Update: The Google/Ascension project is now being investigated by the Office for Civil Rights in the Department of Health and Human Services, the Wall Street Journal reported in an update last night. The office said it "will seek to learn more information about this mass collection of individuals' medical records to ensure that HIPAA protections were fully implemented." Google said it is "happy to cooperate with any questions about the project," and that "We believe Google’s work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and comes with strict guidance on data privacy, security, and usage."

Original story from November 12, 2019 follows:

Google now has access to detailed medical records on tens of millions of Americans, but the company promises it won't mix that medical data with any of the other data Google collects on consumers who use its services.

Google provided this statement yesterday shortly after The Wall Street Journal reported that Google is partnering with Ascension, the country's second-largest health care system, "on a project to collect and crunch the detailed personal-health information of millions of people across 21 states."

"To be clear: under this arrangement, Ascension's data cannot be used for any other purpose than for providing these services we're offering under the agreement, and patient data cannot and will not be combined with any Google consumer data," Google said in a blog post. That would mean Google won't use the medical data to target advertisements at users of Google services.

Google also said that its work with Ascension "adheres to industry-wide regulations (including HIPAA) regarding patient data, and come[s] with strict guidance on data privacy, security, and usage."

"We have a Business Associate Agreement (BAA) with Ascension, which governs access to Protected Health Information (PHI) for the purpose of helping providers support patient care," Google said. "This is standard practice in health care, as patient data is frequently managed in electronic systems that nurses and doctors widely use to deliver patient care."

What can Google see? Pretty much everything

Patient data shared with Google includes names, birth dates, addresses, family members, allergies, immunizations, radiology scans, hospitalization records, lab tests, medications, medical conditions, "and some billing claims and other clinical records," according to a follow-up article in the Journal. The partnership "covers the personal health records of around 50 million patients of Ascension," the Journal wrote.

The Journal said that "Neither doctors nor patients have been formally notified of the arrangement" and that Google and Ascension began the project "in secret last year."

Google seems to be correct that the partnership doesn't violate HIPAA (the Health Insurance Portability and Accountability Act). As the Journal noted, that law "generally allows hospitals to share data with business partners without telling patients, as long as the information is used 'only to help the covered entity carry out its health care functions.'" An expert quoted by the Journal noted that Google would be at risk of violating the law "if it uses the health data to perform independent research outside the direct scope of patient care."

Ascension is not paying Google for these services, the Journal wrote, but Google's work with Ascension could lead to profitable ventures. Google is using Ascension's patient data "in part to design new software, underpinned by advanced artificial intelligence and machine learning, that zeroes in on individual patients to suggest changes to their care," the Journal wrote. Google could sell this software to other health care institutions. As part of the project, "Staffers across Alphabet Inc., Google's parent, have access to the patient information, internal documents show," the Journal wrote.

The news about Google's work with Ascension comes as Google is trying to buy Fitbit for $2.1 billion, in a deal that is pending regulatory approval. Fitbit devices are used for health tracking, among other things, and Google wants to use Fitbit to bolster its existing Wear OS platform.

But Google's privacy promise should mean that it won't combine any patient data from Ascension with the data it gathers from Fitbit, Wear OS, Google search, Gmail, Google Docs, Chrome, or any of the other consumer services it provides.

Google’s services for Ascension

Google said it is providing its standard G Suite productivity tools to Ascension and that it's doing custom work for the company. This includes moving Ascension's "on-premise data warehouse and analytics environments to their own private and secure Google Cloud environment." The arrangement also includes "provid[ing] tools that Ascension could use to support improvements in clinical quality and patient safety," Google said.

Google said its work with Ascension is similar to what it was already doing with "dozens of other health care providers."

"These organizations, like Ascension, use Google to securely manage their patient data, under strict privacy and security standards. They are the stewards of the data, and we provide services on their behalf," Google said.

Ascension also released a statement on its work with Google yesterday. Ascension said it aims to improve the tools used by both patients and caregivers as well as "explor[e] artificial intelligence/machine learning applications that will have the potential to support improvements in clinical quality and effectiveness."