by hellllllllooo on 11/12/19, 3:44 PM with 115 comments
by dragonwriter on 11/12/19, 6:19 PM
From the news article (I don't have time to review the source leak independently) there doesn't seem to be anything really concerning here. The closest to an indication of anything wrong seems to be that someone raised an issue about the risk of improper employee use of data and a need for training around that in an internal meeting on the project and has not received a formal specific response on that issue from corporate leadership. Having spent a long time in HIPAA-related work, that neither that issue being raised in regard to a new project or the fact that it was raised being merely one of many inputs into a policy generating process that makes general adjustments considering a wide range of concerns, legal parameters, and other issues but not receiving a specific direct response seems...pretty typical. And HIPAA does not require notification or opt-in (or even opt-out opportunity) for data sharing between a covered entity and Business Associate, as BA’s are (while under HITECH independently subject to HIPAA privacy and security rules) basically considered institutional agents of the covered entity to which the covered entity’s authority to have and use data is delegated under the Business Associate agreement.
I don't know if there is really nothing of concern in the dump or the journalists covering it don't have enough understanding of the domain to even distinguish things that would indicate a problem, but what it looks like from the news article is a “whistleblower” making accusations and dumping docs, but nothing substantial and concrete in the docs supporting the thrust of the “whistleblower’s” accusations of wrongdoing.
by altgoogler on 11/12/19, 8:50 PM
I'm not going to comment on this specific case but I do have almost a decade of previous non-Google experience working in clinical documentation technology.
As others have said, entering into a BAA with a covered entity, as HIPAA defines it, shouldn't be seen as a controversial action.
There are numerous problems in healthcare that are too complex for individual health systems to tackle. For example:
* Population Health: are there emergent changes in the regional population? What do you do about it?
* Continuity of Care: The number of individual providers involved in a particular person's care continues to grow. How can you effectively inform the entire team--across health systems--what's most important for an individual now? How do you make sure nobody drops the ball?
To give you an idea of the scale, I have two examples. The first is MD Anderson Cancer Center in Houston. They used to have 200+ engineers working on their sophisticated home-grown EMR. It was a huge undertaking. But even with MDACC revenue, that development was unsustainable, and they moved to a 3rd party EMR vendor.
Second is the Mayo Health System. Another huge provider with facilities not just in flagship Rochester MN, but in several other sites. Again, there were realities that even at this scale internal development isn't sustainable across the board and they wound up with a $100M+ adoption of a 3rd party vendor.
And this is mostly straight-forward CRUD-level workflows. The technology is straightforward but the workflow expertise is not.
Now, try and solve some bigger problems. You're going to need help to do this at scale, and trying to solve it necessarily means giving access--not control of!--to medical records to drive R&D. It's happening right now, and Google is not the only player doing this at scale. They're not even the largest one.
Lastly HIPAA controls have real teeth, in comparison to the general consumer space (at least in the US).
by yRetsyM on 11/12/19, 4:22 PM
Also - The deal was only just signed, e.g. the transfer hasn't happened yet?
There's a lot of hearsay in all of this reporting...
by SEJeff on 11/12/19, 4:13 PM
https://www.hhs.gov/hipaa/for-individuals/guidance-materials...
by chooseaname on 11/12/19, 5:25 PM
This is the most scary part[0]. I'm sure plenty here would disagree, but I simply don't (yet) share your optimism for A.I.
[0] Not that the rest isn't scary.
by Aaronstotle on 11/12/19, 4:58 PM
by rayuela on 11/12/19, 4:39 PM
by valiant55 on 11/12/19, 9:25 PM
> Among the documents are the notes of a private meeting held by Ascension operatives involved in Project Nightingale.
The whole article is written like they are trying to tell a spy story which brings into question the credibility that there's any wrongdoing.
by Braggadocious on 11/12/19, 6:37 PM
by vfclists on 11/13/19, 12:40 AM
As a UK based paper Guardian could at least focus on British issues
by me_me_me on 11/12/19, 4:37 PM
by 1_over_n on 11/14/19, 5:50 AM
by drcode on 11/12/19, 8:30 PM
Google and other large companies have made some significant AI advances in the last decade & I think it's in all of our interests to see if these advances can lead to improvements in health care.
Yes, it's scary how much data these companies have collected about us, but there are other things in the world which are even more scary, like heart attacks and cancer. I think we need to stop having an automatic knee-jerk reaction every time a company gets access to our data, especially if proper legal protocols with privacy protections are being followed, as it appears to be in this case.
Of course, I would love to live in a world with 100% perfect personal privacy AND perfect treatments for all diseases, but we don't live in that world: In our world, as we move forward, there are going to be difficult tradeoffs between health innovation and patient data access: We should try to navigate these tradeoffs in a level-headed way, without just insisting on greater walls around all data in every instance.
by JohnFen on 11/12/19, 10:54 PM
by Lagogarda on 11/12/19, 9:14 PM
by kyrra on 11/12/19, 4:16 PM
by swedtrue on 11/12/19, 6:02 PM