from health insurance providers.

Health care analytics is the health care analysis activities that can be undertaken as a result of data collected from four areas within healthcare; claims and cost data, pharmaceutical and research and development (R&D) data, clinical data, and patient behavior and sentiment data (patient behaviors and preferences,. Health care analytics is a growing industry in the United States, expected to grow to more than $31 billion by 2022. The industry focuses on the areas of clinical analysis, financial analysis, supply chain analysis, as well as marketing, fraud and HR analysis.

Medical data, including patients' identity information, health status, disease diagnosis and treatment, and biogenetic information, not only involve patients' privacy but also have a special sensitivity and important value, which may bring physical and mental distress and property loss to patients and even negatively affect social stability and national security once leaked. However, the development and application of medical AI must rely on a large amount of medical data for algorithm training, and the larger and more diverse the amount of data, the more accurate the results of its analysis and prediction will be. However, the application of big data technologies such as data collection, analysis and processing, cloud storage, and information sharing has increased the risk of data leakage. In the United States, the rate of such breaches has increased over time, with 176 million records breached by the end of 2017. There have been 245 data breaches of 10,000 or more records, 68 breaches of the healthcare data of 100,000 or more individuals, 25 breaches that affected more than half a million individuals, and 10 breaches of the personal and protected health information of more than 1 million individuals.

HIE of One is a free software project developing tools for patients to manage their own health records. HIE stands for Health Information Exchange, an electronic network for sharing health information across different organizations, hospitals, providers, and patients. This is one of a growing number of tools for encrypted data exchange within the health care sphere.

Federal and state governments, insurance companies and other large medical institutions are heavily promoting the adoption of electronic health records. The US Congress included a formula of both incentives and penalties for EMR/EHR adoption versus continued use of paper records as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the, American Recovery and Reinvestment Act of 2009.

Ascension is one of the largest private healthcare systems in the United States, ranking second in the United States by number of hospitals as of 2019. It was founded as a nonprofit Catholic healthcare network in 1999. Ascension also runs a pharmacy system as well as delivery under AscensionRX.

References

  1. 1 2 3 4 5 Copeland, Rob. "Google's 'Project Nightingale' Gathers Personal Health Data on Millions of Americans". WSJ.
  2. 1 2 "Google Gathering Health Care Data on Millions of Americans with Secret 'Project Nightingale'". November 11, 2019.
  3. Singer, Natasha; Wakabayashi, Daisuke (November 11, 2019). "Google to Store and Analyze Millions of Health Records" via NYTimes.com.
  4. 1 2 Farr, Christina; Elias, Jennifer (November 12, 2019). "Google's hospital data-sharing deal raises privacy fears — here's what's really going on". CNBC. Retrieved December 9, 2019.
  5. Opiah, Abigail (November 12, 2019). "Google Cloud clears the air regarding patient data controversy following Ascension partnership". Data Economy. Retrieved December 9, 2019.
  6. Griggs, Mary Beth (November 11, 2019). "Google may be secretly gathering millions of personal health records with alleged 'Project Nightingale'". The Verge.
  7. Muchmore, Shannon (November 21, 2019). "Under fire, Google defends Ascension data sharing project". Healthcare Dive. Retrieved December 9, 2019.
  8. Lerman, Rachel (November 12, 2019). "Google's health care ambitions now involve patient data". Associated Press. Retrieved December 9, 2019.
  9. Pilkington, Ed (November 12, 2019). "Google's secret cache of medical data includes names and full details of millions – whistleblower". The Guardian. Retrieved December 9, 2019.
  10. Anonymous (November 14, 2019). "I'm the Google whistleblower. The medical data of millions of Americans is at risk". The Guardian. Retrieved December 9, 2019.
  11. Garcia, Ahiza (November 13, 2019). "Google's 'Project Nightingale' center of federal inquiry". CNN . Turner Broadcasting System . Retrieved November 14, 2019.