Big data has become big business in healthcare.

The public freaked out in November 2019 at the Wall Street Journal’s revelations that Google was taking in non-anonymous healthcare information from hospital network Ascension. Now, a new report from the Journal shows that the tech giant is far from alone: Microsoft, Amazon Web Services (AWS), and IBM also have data-sharing agreements with hospitals. The scope of work spelled out in those agreements allows for some information to be shared that could identify patients, too.

Startups, traditional health companies, and tech giants alike are pursuing data collection so that they can make tools that they say will help detect, predict, or prevent disease more efficiently than humans can.

The rub for companies seeking to provide those tools is that they need access to data in order to train algorithms, first. So big tech companies have been making entries into health by acquiring data-rich health and fitness companies (see: Google’s acquisition of Fitbit), and striking data agreements with hospitals.

While some hail data-enabled AI as the future of medicine, it also prompts privacy concerns — especially since not all of the data tech companies receive is anonymous. Under the patient privacy law HIPAA, companies can share this sensitive data as long as it is for a spelled-out business purpose covered under the scope of the agreement. It's a massive loophole in what's otherwise perceived as a stringent privacy law that came to light after Google and Ascension's agreement became public.

According to the Journal, Microsoft is working on a “cancer algorithm” with Providence hospitals that reads information from doctors’ notes. AWS has a similar agreement with Seattle’s Fred Hutchinson Cancer Research Center. That data from doctors could contain information that matches an individual with their health data. In regard to Microsoft and Amazon's deals, some of that data definitely did include identifiable info; in some cases, they said it wasn't possible to strip it all out.

IBM’s agreement with Brigham and Women’s Hospital allows for the possibility of the hospital to share personally identifiable data. But the hospital told the journal that this hasn’t happened, yet.

With agreements like these, tech companies and hospitals may be working toward a greater good in the future of data-driven healthcare. But doing so without the explicit knowledge of the humans from whom they data mine sounds like a questionable way of taking care of patients. Closing the privacy loophole and keeping an eye on these deals is already in lawmakers' sights.