>What about patient data? All of Google’s work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and comes with strict guidance on data privacy, security and usage. ... To be clear: under this arrangement, Ascension’s data cannot be used for any other purpose than for providing these services we’re offering under the agreement, and patient data cannot and will not be combined with any Google consumer data.
When there's an obvious breach, hopefully. How would we even know if Google were abusing this data though? Does anyone have access to it besides Google? Are we literally asking Google to regulate itself with this data?
EDIT: I guess I don't understand. Once we give Google the sensitive information, how do we have any way of knowing what they do with it? I'm guessing an audit on all of Google's data is out of the question.
The point of this article is that a whistleblower is saying "they're not controlling access properly".
While the Grauniad is trying to spin it to sound worse, the whole point is Google are providing data processing services to a valid HIPAA processor via Google Cloud, not that they nefariously bought the data to integrate it with the search results.
Much like health data stored on AWS with a dedicated internal project team could be accessed by "Amazon" staff. It's kinda the point: the Google staff have been brought in to help manage the data.
Your point is valid, but I think there was a mis-read or mis-statement. The parent comment probably should have addressed the difficulty of enforcing such provisions.
> Does anybody enforce this or do we just take Google at their word?
Yes, the DHHS Office of Civil Rights enforces HIPAA Privacy and Security rules. That enforcement is reactive, and there is no independent regular compliance certification or monitoring required, which is a weakness, but the fact that detection of a violation can lead to personal as well as institutional penalties, and that those penalties are criminal as well as civil, means it's not a risk that decision-makers tend to be willing to take on just because it would (so long as undetected) provide a business opportunity.
They have the job of doing so for the whole healthcare industry; and certainly have the authority. Capability is a question I'm less comfortable answering, but I would say that I see no evidence that they have a Google-specific problem in that regard. There is definitely a lot that could be done to improve enforcement capacity in the health data privacy and security space, and that's definitely something that should be pursued independently of whether some firms choose Google as BA.
No you don’t, there are fines if you are found in violation but no one is checking on an ongoing basis. Specific entities may privately pay for audits or do so as part of certifications (HiTrust, etc) but that’s not required.
The dept of HHS requires any organization with HIPAA business associate status to regularly undergo audits.
Can you fly under the radar and potentially get away with not doing it? Of course, anything is possible. Could a multibillion dollar internet organization beholden to shareholders and under public scrutiny get away with it? Not likely.
>The dept of HHS requires any organization with HIPAA business associate status to regularly undergo audits.
Can you provide a link to this requirement? The HIPAA/HITECH laws provide no requirements for an external audit (and self-audits aren't actually audits) and the HHS, as far as I know, only does small sample random audits unless a complaint was made.