The coming fight over who controls digital health data

Spending for consumer digital healthcare companies is set to explode in the next few years; the Office of the National Coordinator for Health Information Technology is currently reviewing the requirements for data sharing with the Department of Health and Human Services, and their initiatives will unlock a wave of data access never before seen in the U.S. healthcare system.

Already, startups and large technology companies are jockeying for position over how to leverage this access and take advantage of new sensor technologies that provide unprecedented windows into patient health.

Venture capital investors are expected to invest roughly $50 billion in approximately 4,500 startups in the healthcare industry, according to data from CB Insights. In all, there have been 3,409 investments made in the healthcare market through the third quarter of 2019, with 31% of those deals done in what CB Insights identifies as digital health companies.

The explosion of data is unprecedented and already companies like Apple and Google are jockeying for control over how that data will be served up to healthcare practitioners and patients.

Chart courtesy of CB Insights

Apple and Google are setting out two divergent paths for handling patient data. For patient advocates, there’s a clear winner, and as startups look to play in these emerging ecosystems, it’s what the patient wants that may matter most.

The second that this data hits those shiny Silicon Valley apps, instead of being under HIPAA that’s covered, you become a user and you have no rights,” says one patient advocate. 

Last week, after reports in The Wall Street Journal and The New York Times, Google confirmed the details of a partnership with religiously-affiliated hospital and assisted living network, Ascension, a deal that involved the movement of millions of patient records into Google’s infrastructure.

The Alphabet subsidiary had first announced the agreement in its July earnings call, but the precise details of its work with the hospital records of Ascension patients were undisclosed until a more detailed description of the project was leaked by a whistleblower.

Google was not only moving patient records onto its cloud infrastructure, but was also developing tools to “help Ascension’s doctors and nurses more quickly and easily access relevant patient information, in a consolidated view,” the company confirmed in a blog post.

For the source of the Journal’s reporting, there were too many pieces of information about the project that both the Google engineers who were working on “Nightingale” and the doctors and patients in the Ascension healthcare system were kept in the dark about.

As the whistleblower wrote in a Guardian editorial late last week:

With a deal as sensitive as the transfer of the personal data of more than 50 million Americans to Google the oversight should be extensive. Every aspect needed to be pored over to ensure that it complied with federal rules controlling the confidential handling of protected health information under the 1996 HIPAA legislation.

Working with a team of 150 Google employees and 100 or so Ascension staff was eye-opening. But I kept being struck by how little context and information we were operating within.

What AI algorithms were at work in real time as the data was being transferred across from hospital groups to the search giant? What was Google planning to do with the data they were being given access to? No-one seemed to know.

Above all: why was the information being handed over in a form that had not been “de-identified” – the term the industry uses for removing all personal details so that a patient’s medical record could not be directly linked back to them? And why had no patients and doctors been told what was happening?

I was worried too about the security aspect of placing vast amounts of medical data in the digital cloud. Think about the recent hacks on banks or the 2013 data breach suffered by the retail giant Target – now imagine a similar event was inflicted on the healthcare data of millions.

Google insists that no patient data is being used to sell ads, or being coupled with either its own consumer data or data from other customers it may be working with in healthcare (a list that includes the Cleveland Clinic, Hunterdon Healthcare, and McKesson).

However, Google’s handling of patient data — through its own work with other partners and through DeepMind Health (a division of a Google spinout which the search giant recently acquired) — has been controversial.

In 2018, the search giant’s work with the U.K.’s National Health Service was criticized for not adhering to data governance standards and potentially breaking the law. And, earlier this year, Google was sued for allegedly mishandling patient data by including too much potentially identifiable patient information used in a study conducted by the University of Chicago Medical Center, Google, and the University of Chicago.

In each instance, Google insisted that it followed all appropriate regulations, but the problem that the company faces is growing concern from a new crop of lawmakers and concerned consumers that the regulations which exist on the books are no longer appropriate.

Technology is coming for healthcare data

The news of Google’s work with Ascension and the concerns it has raised among consumers is just one example of the company’s broader efforts to capture more of the multi-trillion dollar healthcare market.

Google kicked off November with a $2.1 billion bid for Fitbit — a deal that would potentially put an incredible amount of currently unregulated consumer health data squarely under the magnifying glass of Google’s mammoth data analysis tools.