Well-known physicians Robert Wachter, M.D. and Christine K. Cassel, M.D. have penned an opinion piece in the JAMA Network online publication. On January 16, they authored “Sharing Health Care Data With Digital Giants: “Overcoming Obstacles and Reaping Benefits While Protecting Patients.” Dr. Wachter is chairman of the Department of Medicine at UCSF Health in San Francisco, and is very well-known as the author of the 2015 book The Digital Doctor: Hope, Hype, and Harm at the Dawn of Medicine’s Computer Age. Dr. Cassel spent years as president and CEO of the National Quality Forum, and is now planning dean of the new Kaiser Permanente School of Medicine.
As Drs. Wachter and Cassel write, “In November 2019, The Wall Street Journal revealed that Ascension, a large nonprofit Catholic health system with facilities in 23 states, had allied with Google to share data about millions of patients, under the code name “Project Nightingale.” The goal was to store patient information in Google’s cloud, then apply machine-learning technology to deliver recommendations or predictions to clinicians and administrators at Ascension. Presumably, Google also hoped to gain insights and build products that could ultimately be scaled and monetized. While the stated objective (improving the quality and efficiency of care) was noble, the response to the partnership was obscured in its own cloud of mistrust in Google’s announced commitment to keep these data private and separate from the company’s other data and also of questions regarding the propriety of health care organizations sharing patient data with companies. After the story became public and federal regulators announced their intent to investigate the arrangement, leaders at both organizations issued statements defending the deal.”
As the doctors note, “This was not the first time that data-sharing arrangements between health care delivery organizations and digital companies has generated public controversy. A partnership announced in 2016 between Google subsidiary DeepMind and England’s Royal Free NHS Trust raised concerns, as did a Google collaboration with University of California San Francisco, Stanford University, and the University of Chicago, announced in 2017. The latter case led to a lawsuit against the University of Chicago and Google, recently discussed by Cohen and Mello.4 They noted that these data-sharing arrangements illustrate the need to modernize the Health Insurance Portability and Accountability Act (HIPAA), which they suggested is “a 20th-century statute ill equipped to address 21st-century data practices.”
Further, they say, “Although the arrangement between Google and Ascension appears to comply with HIPAA and other relevant regulations, the concerns illustrate how fraught such data-sharing arrangements between health care delivery organizations and large digital companies can be and highlight the need for new standards that allow society to leverage the opportunities that technology offers patients while ensuring privacy.”
The doctors have several important recommendations, including:
Ø The ever-present threat of hacking requires that “data collected by healthcare systems be stored in industrial-strength off-site clouds rather than in on-site servers.”
Ø Second, that artificial intelligence and machine learning have the potential to improve patient outcomes and lower costs, but, “The problem is that few hospitals and clinics can afford the equipment and experts needed to apply these techniques to their clinical data.”
Ø They strongly advocate for transparency, which they call “crucial.” They note that “The response to and perception of the arrangement between Ascension and Google might have been different had information about the arrangement come to light through a public announcement explaining the potential benefits and addressing potential concerns.”
Ø Further, patients “have a right to participate in discussions about how their data will be used.”
Ø And, they note, “The issue of identified vs. deidentified data is central. Healthcare professionals need to be able to securely store data that includes relevant patient information in the clouds of digital companies. But for arrangements in which such companies are analyzing the data for research purposes or to create new products, the information they receive should be stripped of all elements that could identify an individual patient.”
Drs. Wachter and Cassel are careful in their opinion article not to close off what they see as positive potential uses for data collection and data sharing that could bring benefits to patients. But they also frame everything cautiously and thoughtfully. As they note in their conclusion, “An important concern about the public reaction to health care data sharing, as illustrated by the Ascension-Google case, is that such arrangements will be made illegal, or that the political fallout will cause risk-averse health care organizations to eschew them. While some might see this as a positive outcome,” they write, “ultimately it could prevent patients and clinicians from realizing improvements in quality, safety, convenience, and efficiency that will be facilitated by intelligently created and ethically delivered artificial intelligence and machine learning. Health care needs the help of digital experts and technologies but also needs clear regulations and ethical standards to ensure that inappropriate data sharing is precluded, that useful data sharing is facilitated, and that patients’ personal health information is protected.”