Google has landed in a privacy flap over a partnership with Ascension, a large US hospital network, to collaborate on tools that make sense of patient information and help doctors search medical records.
The agreement was first revealed by a piece in the Wall Street Journal, which explained that 150 Google employees already have access to data on tens of millions of patients without their knowledge or consent.
However, it is not clear that the agreement represents a major privacy risk. According to six people familiar with the scope of the agreement and an internal Ascension email seen by CNBC, the two companies signed an industry-standard agreement that allows the hospital to share protected health information with Google as long as this information is used only to treat patients. These people requested anonymity because they were not authorized to discuss the deal with the press. The email also notes that the agreement was part of a larger agreement between the companies that included Ascension's use of Google's G Suite set of productivity tools, which competes with Microsoft Office 365.
At the same time, a person familiar with the project said some Ascension employees were concerned that some tools Google uses to import and export data did not comply with HIPAA's privacy standards, and that the concerned employees did not receive satisfactory answers from Google on this front. Google did not comment on these particular complaints, but noted that it has a wide range of Google Cloud products that support HIPAA compliance, including some of the products mentioned by the affected employees.
The flap comes as Google makes aggressive moves into the $3.5 trillion health sector, recently agreeing to acquire fitness tracker company Fitbit and announcing a deal with the Mayo Clinic. The medical industry is notoriously sensitive in terms of privacy and security, and Google is facing an uphill battle to prove it can be trusted when it earns most of its money through advertising, which relies on widespread use of customer data.
How the agreement came together
Several people said that the project came together after Ascension spent millions of dollars on a data warehouse project that collects clinical information across the patient population.
Ascension and Google started their discussions about eight months ago on a set of so-called population health and analytics software to analyze health information collectively, referring to the broader scope of work under the code name "Nightingale."
On Google's side, the goal was to develop tools to make it easier for doctors to pull up a specific patient's data in a medical record. David Feinberg, Vice President of Google Health, mentioned this ability in vague terms at a recent industry conference. The tool, according to a source familiar with the project and screenshots seen by CNBC, makes it easier for a physician to look up a specific patient and view recent test results, medications and more.
A Google spokesperson confirmed that it is developing tools "that they could use to help doctors and nurses improve patient care," but did not share additional information.
These kinds of large-scale analysis projects are usually associated with health data companies such as Optum, owned by United Healthcare, as well as the major providers of electronic health records, such as Epic Systems. However, as technology companies like Google look for ways into the healthcare system, they are likely to become more frequent participants in such agreements.
Three of the individuals said that the two organizations signed a business associate agreement (BAA) as part of their discussions, which allows some protected health information to be transferred from a health system to a business partner.
These agreements are designed to ensure that personal health information is provided securely, and are common in the industry. As Lucia Savage, a privacy expert for healthcare technology company Omada Health, points out, such agreements typically limit the scope of what Google can do. The business partner, in this case Google, typically cannot convert the data to serve its own commercial purposes and cannot sell the data under these agreements.
An email from Ascension to employees discussing the agreement characterized the tools as being in "early testing" and "not in active clinical distribution." The email confirmed that the two companies signed a BAA, saying, "Ascension data cannot be used by Google for any other purpose to provide these tools by Ascension clinicians, and patient data cannot be combined with Google consumer data."
According to two of the people, Ascension specifically brought in a compliance officer to attend all of their meetings with Google to ensure that the data was shared properly.
Despite all these assurances, an employee with knowledge of the project said some of the Ascension employees were concerned about some of the tools Google has used to export and import data, which they said are not fully compliant with HIPAA, the set of rules governing how health information is transmitted and shared. The tools in question include Data Studio, BigQuery and Datalab, according to materials seen by CNBC. This person said the concerns were not fully addressed by one of the companies.
"When we ask Google for answers and we get delayed or no response at all," the person said. "It's a constant push from the top to get it out fast."
In response to a question from CNBC, Google refused to discuss the details of this partnership, but pointed to a list of HIPAA-compliant cloud products, including BigQuery and AI DataLab.
Google has signed several other major health care agreements lately, including with the Mayo Clinic and the University of Chicago.
But earlier this year, a patient sued Google and the University of Chicago, claiming that they did not strip out date stamps or medical notes buried in hundreds of thousands of patient records that could be used to identify a patient. "The university and medical center will vigorously defend this action in court," said a spokesman in a statement at the time.
Google also faced privacy concerns in the UK in 2017 when its DeepMind artificial intelligence project used data from patients in a way that "did not comply with data protection law", according to a UK government watchdog.