By Camille Stecker

Ascension is one of the country’s largest nonprofit health systems, based in St. Louis, with about 2,500 facilities in operation in over nearly two dozen states. Ascension is a Catholic health ministry that envisions “a strong, vibrant Catholic health ministry in the United States which will lead to the transformation of healthcare” through committed service and well-being to their communities. As a nonprofit health system, Ascension provided “nearly $2 billion in care” for people living in poverty and provided for other community benefit programs in 2018. Ascension is dedicated to transforming healthcare through innovation, which is the reason for the nonprofit’s new partnership with Google.

Google confirmed the new partnership is a “business arrangement to help a provider with the latest technology.” Therefore, Google will help Ascension integrate its different areas of health data into the Cloud. However, Google’s partnership is more than introducing the largest nonprofit health system to new technological advances, but the two major companies are working together “to analyze patient data and give health care providers new insights and suggestions for patient care.”

The main question is not if Ascension is following its mission of committed service for the well-being of its communities through its new partnership with Google, but if both major companies are following patient policy regulations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Google put out a statement that it is helping Ascension, similar to previous work with other healthcare providers, by providing the latest technology. Google helps healthcare providers manage their patient data “under strict privacy and security standards.”

The first focus is shifting Ascension’s infrastructure to the Cloud. As the healthcare environment and the digital world evolve, so must healthcare providers in order to provide the best service for patients. Therefore, the goal of this transition is to modernize Ascension. The major nonprofit health system will access their own data on the private and secure Google Cloud. The second focus is “[u]sing G suit productivity tools.” This will allow real-time communication and collaboration between Ascension employees. Finally, Google will extend tools to Ascension doctors and nurses with the goal of improving care. This element includes the possibility of “artificial intelligence/ machine learning applications,” which will improve clinical quality and patient safety.

Since Google and Ascension have three goals for their partnership, the big question is if they are subject to HIPPA. According to HIPAA, both companies are covered entities since Ascension is a healthcare provider and Google is a business partner of Ascension’s. Therefore, both companies are subject to the HIPPA Privacy Rule, which requires protecting “sensitive patient health information from being disclosed without the patient’s consent or knowledge.” Neither Google nor Ascension stated the specifics of how they are following HIPAA and it is unclear if they have consent or knowledge from Ascension’s patients.

However, the major goal of HIPPA’s privacy rule is to protect sensitive information but to also promote “high quality” health care. Even though Google and Ascension have three big goals that all include providing high-quality care for patients, the two companies are still required to follow HIPPA. The purpose of HIPPA is to have a balance between important and effective use of patients’ information while also protecting and securing the patient’s private information. Since Google and Ascension began their partnership over 150 Google employees have access to patient data without patient consent or knowledge which is in violation of HIPPA. However, Google did state that they are not using patient data for any other purposes than those established in the agreement and are not combining Ascension’s patient data with Google customer data.

Also, Google and Ascension not only have to follow the HIPPA Privacy Rule, but also the HIPPA Security Rule, which protects a subset of the information under the Privacy Rule. The information covered under the Security Rule includes “all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form.” HIPPA does not have a strict rule for covered entities to follow, except to use professional ethics and best judgment when disclosing information. For now, it is unclear if Ascension is using their best judgment and following their professional ethics in their partnership with Google.

Although there are still a lot of unanswered questions, Google assured everyone in their statement that none of the work done with Ascension is in active clinical practice, but rather in the early stages of testing. Unfortunately, this does not clear up the question if Google and Ascension are following patient policy regulations under HIPAA.

Student Bio: Camille Stecker is currently a second-year law student at Suffolk University Law School. She is a staffer for the Journal of High Technology Law. Prior to law school, Camille received a Bachelor of Arts Degree in English and a Master of Arts in English Language and Literature from St. Mary’s University in San Antonio, Texas.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.