This breadth of access wasn’t always spelled out by hospitals and tech giants when the deals were struck.
The scope of data sharing in these and other recently reported agreements reveals a powerful new role that hospitals play—as brokers to technology companies racing into the $3 trillion health-care sector. Rapid digitization of health records in recent years and privacy laws enabling companies to swap patient data have positioned hospitals as a primary arbiter of how such sensitive data is shared.
“Hospitals are massive containers of patient data,” said Lisa Bari, a consultant and former lead for health information technology for the Centers for Medicare and Medicaid Services Innovation Center.
Hospitals can share patient data as long as they follow federal privacy laws, which contain limited consumer protections, she said. “The data belongs to whoever has it.”
Microsoft and Providence, a Renton, Wash., hospital system with data for about 20 million patient visits a year, are developing cancer algorithms by using doctor’s notes in patient medical records. The notes haven’t been stripped of personally identifiable information, according to Providence.
And an agreement between IBM and Brigham and Women’s Hospital, in Boston, to jointly develop artificial intelligence allows the hospital to share personally identifiable data for specific requests, people involved in the agreement said—though so far the hospital hasn’t done so and has no current plans to do so, according to hospital and IBM officials.
Microsoft executive Peter Lee in July described how his company would use Providence patient data without identifying information for algorithm development. In a December statement, he said patients’ personal health data remains in Providence’s control and declined to comment further.
B.J. Moore, Providence’s chief information officer, said executives involved in that agreement at first planned to use data without information identifying patients; later they found they couldn’t remove it all from doctors’ notes. “It was not intended to mislead,” he said.
Brigham and Women’s announced a 10-year agreement with IBM in February 2019. David Westfall Bates, the hospital’s chief of general internal medicine and primary care, said last year that initial work would use data stripped of names and other identifying details. In December, Dr. Bates said he hasn’t publicly commented on IBM’s ability to access identifiable data but Brigham and Women’s would follow federal privacy rules should it do so.
“Responsible data stewardship is core to our mission,” an IBM spokeswoman said.
The Fred Hutchinson Cancer Research Center, in Seattle, granted certain Amazon Web Services employees access to health information that identifies individual patients, a Fred Hutchinson spokesman said. The Hutch, a research institution with ties to hospitals, trained and tested Amazon Web Services software designed to read medical notes.
An AWS spokeswoman said it doesn’t use personally identifiable data protected under federal privacy laws to develop or improve its services.
Digitizing patients’ medical histories, laboratory results and diagnoses has created a booming market in which tech giants are looking to store and crunch data, with potential for groundbreaking discoveries and lucrative products.
There is no indication of wrongdoing in the deals. Officials at the companies and hospitals say they have safeguards to protect patients. Hospitals control data, with privacy training and close tracking of tech employees with access, they said. Health data can’t be combined independently with other data by tech companies.
But recent revelations that Alphabet Inc.’s Google has the ability to tap personally identifiable medical data about patients, reported by The Wall Street Journal, has raised concerns among lawmakers, patients and doctors about privacy.
The Wall Street Journal also recently reported that Google has access to more records than first disclosed in a deal with the Mayo Clinic. Mayo officials say the deal allows the Rochester, Minn., hospital system to share personal information, though it has no current plans to do so. “It was not our intention to mislead the public,” said Cris Ross, Mayo’s chief information officer.
Dr. David Feinberg, head of Google Health, said Google is one of many companies with hospital agreements that allow the sharing of personally identifiable medical data to test products used in treatment and operations. The companies typically don’t disclose their use of such data, Dr. Feinberg said. “We didn’t hide it.”
Amazon, Google, IBM and Microsoft are vying for hospitals’ business in the cloud storage market in part by offering algorithms and technology features. To create and launch algorithms, tech companies are striking separate deals for access to medical-record data for research, development and product pilots.
The Health Insurance Portability and Accountability Act, or HIPAA, lets hospitals confidentially send data to business partners related to health insurance, medical devices and other services. The law requires hospitals to notify patients about health-data uses, but they don’t have to ask for permission.
Data that can identify patients—including name and Social Security number—can’t be shared unless such records are needed for treatment, payment or hospital operations. Deals with tech companies to develop apps and algorithms can fall under these broad umbrellas. Hospitals aren’t required to notify patients of specific deals.
“The patient doesn’t have absolute control. They don’t have much control,” said Ellen Wright Clayton, a Vanderbilt University biomedical ethics professor.
Under HIPAA, hospitals must divulge as little as possible about patients under agreements. But in some cases, the minimum amount needed by tech companies can be everything in patients’ records.
Ascension, a Catholic chain with 150 hospitals across 20 states and the District of Columbia, is testing whether Google’s technology can accurately search and retrieve all information for a single patient—a widely known challenge that frustrates doctors and patients.
“By definition this means that the ’minimum’ necessary dataset for the creation of this capability is the entire longitudinal health-care record” for each patient, said Eduardo Conrado, Ascension’s chief strategy and innovations officer.
Hospitals involved in the deals say data use is reviewed by research-ethics review boards or data-use committees, which can include compliance, law, tech, medicine and other experts.
Mayo’s data team will vet future data requests for projects with Google, probing how much data to share, said Mayo’s Lois Krahn, a data-team member. “We are a tremendously cautious and conservative organization,” she said.
Hospitals also stand to gain financially from some deals. Tech companies’ agreements with Providence, Mayo, and Brigham and Women’s include intellectual property rights for hospital contributions to new products.
Some hospitals are saying no to tech agreements.
“We’re not giving anyone data,” said Jim Beinlich, chief data information officer for Penn Medicine, the University of Pennsylvania health system. Penn Medicine halted a possible research pilot with Microsoft in response to public concern over Ascension’s Google deal. Hospital executives are drafting policies, such as how to tell patients about data sharing.
“We don’t have all the rules of the road written down,” he said.