Google this week announced a partnership with Ascension—the second largest health system in the United States—as part of an effort to break into the health-care industry. Google plans to collect and mine the personal health data of some 50 million patients. Though both companies claim that they are compliant with Health Insurance Portability and Accountability Act (HIPAA) standards, the partnership drew criticism from the general public as well as regulators and lawmakers in Washington.
The Wall Street Journal reports that data is already being transferred to Google’s cloud without the prior knowledge of stakeholders, including patients and medical practitioners within the Ascension health-care system. Data will eventually be reviewed by artificial intelligence to determine the riskiness or effectiveness of given health-care routines and procedures. Though HIPAA permits health information to be distributed to partners without the consent of affected patients, concerns have been raised that Google may not use the data strictly for HIPAA-permissible “health-care functions,” and about which Google employees will be able to view the data. In a blog post responding to the initial outcry, Google writes: “We have a Business Associate Agreement (BAA) with Ascension, which governs access to Protected Health Information (PHI) for the purpose of helping providers support patient care. This is standard practice in healthcare, as patient data is frequently managed in electronic systems that nurses and doctors widely use to deliver patient care. To be clear: under this arrangement, Ascension’s data cannot be used for any other purpose than for providing these services we’re offering under the agreement, and patient data cannot and will not be combined with any Google consumer data.”
Google’s deal with Ascension, dubbed “Project Nightingale,” comes only months after YouTube, owned by Google, was fined for unlawfully using data it obtained on children accessing its site to target advertising at them. Earlier this year, The New York Times reported that Google was fined in France under Europe’s new General Data Protection Regulation for poor public communication on the company’s user data collection and its use in personalizing ads.
Implications for Boards: Consumers are increasingly concerned about how their data is collected, used, and shared. Boards should be aware of what consumer data the company collects, how the company secures and uses that data, and what the legal and reputational liabilities are in the event that data is breached. In the event that the company partners with another company to realize long-term strategic goals, boards need to ascertain how the partner company manages and secures data, and whether its practices are compliant with current regulations. In addition, if a data-collection venture stands to be highly controversial, the board may want to be apprised of the implications for the company’s reputation and of the company’s stakeholder communication plan.
Key Questions Directors Should Ask:
NACD Resources: The blog post “Responsible Privacy: Is the Board Doing Its Part?” details how boards can improve data oversight by asking the right questions, understanding the business purpose of data, and reviewing third parties to ensure they operate with the same privacy and compliance standards. Our Director FAQ, The Board’s Role in Data Privacy Oversight, provides an overview of the board’s duties in ensuring data privacy and helps directors test the strength of their data privacy programs. The NACD Director’s Handbook on Cyber-Risk Oversight focuses more on cybersecurity, but touches on legal implications related to cyber risks and how boards should work with management to better understand and structure cybersecurity processes.