Above photo: Carlos Luna/Flickr
Google has been harvesting the health data of tens of millions of U.S. patients since 2018, unbeknownst to those patients or their doctors, as revealed by a Nov. 11 investigation by the Wall Street Journal. According to the story, Ascension, a private network of some 2,600 hospitals and other health care facilities, had been systematically feeding the medical information to Google’s cloud infrastructure in what amounts to the largest data transfer in the health care field. Google, in turn, plans to “suggest” changes to patients’ care, possibly via machine learning.
Google and Ascension confirmed the reports, insisting the agreement—dubbed “Project Nightingale”—was a legal, innocuous advancement in medical-data processing. Both companies intimated, chillingly, that Google’s AI applications would use the data to predict patient conditions and determine treatments, among other recommendations.
Media coverage of Project Nightingale has focused chiefly on the operation as a potential watershed in medical-privacy legislation. It’s not known yet whether the data transfer was compliant with the Health Insurance Portability and Accountability Act (HIPAA), which governs how health insurance companies share medical information with their “business associates”; now, the Department of Health and Human Services (HHS) is reportedly probing the project’s lawfulness. Some have posited that HIPAA is due for an overhaul, reasoning that the 1996 law is unequipped to regulate Google’s ever-evolving digital architecture.
Yet these concerns, valid as they may be, ignore the crux of the matter. Project Nightingale isn’t a flaw to be corrected with incremental improvements in privacy law; it’s an indictment of privatized health care altogether.
In the interest of staving off additional regulation, Facebook and Google have already begun to seize the privacy narrative. Last spring, Mark Zuckerberg unveiled a “privacy-focused” Facebook redesign including message encryption and ephemeral, rather than permanent, posts—changes that sound constructive while still permitting the company to profile users’ locations, ages, browsing habits and other traits in the name of targeted advertising. Similarly, Google CEO Sundar Pichai penned an op-ed for The New York Times in which he crowed about giving users the “choice” to control their privacy—trusting that the average Google user won’t pore over the minutiae of their privacy settings—and assured readers that data collection, somehow, benefits everyone. Not coincidentally, Facebook and Google have donated to major think tanks and nonprofits in a bid to influence privacy legislation.
Considering this, it’s difficult to envision HIPAA reining in a company like Google. When companies do violate HIPAA, the standard penalty, as in tech privacy violations, is a fine. In 2018, Becker’s Hospital Review noted three “major” cases of HIPAA violations. Filefax, a defunct medical records management company, was fined $100 million for a 2015 data breach affecting 2,150 patients. Massachusetts company Fresenius Medical Care North America, part of an international network that boasted soaring profits in October, paid $3.5 million in the wake of five separate breaches. MD Anderson Cancer Center, a Texas hospital with revenues of $5.2 billion in 2018, paid $4.3 million in civil penalties for three breaches.
If Project Nightingale isn’t HIPAA compliant, as at least one whistleblower has warned, there’s too much evidence of corporate latitude in privacy law to believe Google and Ascension will be restricted in any meaningful way. If it is HIPAA compliant, as The Atlantic has argued, HIPAA will at best be faintly modified to account for digital medical processing, with no real impact on health care corporations.
In either case, the problem isn’t that Project Nightingale may have violated HIPAA, or that HIPAA is antiquated. It’s that, regardless of the form the legislation takes, HIPAA and other health-data laws will continue to be a plank in the legal framework that codifies health care as a business. As Mason Marks recently wrote for Slate, a bill proposed this year by Sens. Amy Klobuchar, D-Minn., and Lisa Murkowski, R-Alaska, called the Protecting Personal Health Data Act “actually creates a safe harbor for products that mine [predictive health data], including those that collect personal health data ‘derived solely from other information that is not personal health data.’”
Thus, even with full HIPAA and other legal adherence, corporations retain an incentive to work in tandem with hospitals and insurance companies in all sorts of data-centric capacities—hence Amazon, Apple and other tech firms’ hunger for a piece of the lucrative health care industry pie.
The only way to prevent the further monetization of health care data, then, is the complete removal of the profit motive from health care. Alphabet, Google’s parent company, reportedly plans to apply and sell AI to health insurance companies and has invested in health insurance companies Oscar, Clover, and Collective Health. Apple and Amazon are in close proximity to other insurance companies, likely seeking to convert data into expensive medical procedures. The antidote isn’t simply better laws; it’s a fully publicly funded, single-payer system.
This, of course, isn’t a new observation: Public support for single-payer health care is overwhelming, despite what many policymakers would have their constituents believe. And when a toothless HHS investigation of Project Nightingale is legislators’ idea of justice for medical patients, that support will only grow more robust.