Published November 26, 2019, in the Harvard Business Review. Reposted with permission.
A recent agreement between Google and Ascension, a huge national health system, is yet another sign of how the digital revolution is transforming health care. We are at the dawn of a new era where clinicians will be able to apply in real time the collective human experience in treating any particular problem to the care of every patient with that condition.
But the critical reactions to the agreement — under which Ascension will send to the Google cloud the clinical data it collects on its 50 million patients, and Google will process that data to help Ascension better manage its patients and its finances — make it clear that changes of this magnitude are never smooth. The announcement generated concerns about patient privacy and the misuse of information for the private gain of third parties. It triggered an investigation by the U.S. Department of Health and Human Services and calls from members of Congress for further inquiries. We are obviously at the beginning of what will likely be a long, contentious, and vital debate over how to manage personal health information in the digital age.
Patients have an undeniable right to privacy and control over their personal health data. Doctors and hospitals need leeway to use patient information in their care. Patients, health professionals, and the larger society have an interest in learning from our collective experience with care to better prevent and treat disease. And tech entrepreneurs want a return on their capital when they add value to the management of health-care data. The coming debate will be about how to manage these sometimes conflicting interests as health information technology revolutionizes our health care system.
Setting the legalities aside for a moment, here are the fundamentals underlying the Ascension-Google relationship: Ascension sits on troves of data accumulated in the course of caring for millions of patients who pass through its facilities. That data used to be locked away in paper records that had to be physically transported and laboriously abstracted to serve any purpose other than the care of an individual patient at a particular place and time. As a result of the near-universal adoption of electronic health records over the last decade, all that information is now stored as electrons that can flow instantly to wherever it’s needed and useful, provided that patients’ privacy is protected.
This has several immediate benefits for patients. One is that their personal histories are always accessible when they get care at Ascension (and possibly elsewhere). Another is that Ascension’s doctors and nurses can potentially learn from the experience of all Ascension’s patients with similar conditions as they care for any individual patient. And by applying search technologies and artificial intelligence, Ascension may also be able in real time to mobilize lessons of the entire scientific literature to bring to bear on individual patients. That literature is so enormous that even the most experienced, specialized clinicians have difficulty keeping up with it. Ascension’s experience may also inform medical research more broadly.
The challenge is that accomplishing these innovative uses of electronic data requires a range of informatics, analytics, and research skills that most health systems don’t possess. One logical approach is for health care organizations like Ascension to partner with third parties that have the necessary capabilities. That’s where Google comes in. It has IT skills — including in the field of artificial intelligence — that Ascension can never hope to equal. And Google has been gobbling up nationally renowned clinician leaders and researchers to create a deep bench in health-care informatics and research.
In this, Google is not alone. IBM Watson has been in this field for some time. Amazon and Apple seem to be following suit. And there is a flock of start-ups hunting for opportunities to add value to health care by mining patient data. When health care, which accounts for 18% of the U.S. economy, suddenly enters the digital age — bringing almost inconceivably large stores of untapped data — the business opportunities are huge. Google is reportedly not charging Ascension for its services, but that is likely because of the exploratory nature of the work that Google will be doing at this point in the developing arena of health care informatics. Future customers are unlikely to be so fortunate.
The legalities, of course, cannot be set aside for long. The Google-Ascension deal will likely expose the personal health information of millions of Ascension patients to Google employees. Doesn’t this violate the Health Insurance Portability and Accountability Act of 1996 (HIPAA)? Health care providers routinely cite HIPAA as a tough, no-nonsense statute that severely inhibits their ability to share patients’ information with each other and even with patients themselves and their families.
Well, the fact is that HIPAA, despite its fearsome reputation, is full of holes, and lawyers for Google and Ascension likely found ample room in the law to support their agreement. For one thing, health care providers who are regulated under HIPAA, so-called covered entities, may share personal health information without patient consent for three main purposes: treatment, payment, and operations.
Treatment means that clinicians can discuss their patients with other treating clinicians without getting patients’ consent each time. Without this flexibility, doctors would be severely restricted in their ability to consult with colleagues for the benefit of their common patients. Payment means providers can use personal health information to get paid by insurers. And operations means that providers can use personal health information to address the critical operational needs of their organizations, including improving the quality and safety of their care. When a covered entity uses a third party to fulfill any of these purposes, that outside entity becomes a so-called business associate, and must conform to HIPAA regulations as well.
The data management activities that Google will undertake for Ascension may very well qualify as meeting Ascension’s operational needs to improve the quality of its care, and Google could, in that capacity, serve as a business associate. Under this interpretation, the sharing of patient data without patient consent could be legal under HIPAA. The U.S. Department of Health and Human Services, which enforces the HIPAA statute, is examining the relationship to see if it meets HIPAA requirements.
However, even if the relationship turns out to be technically legal, it raises significant unresolved policy issues. The lawmakers who created HIPAA never anticipated the internet, IT behemoths like Google and Apple, or the skill of hackers who seem to penetrate the most secure data systems at will. It is one thing to share a dusty old paper record with an outside entity. It is quite another to send electronic versions off into the cloud where — despite a third party’s best efforts — they might be hacked from anywhere on earth. HIPAA is likely no longer sufficient to reassure patients that their electronic health data is adequately protected.
Another question surrounds rights to the commercial benefits likely to flow from collaborations between health care organizations and IT companies. These agreements will likely produce a bounty of intellectual property that will be profitably sold without patient information (think algorithms and software) to other health care providers and even to other businesses that develop and market health care products (think pharmaceutical and device companies and health plans). Ultimately, however, these profits will be derived from the personal health information of millions of patients who will likely have no idea of how their data have been used. Should they be given the opportunity to consent to these business uses of their data? Should they share in some small way in the gains?
These and other questions will have to be addressed to realize the individual and societal benefits of the health information revolution, and we will have to sort out the multiple conflicting interests and perspectives that arise at every inflection point in human history.