Earlier this month, the Wall Street Journal reported that 150 Google employees had access to data on tens of millions of patients without their knowledge. CNBC later reported, and the companies confirmed, that they had signed an industry-standard agreement that allows for some sharing of protected health information under the current health privacy rules, known as HIPAA, but forbids either company from using that data for any purpose but to provide patient care.
The intention for the project was to develop tools for Ascension's clinicians to more easily search the medical record, and it was part of a larger deal for Ascension to move to Google cloud and its G Suite of productivity apps.
But policymakers remain unconvinced by Google's stated intentions, and have asked for briefings by December 6 on exactly how the information is being stored in Google's cloud.
"Despite the sensitivity of the information collected through Project Nightingale, reports indicate that employees across Google, including at its parent company, have access to, and the ability to download, the personal health information of Ascension's patients," the letter reads.
Google, in a blog post and Q&A, acknowledged that some employees did have access to the information but stressed that it did not use the data for advertising purposes. The company has not disclosed anything further, and its internal health experts, including its chief health officer Karen DeSalvo and vice president of health David Feinberg, have stayed mum on the matter.
The disagreement comes as Google makes aggressive strides into the $3.5 trillion health sector, recently agreeing to acquire fitness tracker company and announcing a deal with Mayo Clinic. The medical industry is notoriously sensitive when it comes to privacy and security, and Google faces an uphill battle to prove that it can be trusted when it makes the bulk of its money through advertising, which relies on extensive use of customer data.
The Wall Street Journal’s Rob Copeland wrote that the data amassed in the program includes “lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, complete with patient names and dates of birth,” and that as many as 150 Google employees may have had access to the data.
Whether the company broke the law or not, some health privacy experts have called for a review of the policies under HIPAA that allow for companies to share health data without informing patients. There are loopholes that allow for health providers to not notify patients that they've shared their data. Others say that such data-sharing programs are commonplace in the medical industry, but Google is getting scrutinized to a far greater degree in part because the company is not trusted by the public.
A spokesperson from Google did not immediately return a request for comment.