Google’s researchers apparently didn’t obtain HIPAA releases from patients.

Recently, Google has made some stunning stumbles as it moves into the realm of handling healthcare data. 

First, this is surprising, considering the growing distrust among the public and regulators of platforms like Google and Facebook. Second, and more surprisingly, it seems Google failed to make sure it brought people to the projects who understood HIPAA.

On Nov. 11, Ascension announced on its website:

“Ascension, one of the nation’s leading non-profit health systems, is working with Google to optimize the health and wellness of individuals and communities, and deliver a comprehensive portfolio of digital capabilities that enhance the experience of Ascension consumers, patients, and clinical providers across the continuum of care.”

“The Ascension-Google collaboration will include:    

• Modernizing Ascension’s infrastructure by transitioning to the secure, reliable, and intelligent Google Cloud Platform. Key elements of this work will focus on network and system connectivity, data integration, privacy and security, and compliance.
• Transitioning to Google’s G Suite productivity and collaboration tools. Using G Suite will enhance Ascension associates’ ability to communicate and collaborate securely in real-time, supporting interdisciplinary care and operations teams across Ascension sites of care.
• Exploring artificial intelligence/machine learning applications that will have the potential to support improvements in clinical quality and effectiveness, patient safety, and advocacy on behalf of vulnerable populations, as well as increase consumer and provider satisfaction.”

Just days later, Google was apparently caught off-guard by what would have been one of the largest HIPAA violations in the history of HIPAA (the Health Insurance Portability and Accountability Act).

On Nov. 15, two days before Google was set to publicly post more than 100,000 images of human chest X-rays, they got a call from the National Institutes of Health (NIH), which had provided the images: and NIH noted that some of them contained details that could be used to identify the patients.

Google canceled the project. This is based on emails reviewed by The Washington Post and an interview with a person familiar with the matter, who spoke on the condition of anonymity to Washington Post reporters.

Stunningly, it appears that Google’s researchers didn’t obtain HIPAA releases from patients. They had rushed ahead without any thought of compliance issues. These assertions were apparently documented in emails the Washington Post obtained from a Freedom of Information Act request.

Considering our current political environment, in this election cycle, it would be very surprising to see regulators taking up privacy concerns like this one with Google. My question is, would you trust your medical records to the same people who don’t care if their subscribers running for elected office post fake political ads?