America’s data privacy laws aren’t bad so much as they’re nonexistent. There’s no general federal data privacy law at all, and only a few states have attempted to pass meaningful legislation on the topic. While laws like HIPAA (Health Insurance Portability and Accountability Act) do have something to say about who is allowed to access patient medical records without the patient’s consent, it’s clear now that even this law is woefully inadequate to the privacy challenges of the 21st century.
Google has a deal with the second-largest health-care systems in the United States, Ascension, to gather and crunch data on millions of Americans across 21 states, according to the Wall Street Journal. The initiative is codenamed “Project Nightingale,” and is described as “the largest in a series of efforts by Silicon Valley giants to gain access to personal health data and establish a toehold in the massive health-care industry.” Amazon and Microsoft are also described as muscling into the medical industry, though apparently they have yet to strike deals quite this large.
The Data Isn’t Anonymized
The WSJ claims that the data “encompasses lab results, doctor diagnoses, and hospitalization records, among other categories, and amounts to a complete health history, including patient names and dates of birth.” Neither patients nor doctors have been notified in their inclusion in these data sets. All of this is legal under HIPAA, which allows hospitals to share data with business partners so long as the information is being used “to help the covered entity carry out its health care functions.” Apparently some employees of Ascension attempted to raise concerns about how this data was being used, but their complaints were dismissed, according to the report.
In the hypothetical universe in which Google intended to carry out this research in good faith, it would announce its efforts, accept only data from patients who opted in, conduct the difficult work of contacting all of those patients or their next of kin, pay their families for the value of the data it intended to mine from their lives, thoroughly anonymize the data, and take other various steps to establish trust when handling something as sensitive as a person’s medical data. In this fantasy, Google would also recognize that a great deal of data misuse and abuse happens because data is passed off to an endless succession of third parties and that it had a moral obligation to ensure that the valuable information it gathered would not be misused. Comfortable with its own ability to take on this responsibility, Google would publicly discuss how it protected our data.
But all of that is difficult. It’s much easier to secretly negotiate access to the information and build databases on people’s medical histories without consent. It’s easier for Ascension to ignore its own employees when they raise ethical concerns about these arrangements. It’s easier to take advantage of a loophole in federal law than to admit that this loophole is bad and needs to be closed.
Google undoubtedly has a lot of arguments about how it’s doing this for the best of reasons. That’s unsurprising. It was Google’s Larry Page who first said that medical data should be public knowledge in the first place. Larry Page, billionaire, and CEO of Alphabet, apparently cannot conceive of the idea that someone might be discriminated against if their private medical information became public knowledge. In his comments on this topic, Page has argued that there is no reason for anyone to hide this information and that he believes people do so because they are afraid of not qualifying for insurance. The idea that people might struggle to find employment or face other sorts of discrimination as a result of chronic illness or injury did not seem to have occurred to him in 2013. If it’s occurred to him since, he’s kept quiet about it.
The Lack of Disclosure Is a Problem. So Are Some of the Goals.
The WSJ takes pains to note that Google wants to build AI engines to better diagnose patients, while Ascension is looking for ways to improve outcomes and save lives. This is probably true. A lot of people are aware of how deeply broken the US healthcare model is, and how great the need for solutions is. The problems are complex because the system is incredibly complex. An AI system for effectively and quickly diagnosing patients that can deal with far-flung locations and treat or analyze patient data remotely and cheaply is an intrinsically attractive idea. People who want to be helpful go into these fields hoping to do something about their problems.
But if there’s one thing we’ve hopefully collectively learned from privacy disaster after privacy disaster, it’s that we can’t just emphasize the positive. The WSJ writes that Google is working with Ascension at no cost because it wants to build a healthcare database it can sell to other providers. Ascension, for its part, openly acknowledges that one of the goals of its program is to increase revenue from patients.
Ascension, a Catholic chain of 2,600 hospitals, doctors’ offices and other facilities, aims in part to improve patient care. It also hopes to mine data to identify additional tests that could be necessary or other ways in which the system could generate more revenue from patients, documents show. Ascension is also eager for a faster system than its existing decentralized electronic record-keeping network. (Emphasis added).
Given that the cost of interacting with the US medical system has been rising for decades, it’s appropriate to ask why it’s appropriate to adopt a new medical system on the basis of extracting higher revenue from patients. Ascension is supposedly a non-profit, religiously affiliated healthcare organization. US healthcare cost growth is out of control, and employees shoulder an ever-larger share of that burden.
Expensive AI-driven systems are not going to be adopted because they identify revenue opportunities with marginal value — say, targeting rich people who might like to have a little more elective plastic surgery. The push for such systems is going to happen in part because they’re good at finding new revenue sources. And over-testing is already a huge problem in the American healthcare system.
Waste, in total, is estimated to account for roughly 25 percent of all American healthcare spending. Of the estimated $760 – $935B in wasted American healthcare costs as of 2019, between $77B and $102B is estimated to be caused by either over-treatment or poor-quality treatment. It’s one of the largest single categories. This is not to say that people who need tests shouldn’t get them — of course they should — but when evaluating patients to see if they are receiving proper tests, the focus should also be on making certain tests are not performed unnecessarily. If Ascension considered the moral obligation it had not to charge people for tests they didn’t need, the WSJ does not mention it.
Now that they’ve been discovered, Google and Ascension are claiming to have had users’ best interests at heart… just not enough to tell them in advance. Google has been found to be violating the privacy of its own users in so many various ways over the years, from Google Plus to Android, it strains credulity to see these issues as individual innocent mistakes. Now we discover the company is doing it again, this time with personal medical data it ought to have no legal right to receive in the first place.
I bet they even promised it would only be shared with trusted partners. You know — like the 150+ Google employees that already have access to the personal healthcare records of tens of millions of Americans, according to the WSJ.
- DeepMind’s StarCraft II AI Can Now Defeat 99.8 Percent of Human Players
- Home Builders are Reportedly Dumping Nest After Google’s Changes
- How Google Legally Profits From Massive Fraud on Its Platform (and What You Can Do About It)