Four Democratic leaders on Monday wrote to Google and the hospital network Ascension Health asking for more information about how patient health data is being used and shared under a recent business arrangement.
The letters, which were addressed to the chief executives of both companies, noted that there are still open questions about Google's commitment to patient privacy. House Energy and Commerce Committee Chairman Frank Pallone Jr., along with members Anna Eshoo, Diana DeGette and Jan Schakowsky, called the agreement "disturbing" and noted that concerns have "justifiably" been raised about the hospital chain's decision not to notify its patients before moving ahead with its partnership. They requested a briefing by Dec. 6 to learn more about the data-sharing deal.
Earlier this month, the Wall Street Journal reported that 150 Google employees had access to data on tens of millions of patients without their knowledge. CNBC later reported, and the companies confirmed, that they had signed an industry-standard agreement that allows for some sharing of protected health information under the current health privacy rules, known as HIPAA, but forbids either company from using that data for any purpose but to provide patient care.
The intention for the project was to develop tools for Ascension's clinicians to more easily search the medical record, and it was part of a larger deal for Ascension to move to Google cloud and its G Suite of productivity apps.
But policymakers remain unconvinced by Google's stated intentions, and have asked for briefings by December 6 on exactly how the information is being stored in Google's cloud.
"Despite the sensitivity of the information collected through Project Nightingale, reports indicate that employees across Google, including at its parent company, have access to, and the ability to download, the personal health information of Ascension's patients," the letter reads.
Google, in a blog post and Q&A, acknowledged that some employees did have access to the information but stressed that it did not use the data for advertising purposes. The company has not disclosed anything further, and its internal health experts including its chief health officer Karen DeSalvo and vice president of health David Feinberg have stayed mum on the matter.
The disagreement comes as Google makes aggressive strides into the $3.5 trillion health sector, recently agreeing to acquire fitness tracker company and announcing a deal with Mayo Clinic. The medical industry is notoriously sensitive when it comes to privacy and security, and Google faces an uphill battle to prove that it can be trusted when it makes the bulk of its money through advertising, which relies on extensive use of customer data.
Whether the company broke the law or not, some health privacy experts have called for a review of the policies under HIPAA that allow for companies to share health data without informing patients. There are loopholes that allow for health providers to not notify patients that they've shared their data. Others say that such data-sharing programs are commonplace in the medical industry, but Google is getting scrutinized to a far greater degree in part because the company is not trusted by the public.
A spokesperson from Google did not immediately return a request for comment.