The Nightingale Pledge for Nurses. CC by Wellcome Collection
My social media streams are blowing up with people asking me (a) do I know about Project Nightingale, and (b) what do I think about Project Nightingale (which seems, in most cases, to be code for “how scared should I be?”). And when the first thing I read about it was the WSJ piece, I also was a bit concerned (although I felt much better once I read better sources of information about this). Enough people are asking enough questions that, despite my rarely blogging any more (because I have articles and print publications gobbling up all my writing time!) I’m going to do a very brief post on this to save my time answering.
What is Project Nightingale?
Why did they keep this such a secret?
But Google BOUGHT Our Data!
Doesn’t HIPAA Mean This is Illegal?
But … What If Google Mixes this Data With Their Other Data?
So, This Isn’t a Bad Idea After All?
What Else?
What do I think?
What is Project Nightingale?
Project Nightingale (assumed to be named after Florence Nightingale) is another Google project. This one is based on a partnership with Ascension Health Care, and focuses on improving the healthcare experience and healthcare outcomes. It is doing this both through providing resources, support, and analysis for current clinical encounters for Ascension clinicians and patients, as well as developing future tools.
Why did they keep this such a secret?
They didn’t, exactly. You might have seen articles in the news with phrases like “patients not yet informed,” “Google began Project Nightingale in secret last year”, “Google’s secret cache,” and “Google Secretly Given Access To Medical Data of Millions of Americans,” but that isn’t strictly what happened.
Google had a phone call with their investors last July 25, 2019 where this was mentioned. There was a LOT of stuff mentioned in that phone call (the transcript is eighteen pages long!), and even in the area of health, they also mentioned BrightInsight, Sanofi, and Cardinal Health. The press releases for the various innovations mentioned in the call have been slowly rolling out, one by one. If you were an investor, you would have heard about it. If you scan their earnings calls, you would have known. If you want to see where the next thing is coming from, their Quarter 1 and Quarter 3 transcripts are also up, and you too can know all the things that are, ahem, secret(?). As in not really secret, just not discussed in the press yet. It’s unfortunate for Google that the Wall Street Journal announced this before their official press release came out, but it isn’t terribly surprising. Oh, and by the way? They have a LOT of healthcare customers they are already supporting in similar ways. Lots and lots and lots (over 50). If you are going to be upset about Ascension, you should probably also be upset about at least some of the others.
But Google BOUGHT Our Data!
Errrr. Well, actually, it looks more as if Google is being paid to help work with the data. Ascension is a customer, is described as a customer as well as a partner, and they have hired Google to do this work. Google describes it as “Our work with Ascension is exactly that—a business arrangement” while Ascension describes it as “working with Google to optimize the health and wellness of individuals and communities, and deliver a comprehensive portfolio of digital capabilities.” Business Wire describes it as “Ascension…is working with Google to…deliver a comprehensive portfolio of digital capabilities that enhance the experience of Ascension consumers, patients and clinical providers across the continuum of care.”
“Q: Is Google charging for these services?
A: Yes. Google is delivering services as part of a commercial contract with Ascension, just like any other work we do with healthcare providers.” Our Partnership with Ascension
Doesn’t HIPAA Mean This is Illegal? What about my PRIVACY?
The “P” in HIPAA doesn’t actually stand for privacy. It stands for portability. As in “Health Insurance Portability and Accountability Act.” The point of the “portability” idea is that it is actually a GOOD idea to be able to move health data from place to place. It is good for patients who change doctors, so they can take their own data wherever they want it to be. It is good for patients in the Emergency Room, so they can be treated without having to wait for someone to find their doctor on vacation, and hopefully this helps to avoid errors that can be prevented with this type of information. It is good for doctors and clinics, so they can get on with the business of actually helping the patients in their clinics in a timely and responsive fashion. It is good for researchers, so they can find new ways of helping people. It is probably good for a lot of other people, also, but you get the general idea.
Now, the privacy bit is a little more nuanced. You see, when they wanted to make it possible for health data to move from place to place, it became necessary to think about what could go wrong if that happened.
“The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information.1 To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.” Summary of the HIPAA Security Rule.
Portability came first. Privacy came second, hand in glove with security. Privacy and security are most definitely important, and there are very strict rules with clear penalties. Privacy applies first and foremost to the healthcare providers, the clinics and hospitals where they provide care, and the other staff and employees with access to the data. There’s another misunderstanding people have, where they believe that NO ONE is allowed to share the health data, but actually, patients can share their own data with whoever they want. That’s a whole different blogpost, though.
The gist of it is that, no, HIPAA doesn’t mean your clinic can’t share your data. It means they have to be very careful about who they share it with, how they share it, and that the people they share it with are legally bound to follow the same rules and are subject to the same penalties. This is true for whoever made the software they use to manage your data just as much as it is for the person who makes appointments in the clinic. In other words, if Ascension shared data with Google, and Google shared the data or used it in ways they shouldn’t, both of them would be in big trouble. Google is well aware of this, and emphasize that they have a Business Associates Agreement that describes the rules they are following.
