“OK Google – What do you know about me, my health, and what’s in my medical records?”
By now, you’ve most likely heard about Google’s ‘secret’ data-sharing initiative, “Project Nightingale.” Last November, The Wall Street Journal unveiled the partnership between Google and the St. Louis-based Ascension healthcare chain. The article revealed the shocking news that Ascension had transferred the private medical records of 50 million Americans in 21 states to Google for data-mining purposes.
If you’ve ever sought care at Ascension, Google now knows your name, address, date of birth, doctor’s name, diagnoses, medications, lab tests, hospitalization history, your children’s sensitive conditions (including mental health), your answers to those pesky clinic questionnaires, and a swath of other sensitive and intimate information written in your medical record.
The Google-Ascension partnership is (unfortunately) very legal, thanks to the so-called federal HIPAA “privacy” rule. Unknown to most Americans, HIPAA swung the door wide open for data-sharing shenanigans like this. The “health care operations” (HCO) provision in HIPAA, with its nearly 400-word definition, permits the sharing and use of your identifiable data for at least 65 non-clinical business activities, including detailed profiling of you and your doctor. According to a 2010 federal rule, over 2.2 million entities (plus government agencies) could be given access to your medical records without consent because of HIPAA, unless there’s a stronger state privacy law – like in Minnesota.
Source: “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act,” RIN: 0991–AB57, Federal Register, Vol. 75, No. 134, July 14, 2010 (see pages 40872, 40906, 40907, 40911).
Minnesota Stands Alone
Under HIPAA, the one holding the patient’s information decides who gets access. Under Minnesota law, the patient decides.
Minnesota has the strongest medical privacy and patient consent rights law in the nation. With only three exceptions to the consent requirement, the Minnesota Health Records Act (MHRA) protects Minnesota patients from large data corporations, health industry giants, and government overreach. It is the last safeguard in America against the unconsented sharing and use of patient data by entities in and outside of the exam room.
However, major corporations, health plans, researchers, hospitals, and government agencies are working overtime to get state legislators to repeal the law, and let patient data be shared without consent for “treatment,” “payment” and the 65 non-clinical business activities listed under “health care operations.” In short, these industry players want Minnesota to switch to the permissive HIPAA data-sharing rule so they can snatch your data and run with it.
A rule that allows the sensitive medical details of 50 million Americans to be shared with Google without consent is clearly not protecting patient privacy, despite the many claims that HIPAA protects privacy.
Hospitals Are to Blame
Google couldn’t get patient data unless hospitals and health systems shared it. But hospitals are chomping at the bit to sign agreements with gigantic tech companies and allow them to comb through their treasure troves of identifiable patient data.
For example, Microsoft signed a partnership with Providence St. Joseph Health to enable data-driven clinical and operational decision-making, as well as a seven-year partnership with Humana to improve artificial intelligence (AI) and machine learning research, “enabling a ‘truly longitudinal view’ of its members’ health histories,” reports FierceHealthcare. Meanwhile, Amazon and Cerner, an electronic health record company used by about 26% of America’s hospitals, are in a joint data-sharing venture to develop new predictive technology for earlier health interventions—and to use Alexa-like technology to transcribe private patient-doctor conversations directly into Amazon’s servers.
The real irony is this: Google, Amazon, and Microsoft can access your personally identifiable data with the click of a mouse, yet you are often forced to go to extraordinary lengths just to see your own medical record.
What emerges from this mass roundup of patient information may or may not be in the best interest of American patients. Research can be great, and even lead to positive discoveries in medical treatment. But analytics done to meet the cost-crunching priorities of health plans, hospitals and government can lead to restrictive treatment decisions driven by cold corporate algorithms.
Patients have a fundamental right to privacy and the dignity it protects. They must be allowed to control who can and cannot see their medical records. Hospitals should also be required to ask for consent, not assume they have a right to do whatever they want with your data.
Calling on Minnesota Lawmakers
As the 2020 legislative session approaches, state lawmakers should not give in to the demands of industry lobbyists. If the Minnesota legislature does not defend the public’s right to medical privacy, HIPAA certainly won’t. To shield patients from HIPAA’s long list of permitted privacy violations, Minnesota’s senators and representatives should defend the Minnesota Health Records Act from those who want it repealed or changed so they can use our data for their own purposes.
Twila Brase, RN, PHN, is president and co-founder of Citizens’ Council for Health Freedom. Richard Larkin McLay is CCHF’s communications manager.