Google's "Project Nightingale" is a cloud-based data mining initiative that proposes to analyze protected patient health information for the purpose of delivering targeted medical offerings. The problem? Well, for starters, it does not appear that anyone asked the patients, or most of their clinicians, for permission.
Ascension Health, which operates in 21 states, formed a business relationship with Google Nightingale that is now under federal HIPAA patient privacy and security scrutiny through the Department of Health and Human Services Office for Civil Rights.
While HIPAA allows covered entities to share patient information in the furtherance of patient treatment, payment, or healthcare operations, questions are now being asked about whether the purposes of Google's patient data analysis service actually meet any of these definitions. Further, Patient Bill of Rights proposals pending in Congress from both parties could require health care entities, "Google Nightingale," and other similar platforms to get explicit patient permission before being allowed to swap, access, and use patient health information.
"[C]overed entities may disclose protected health information to... a business associate only to help the covered entity carry out its health care functions — not for the business associate’s independent use or purposes"