Google has used contract swaps to get bulk access terms to NHS patient data

New Scientist has obtained a legal agreement between Google’s health division and the UK National Health Service (NHS) that includes provision to pass five years’ worth of patient data in bulk as part of a contract novation process.

If you’re feeling a sense of déjà vu, that’s quite right: back in 2016 it emerged — also via a New Scientist Freedom of Information request — that Alphabet-owned DeepMind, acquired by Google in 2014, had received a bulk patient data injection from a London NHS Trust.

The revelation that vast numbers of NHS patient records (around 1.6 million in that case) had quietly been passed to a Google-owned company led to a lengthy regulatory investigation and, finally, in 2017, a finding that the Royal Free NHS Trust had breached UK law when it passed patient data to DeepMind for the development of an alerts app called Streams.

But despite the finding of no legal basis for data to be shared during the app’s development, DeepMind continued inking agreements with NHS Trusts.

It also went on an aggressive PR offensive — holding meetings with patients, publishing its contracts with NHS Trusts (albeit with redactions), and establishing an independent oversight board to scrutinize its health division.

These DeepMind-appointed reviewers went on to warn about the risk of the company being able to exert excessive monopoly power as a result of the streaming data-access infrastructure it was contractually bundling with the Streams app.

And then last year a bombshell announcement: DeepMind’s health unit would be folded into Google — as part of a business reorganization instructed by their shared parent, Alphabet. The controversial takeover was completed last month. So for DeepMind then read Google now.

The move made DeepMind’s years of protestations during the data governance scandal — when it had claimed repeatedly that patient data would never be shared with Google — entirely worthless. UK citizens’ medical records are now headed directly for Google’s servers.

Three years on, it’s as if nothing much has changed except the order of names, regardless of a regulatory slap-down and pointed guidance from the UK’s National Data Guardian on the use of patient data for app development.

Taunton and Somerset NHS Foundation Trust — one of the trusts that signed a five-year contract with DeepMind for Streams — has inked a new contract with Google which includes the same provision for “active” patient data to be passed in bulk.

This is a curious backwards twist given the Trust is what’s known as a ‘global digital exemplar’ (GDE), meaning it has received extra government funding for digital best practice in areas such as information sharing, in order to create a model for digital transformation that other trusts can follow. In its case that includes developing open APIs using an international standard for data interoperability between healthcare systems known as FHIR (aka Fast Healthcare Interoperability Resources).

DeepMind, meanwhile, bundled the licensing of an FHIR API into its Streams contracts with Trusts — meaning it would own the underlying delivery architecture for data-dependent digital services as well as the Streams app itself. And the new contract Taunton has inked with Google covers the same ground, with clauses pertaining to the design and development of the FHIR API for Streams.

It also includes an unredacted section specifying that this FHIR API, now provided by Google Health UK, will act as the gateway via which third party app makers (initially on iOS) can gain access to “relevant Trust data”.

But with commercial sections of the contract redacted it’s not clear whether Google will charge developers for API access. When we asked DeepMind’s founder about that point back in 2016, Mustafa Suleyman told us he “didn’t know”. (Google did not respond to a question now about Streams commercial terms.)

Google’s novated contract with Taunton includes provision for sending five years’ worth of historical encounter and diagnostic information on patients, as well as the electronic patient record database in bulk.

We asked the Trust why the contract includes provision to pass patient data in bulk now it has its own FHIR APIs readily available. A spokesman told us it’s because “back in 2016 when we signed the contract we weren’t a GDE so didn’t have access to FHIR” — adding that “we would have needed to cancel the contract and renegotiate, whereas we have novated it like for like”.

Yet one NHS Trust, Yeovil, chose not to novate its contract from DeepMind to Google, having never rolled out the Streams app. So, in Taunton’s case, it’s not entirely clear why it went ahead and novated.

Its spokesman confirmed to us it hasn’t rolled out Streams either. Nor does it have any plan to do so at this time, he said.

But a Google spokeswoman told us the Trust has an agreement with Google Health to explore what she couched as future collaborations on ways in which mobile tools could support its digital priorities.

Taunton’s spokesman suggested that if the Trust were to move forward with Google on developing digital healthcare apps that made use of the bulk patient data provisions in the novated contract it would seek to consult with patients beforehand. But the contract terms do already provide for access to patient data.

The spokesman suggested the Trust is viewing maintaining a contractual relationship with Google-DeepMind as an “opportunity”. Though it’s not clear whether it risks being contractually bound to Google as sole FHIR API provider for any third party digital healthcare apps. Or whether it could use its own FHIR infrastructure to open up to outside innovation despite having inked this agreement with Google. (We’ve asked the Trust for technical and legal clarification of that.)

Taunton also sent us this statement, attributed to David Shannon, its director of strategic development:

No patient data is currently shared between Taunton and Somerset NHS Foundation Trust and DeepMind or Google Health, nor are we using any Google Health applications. If we were to work with DeepMind or Google Health on any digital innovations to support patient care in the future, the work would be led by clinicians and we would engage openly and transparently with our patients. When we signed the contract with DeepMind in 2016 we did not have FHIR infrastructure but we are now a Global Digital Exemplar and would use the most appropriate, secure technology available to us.

We contacted the UK’s data protection watchdog, the ICO, for a reaction to confirmation that the novated contract provides for bulk data to be passed to Google — and a spokesperson pointed us to a statement it issued earlier this month, when it said: “Although the ICO cannot approve the steps taken to mitigate any additional risks to personal data as a result of contractual changes, we have been regularly updated on these changes and have made the organisations aware of their obligations under data protection law.”

In July the regulator also posted an update on its Royal Free Streams app investigation, writing then:

… ahead of the transfer of Streams from DeepMind to the new Google Health Unit, the ICO has made it clear to controllers using the Streams service that they will need to have the appropriate legal documentation in place to ensure their processing is in line with the requirements of the GDPR [General Data Protection Regulation]. Organisations must assure themselves and document how they have taken appropriate steps to mitigate data protection risks beyond contractual obligations and the obligation on Google Health under data protection law, such as audits, reports and other appropriate measures.

As we’ve said, Google’s contract with Taunton is redacted to remove all details about commercial terms, so it’s not clear what terms are being attached to potential future work on Streams or an FHIR API for third parties. DeepMind had, though, been offering the Streams bundle free to Trusts for the first five years, with payments only kicking in if its service support costs exceeded £15,000 a month. So presumably the terms remain the same for the duration of the original contract term.

Taunton’s bulk data provisions in the new contract with Google define “active” patients — which is the only type of patients whose data can be passed, per its stated terms — as “(1) Patients with open elective pathways; (2) Patients with emergency admission pathways with unscheduled pending activity; (3) Patients with emergency admissions within 6 months prior to the point of transfer (i.e.) before Streams go-live;”.

Sam Smith, coordinator at health data privacy advocacy group MedConfidential, argues this is a contradictory definition for a one-off upload. Or else it will entail a huge amount of work for the hospital which, he says, also won’t help patients who don’t meet the ‘active patients’ definition the day before the export but will the day after.
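To make Smith’s point concrete, here is an added example (not code from the contract, the Trust or Google) that applies the three “active patient” criteria as a point-in-time filter over a handful of constructed patient records. The record fields, identifiers and dates are invented for illustration, and “6 months” is assumed to mean 182 days. Running the same filter on the transfer day and on the following day shows that the selected cohort shifts in both directions, which is why a single bulk export cannot stay consistent with a definition that depends on the date it is evaluated.

```python
"""Point-in-time 'active patient' filter (added example, constructed data).

The three criteria paraphrase the contract wording quoted above; field names,
patient identifiers and dates are constructed and not real NHS data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Pathway:
    kind: str                       # "elective" or "emergency"
    opened: date
    closed: Optional[date] = None   # None means the pathway is still open
    pending_activity: bool = False  # unscheduled activity still outstanding


@dataclass
class Patient:
    patient_id: str                 # constructed label, not a real NHS number
    pathways: List[Pathway] = field(default_factory=list)
    emergency_admissions: List[date] = field(default_factory=list)


SIX_MONTHS = timedelta(days=182)    # assumption: "6 months" read as 182 days


def is_active(p: Patient, as_of: date) -> bool:
    """True if the patient meets any of the three criteria on the given day."""
    for pw in p.pathways:
        is_open = pw.opened <= as_of and (pw.closed is None or pw.closed > as_of)
        if pw.kind == "elective" and is_open:                  # criterion (1)
            return True
        if pw.kind == "emergency" and is_open and pw.pending_activity:  # (2)
            return True
    cutoff = as_of - SIX_MONTHS                                # criterion (3)
    return any(cutoff <= adm <= as_of for adm in p.emergency_admissions)


def active_cohort(patients: List[Patient], as_of: date) -> Set[str]:
    """The set of patient ids that a bulk export on `as_of` would include."""
    return {p.patient_id for p in patients if is_active(p, as_of)}


def cohort_drift(patients: List[Patient], day_before: date,
                 day_after: date) -> Dict[str, Set[str]]:
    """Who drops out of, and who newly enters, the cohort between two days."""
    before = active_cohort(patients, day_before)
    after = active_cohort(patients, day_after)
    return {"only_before": before - after, "only_after": after - before}


# Constructed sample: a transfer day and the day after it.
TRANSFER_DAY = date(2019, 9, 30)
DAY_AFTER = TRANSFER_DAY + timedelta(days=1)

SAMPLE_PATIENTS = [
    # A: open elective pathway, active on both days.
    Patient("A", pathways=[Pathway("elective", date(2019, 8, 1))]),
    # B: emergency admission exactly 182 days before the transfer day; it
    #    falls inside the window on 30 Sept and outside it on 1 Oct.
    Patient("B", emergency_admissions=[TRANSFER_DAY - SIX_MONTHS]),
    # C: admitted as an emergency on 1 Oct, so not active until the day after.
    Patient("C", emergency_admissions=[DAY_AFTER]),
    # D: closed elective pathway and no admissions, never active.
    Patient("D", pathways=[Pathway("elective", date(2018, 1, 1),
                                   closed=date(2018, 3, 1))]),
]

if __name__ == "__main__":
    print("export on transfer day:", sorted(active_cohort(SAMPLE_PATIENTS, TRANSFER_DAY)))
    print("drift by next day:", cohort_drift(SAMPLE_PATIENTS, TRANSFER_DAY, DAY_AFTER))
```

Patient B is included only if the export runs on the transfer day, and patient C only if it runs a day later; a one-off upload therefore either over-collects relative to the definition on every later day or under-serves the patients who become “active” afterwards, which is the tension Smith describes.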

“These deals show just how little has changed for one of the most controversial NHS data projects of the last half decade,” he said in a statement. “Despite the deal with the Royal Free being ruled unlawful, Trusts have now signed contracts to hand Google five years of patients’ data from over a dozen hospitals — and won’t even say how much they’re being paid.

“If this is the sort of deal that [UK prime minister] Boris Johnson is going to encourage, then it’ll be catastrophic for public trust. Patients must know what is happening to their data, and be able to see exactly what sort of deals are being done to get it.”

Unlike DeepMind, which was on the back foot throughout 2016-17 following the Royal Free data governance scandal, Google Health has not committed to publish its contracts with NHS trusts.

So far its other contracts with NHS Trusts have not been released into the public domain. Though, presumably, if they have all been novated in the same way they’ll contain the same terms as were agreed with DeepMind.

Google has also disbanded the independent oversight board that DeepMind had established, claiming it’s not the right structure to oversee Google Health’s global focus. So there’s been a marked reduction in the level of transparency around what’s being done with patient data as contracts have moved over to the tech giant. Which hardly looks good from a patient trust point of view.

One thing is clear: Google’s ambitions for its now enlarged health division include seeking to apply artificial intelligence to health data for predictive and diagnostic purposes. This was also the intent of AI specialist DeepMind, which had early plans to reuse the Royal Free patient data for training AIs, though it claimed to have stepped back from doing so — once it realized additional regulatory clearances would be required.

This July, just prior to handing off its health division to Google, DeepMind and Google scientists published a research paper in which they detailed a deep learning model for continuously predicting the future likelihood of a patient developing a life-threatening condition called acute kidney injury (AKI), the same condition for which the Streams app currently generates alerts using an NHS algorithm.

DeepMind claimed the AI AKI model supports faster intervention, describing it as its “biggest healthcare research breakthrough to date”. However, the model was trained using U.S. patient data from the Department of Veterans Affairs that skews overwhelmingly male: 93.6%. So there are major caveats about how the AI model could be safely applied to other, less skewed, more diverse populations.

Google’s contract with Taunton states that patient data (should the company actually get any) can only be used for direct patient care purposes — so not for developing any software.

Nor, we must presume, for developing any AI models. Additional regulatory approvals would be required for such an experimental purpose which clearly would not fall under a ‘direct patient care’ umbrella.

At the same time the contract sketches the clearest picture yet of what Google has in mind with Streams: An app that’s already evolved in scope from a mobile wrapper for NHS algorithmic alerts to a broader task management and alerts app served via a Google-owned streaming FHIR API.

In a section of contract definitions, the “Streams: Task Management” software is defined as “a clinical task management and text based messaging platform provided in the form of a mobile software application”; while the “Streams: Mobile platform” is defined as a Class I non-measuring medical device provided in the form of a mobile app that can currently assess the real-time detection of AKI — and “which is extensible generally to (i) patient safety alerts, and (ii) real time detection and decision support to support treatment and avert clinical deterioration across a range of diagnoses and organ systems, including any new releases and/or new versions (including, without limitation, releases to include the development of functionality for vital signs entry and viewing and other aspects as set out in the Roadmap) provided as part of the Support Services”.

Within those broad parameters there is clearly scope for Streams to become the wrapper for delivering AI-powered alerts and decision support to clinicians at the hospital bedside.

Though — in the UK at least — there is a question mark over how Google could push AI down its FHIR pipe unless it can gain advance access to the necessary population-level data in order to train relevant AI models.

After all, it’s the NHS, not Google, which holds that sensitive personal information in trust for patients.

And as Sir John Bell said, after penning the UK government’s review of the life sciences sector a couple of years ago: “What Google’s doing in [other sectors], we’ve got an equivalent unique position in the health space. Most of the value is the data. The worst thing we could do is give it away for free.”