Last week, when Google gobbled up Fitbit in a $2.1 billion acquisition, the talk was mostly about what the company would do with all that wrist-jingling and power-walking data. It’s no secret that Google’s parent, Alphabet—along with fellow giants Apple and Facebook—is on an aggressive hunt for health data. But it turns out there’s a cheaper way to get access to it: Teaming up with health care providers.

On Monday, The Wall Street Journal reported details on Project Nightingale, Google’s under-the-radar partnership with Ascension, the nation’s second-largest health system. The project, which reportedly began last year, includes sharing the personal health data of tens of millions of unsuspecting patients. The bulk of the work is being done under Google’s Cloud division, which has been developing AI-based services for medical providers.

Google says it is operating as a business associate of Ascension, an arrangement that can grant it identifiable health information, but with legal limitations. Under the Health Insurance Portability and Accountability Act, better known as HIPAA, patient records and other medical details can be used “only to help the covered entity carry out its healthcare functions.” A major aspect of the work involves designing a health platform for Ascension that can suggest individualized treatment plans, tests, and procedures.

The Journal says Google is doing the work for free with the idea of testing a platform that can be sold to other health care providers, and ostensibly trained on their respective datasets. In addition to the Cloud team, Google employees with access include members of Google Brain, which focuses on AI applications.

Dianne Bourque, an attorney at the law firm Mintz who specializes in health law, says HIPAA, while generally strict, is also written to encourage improvements to health care quality. “If you're shocked that your entire medical record just went to a giant company like Google, it doesn’t make you feel better that it's reasonable under HIPAA,” she says. “But it is.”

The federal health care privacy law allows hospitals and other health care providers to share information with their business associates without asking patients first. That’s why your clinic doesn’t get permission from you to share your information with its cloud-based electronic medical record vendor.

HIPAA defines the functions of a business associate quite broadly, says Mark Rothstein, a bioethicist and public health law scholar at the University of Louisville. That allows health care systems to divulge all sorts of sensitive information to companies patients might not expect, without ever having to tell them. In this case, Rothstein says, Google’s services could be seen as “quality improvement,” one of HIPAA’s permitted uses for business associates. But he says it’s unclear why the company would need to know the names and birthdates of patients to pull that off. Ascension could instead have assigned each patient a unique number, keeping the mapping from number to identity in-house, so that patients remained pseudonymous to Google while records for the same person could still be linked.

“The fact that this data is individually identifiable suggests there’s an ultimate use where a person’s identity is going to be important,” says Rothstein. “If the goal was just to develop a model that would be valuable for making better-informed decisions, then you can do that with deidentified data. This suggests that’s not exactly what they’re after.”
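The alternative Rothstein describes, a covered entity handing its business associate a per-patient token instead of names and birth dates, is a standard pseudonymization pattern. The example below is added here to show how it works and is not code from Google, Ascension, or the original article; the field names, the sample records, and the key are all constructed for illustration. The covered entity derives a token from the medical record number with a keyed HMAC and keeps the key and the token-to-MRN map; the recipient can still link encounters belonging to the same patient, but cannot recover the identity without the key. Note what this does not do: encounter dates and other indirect identifiers are left in place, so the output is pseudonymized rather than de-identified under HIPAA’s Safe Harbor rule, and the key holder can always re-identify it.

```python
import hmac
import hashlib
from typing import Dict, List, Tuple

# Direct identifiers stripped before the records leave the covered entity.
# Illustrative subset; the HIPAA Safe Harbor list of identifiers is longer.
DIRECT_IDENTIFIERS = ("mrn", "name", "dob", "ssn")

# Hypothetical secret held only by the covered entity (e.g. Ascension).
# The business associate never receives it.
COVERED_ENTITY_KEY = b"hypothetical-key-held-by-the-covered-entity"

# Constructed sample records; not real patient data.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"mrn": "MRN-0001", "name": "A. Patient", "dob": "1970-03-14", "ssn": "000-00-0000",
     "encounter": "2019-04-02", "diagnosis": "E11.9", "a1c": "7.8"},
    {"mrn": "MRN-0001", "name": "A. Patient", "dob": "1970-03-14", "ssn": "000-00-0000",
     "encounter": "2019-09-15", "diagnosis": "E11.9", "a1c": "7.1"},
    {"mrn": "MRN-0002", "name": "B. Patient", "dob": "1985-11-30", "ssn": "000-00-0001",
     "encounter": "2019-05-20", "diagnosis": "I10", "a1c": ""},
]


def patient_token(mrn: str, key: bytes) -> str:
    """Deterministic keyed token for one patient.

    HMAC-SHA256 over the MRN: the same MRN under the same key always yields
    the same token (so longitudinal records still link), but without the key
    the token cannot be mapped back to an MRN or brute-forced from the MRN
    format alone.
    """
    return hmac.new(key, mrn.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_record(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Return the record the business associate would receive.

    Direct identifiers are dropped, the date of birth is reduced to a birth
    year, and a patient token replaces the MRN.  Clinical fields are kept
    as-is.  Encounter dates are intentionally left in place, which is why
    this output is pseudonymized, not de-identified under Safe Harbor.
    """
    shared = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    shared["birth_year"] = record["dob"][:4]  # year only; full date is dropped
    shared["patient_token"] = patient_token(record["mrn"], key)
    return shared


def pseudonymize_batch(
    records: List[Dict[str, str]], key: bytes
) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Pseudonymize a batch.

    Returns (shared_records, reid_map).  shared_records is what goes to the
    business associate; reid_map (token -> MRN) stays with the covered entity
    and is the only way to re-identify a token.
    """
    shared: List[Dict[str, str]] = []
    reid_map: Dict[str, str] = {}
    for rec in records:
        pseudo = pseudonymize_record(rec, key)
        shared.append(pseudo)
        reid_map[pseudo["patient_token"]] = rec["mrn"]
    return shared, reid_map


def leaks_direct_identifier(shared: List[Dict[str, str]]) -> bool:
    """Check that no direct identifier field survived in the shared batch."""
    return any(field in rec for rec in shared for field in DIRECT_IDENTIFIERS)


def reidentify(token: str, reid_map: Dict[str, str]) -> str:
    """Covered-entity side: map a token back to an MRN, or '' if unknown."""
    return reid_map.get(token, "")


if __name__ == "__main__":
    shared, reid_map = pseudonymize_batch(SAMPLE_RECORDS, COVERED_ENTITY_KEY)
    for rec in shared:
        print(rec)
    print("direct identifiers leaked:", leaks_direct_identifier(shared))
    print("re-identified first record:", reidentify(shared[0]["patient_token"], reid_map))
```

Two properties matter for the argument in the text. First, the recipient can still build per-patient models: the two encounters for MRN-0001 carry the same token. Second, identity is a function of the key, so the same records tokenized under a different key yield different tokens; whoever wants to re-identify the data needs either the key or the map, both of which stay with the covered entity.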

In fact, according to Bourque, Google would have to de-identify the information, HIPAA’s term for anonymization, before it could be used to develop machine learning models it can sell in other contexts. Given the potential breadth of the data, one of the biggest remaining questions is whether Ascension has given the tech giant permission to do so.