“All of Google’s work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and come with strict guidance on data privacy, security and usage. We have a Business Associate Agreement (BAA) with Ascension, which governs access to Protected Health Information (PHI) for the purpose of helping providers support patient care. This is standard practice in healthcare, as patient data is frequently managed in electronic systems that nurses and doctors widely use to deliver patient care.” Our partnership with Ascension
Also, well, you remember all that paperwork you signed when you went to your clinic for the first time? You probably already gave them permission to share your data in exactly this way.
“Arguably requiring permission to be obtained before information could be sent to a subcontractor would interfere with smooth business operations.” Google-Ascension: Why Is HIPAA Probably Not Being Violated?
But … What If Google Mixes this Data With Their Other Data?
“To be clear: under this arrangement, Ascension’s data cannot be used for any other purpose than for providing these services we’re offering under the agreement, and patient data cannot and will not be combined with any Google consumer data.” Our partnership with Ascension
So, This Isn’t a Bad Idea After All?
I do not personally know anything about the insides of this specific project or partnership aside from the links above. I do know that in healthcare information technology, this is the kind of partnership we dream of, where people with a range of skills can use data in responsible ways to help create new solutions to help everyone. Solutions that will never ever exist if innovators and researchers don’t have access to a broad array of data representing the diversity of people we want to help. That may sound a bit pie in the sky, and it is, but “you may say I’m a dreamer, but I’m not the only one.” Basically, who knows what will really happen with this project, but the general idea is absolutely something we need.
Susannah Fox: “We as an industry have a lot of work to do to explain the scope of “health data” and “privacy.””
David Wang: “We (physicians) BEG for this in order to help transition care from hospital to home to ambulatory setting (among multiple specialists). There are SO many reasons this is SO important for high quality and SAFE patient care.”
Mrs. Bertha Mason-Rochester: “And I can’t get a copy of my old mammogram without going in person, filling out paperwork, waiting for a CD-ROM and delivering it to my doctor who then tells me it’s incompatible with their system.”
Kate Corbett: “Feedback on this demonstrates misalignment between public perception, what is necessary to deliver cost effective or #valuebasedcare, #HIPAA, and technological capabilities of @Google and other companies. A #HealthIT partner has to be a steward of patient interests as well.”
Chris Hogg: “I think I’m a contrarian on the @google @Ascensionorg news. Google is a clear Business Associate in this arrangement, and unless they violate HIPAA in the use of Ascension’s data, I think they can add a lot of value to (very siloed) data assets. And benefit patients and docs.”
Juhan Sonin: “Legal = ✔️[check]
Potential for interesting outcomes = ✔️[check]
Ethics scale = 🖕[thumbs up]”
Dan O’Neill: “It’s not obvious that this is new; hospitals have been using identified data to try to algorithmically predict re-admissions & adverse events for at least 10 years.
Also seems discordant to demand interoperability, then criticize data access when it happens at scale.”
What Else?
So what’s the problem, if this is actually legal, and Google does what they promised? The problem lies in the perception that there is a problem. As in trust. Here’s a few pieces about that aspect of the Google-Ascension partnership, what they maybe should have done instead of how this unrolled, and … consequences of a lack of trust.
Will Technology Cure Americans’ Health Care System Ills? Considering Google and Ascension Health’s Data Deal by Jane Sarasohn-Kahn.
Also, there’s this thing happening, a federal enquiry looking into the Google-Ascension partnership. I don’t know if that’s happening just because this all exploded in the news, or if there is other information that led to this. But it is definitely a thing.
What do I think?
I think that if Google upholds the principles and guidelines of the original Nightingale Pledge, all will be well.
“I solemnly pledge myself before God and in the presence of this assembly to pass my life in purity and to practise my profession faithfully.
I shall abstain from whatever is deleterious and mischievous, and shall not take or knowingly administer any harmful drug.
I shall do all in my power to maintain and elevate the standard of my profession and will hold in confidence all personal matters committed to my keeping and all family affairs coming to my knowledge in the practice of my calling.
I shall be loyal to my work and devoted towards the welfare of those committed to my care.”
Emerging Technologies Librarian 
On the issue of patient permissions… Unless I missed it, I’ve never been given the choice to NOT be part of an EHR system.
LikeLike
Thank you, Matthew! This is a very important point to bring up, and I’m seeing it a lot on Twitter. The response from folk there seems to be along the lines of … so, this is legal, but should it be? Do we need to change our laws to give patients more personal control, or to require advance notification and consent at the time of data sharing, or … what? I’m glad you commented here so that this aspect of the conversation can be attached to the post for other readers. Much appreciated!
LikeLike