Google assured detractors that it would follow all relevant privacy laws, but the regulatory-compliance discussion only distracted from the strange future coming into view. As Google pushes further into health care, it is amassing a trove of data about our shopping habits, the prescriptions we use, and where we live, and few regulations govern how it uses these data.

The Fitbit acquisition seems quaint compared with news of Google’s latest endeavor. The Wall Street Journal reported on Monday that Google had secretly harvested “tens of millions” of medical records—patient names, lab results, diagnoses, hospitalization records, and prescriptions—from more than 2,600 hospitals as part of a machine-learning project code-named Nightingale. Citing internal documents, the Journal reported that Google, in partnership with Ascension, a health-care provider operating in 20 states, was planning to build a search tool for medical professionals that would employ machine-learning algorithms to process data and make suggestions about prescriptions, diagnoses, and even which doctors to assign to, or remove from, a patient’s team.

Neither affected patients nor Ascension doctors were made aware of the project, the Journal reported. And again, all parties asserted that HIPAA, the package of privacy regulations protecting patient data, allows for its existence. In response to my requests for comment, both Google and Ascension referred to their respective recent blog posts on the topic. “All of Google’s work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and come with strict guidance on data privacy, security and usage,” Google’s post reads.

The Department of Health and Human Services is probing the legality of the deal. Under Google’s interpretation, the company is merely a “business associate” helping Ascension better render its services—and thus warrants a different level of scrutiny than an actual health-care provider. But if HHS determines that Google and its handling of private information make it something more akin to a health-care provider itself (because of its access to sensitive information from multiple sources who aren’t prompted for consent), it may find Google and Ascension in violation of the law and refer the matter to the Department of Justice for potential criminal prosecution.

But whether or not the deal goes through, its very existence points to a larger limitation of health-privacy laws, which were drafted long before tech giants started pouring billions into revolutionizing health care.

“It’s widely agreed that HIPAA is out of date, and there are efforts ongoing right now to update it for the 21st century,” says Kirsten Ostherr, a co-founder and the director of the Medical Futures Lab at Rice University. HIPAA was signed into law in 1996—years before Google knew if you were pregnant or could algorithmically estimate your risk of suicide. “Most of the kind of data [Google’s] trafficking in is not considered to be personally identifiable information in the way that it was conceived back in the ’90s, when [much of] the tech world didn’t even exist.”