Google's Verily division has been screening and testing participants for COVID-19, but lawmakers are concerned over how it is collecting and using people's data.

The company has now responded to senators, in a letter seen by Business Insider. It says more than 7,000 people have been tested at its sites as of April 9. It also said data collected was not in compliance with HIPAA privacy rule.

Verily says it has no intention of removing the Google sign-in, which is currently required for using its screening service.

Visit Business Insider's homepage for more stories.

Verily, the Alphabet life sciences division that launched its COVID-19 screening and testing program last month, is still under scrutiny from lawmakers over how it is collecting users' data, as well as its plans to expand its test sites outside of California.

At the end of March, five US senators wrote to Verily asking, among several other things, whether its screening website was compliant with the HIPAA Privacy Rule, and whether Verily intended to remove the requirement that all users who screen for COVID-19 have a Google account.

Verily has now addressed those questions in a letter sent to the same senators and obtained by Business Insider. In it, Verily assured the senators that any data collected wouldn't be used for commercial purposes or sold to third parties.

But it also confirmed that its screening site was not in compliance with the HIPAA privacy rule.

"Verily has focused on the protection of the security and privacy of personal health information since the inception of its Baseline COVID-19 Program," the company wrote. "With respect to its Baseline COVID-19 Program, Verily is not acting as a covered entity or a business associate as defined by HIPAA. As the Program expands, we will continue to prioritize the protection of individual health data. However, in the future if we engage in a program where we do become a covered entity or we are required to sign a BAA we will take all the appropriate steps to ensure compliance with HIPAA."

Verily did confirm that should it expand its COVID-19 testing sites beyond California, it would apply the protections of the California Consumer Privacy Act (CCPA) in states where the laws are less stringent.

But the company also has no intention of removing the requirement of having a Google account in order to use its screening and testing services – something that lawmakers are concerned could create a hurdle to testing.

"Verily uses Google Account as a secure way to authenticate individuals for use of the Baseline COVID-19 Program," it wrote. "Given that Google Account provides best in class authentication and that quickly developing alternative methods of authentication runs the risk of being less secure for participants, currently Verily cannot make this a priority as we don't have the mechanism at hand to provide a different, equally secure method for authentication in the Baseline COVID-19 Program."

In response to a question about whether the mandatory Google sign-in had prevented participants from using Verily's service, the company said it was unable to quantify that data.

7,390 people have completed testing

Verily also provided some data on how many people had used the service. As of April 9, Verily says 68,406 people had completed the screener, 14,711 were eligible for testing, and 7,390 have completed testing, with 6,636 results.

As this number grows, so do concerns about what Google may do with the data after participants have screened and tested at their sites. Responding to a question about this, Verily pointed senators to the company's privacy policy on its website.

But it also added that it may contact individuals in the future to "ask if they would like to share data collected through Verily's COVID-19 Baseline Program for research purposes." If so, Verily says authorization for further holding onto that user's data would happen via a separate opt-in process.

This is an important point, as Verily had previously said that it would delete all information collected through the program "unless an individual separately authorizes further retention and use of their information" but failed to explain how this might work.

Finally, Verily was asked to expand on the "multiple government agencies" it claimed to be working with. The company said it is working with the California governor's office as well as state and local agencies that include the California Department of Public Health, Health and Human Services, and the California Office of Emergency Services.

At the federal level, it said it is working with the US Department of Health and Human Services and with FEMA. Verily said it has "had communications" with the White House to update it with the status of its program.

The question now is whether this will satisfy concerned lawmakers. In a statement, Democratic Senator Robert Menendez of New Jersey, who co-wrote the letter to Verily, told Business Insider:

"I'm glad we received a firm commitment from Verily that personal data collected during the COVID-19 pandemic won't be used for commercial purposes, or be sold to third parties. Yet, I remain concerned that the company cannot quantify the number of people who were denied the opportunity to participate in its pilot COVID-19 screening program in California simply because they didn't have a Google account.

"Most concerning, they seem to not have a plan to fix this. If Verily is seriously considering expanding these sites to other states –or nationally—my hope is that they address this question and provide an alternate authentication method to ensure that anyone interested in accessing a testing site can use the program."

Menendez did not comment on whether the senators will follow up with further questions for Verily.