Earlier this week, the Wall Street Journal reported that Google had struck a deal with the U.S.-based health system Ascension that gives the search giant access to the personal health information of millions of Americans.

While the arrangement may come equipped with a code name—Project Nightingale—and give more than 150 Google employees access to data such as patient names, lab results, hospitalization records and doctor diagnoses, it could actually wind up being pretty run of the mill as far as the Health Insurance Portability and Accountability Act (HIPAA) is concerned.

Of bigger concern may be the wider implications for laws surrounding patient consent and disclosure notifications, which may have to be reexamined as a growing list of tech companies that includes Microsoft and Amazon continues venturing into the medical industry.

"What you might see is there are more specific obligations to record disclosures and to provide patients more specific notice about who is getting their information," said Tatiana Melnik, an attorney and founder of Melnik Legal.

According to the Wall Street Journal, patients have not been alerted that Google has access to their personal health information, but neither notification nor de-identification of data is actually required within the context of what HIPAA defines as a "business associate agreement."

Elek Miller, an attorney with Drummond Woodsum, said that the parameters governing how the data included in such an arrangement is used largely come down to the individual terms hammered out between the health care provider and the business associate it's engaging.

"Generally speaking, under that agreement a business associate can largely make uses and disclosures of protected health information that the covered entity itself could make under the privacy rule," Miller said.

The Wall Street Journal noted that Google is using the personal health information to develop AI- and machine-learning-powered software that can "suggest changes" to an individual patient's care.

Per Matthew Fisher, partner with Mirick, O'Connell, DeMallie & Lougee, similar relationships between other health systems and tech consulting companies are not uncommon, since data is necessary to fuel the development of analytic tools.

"In terms of arrangements like this, they are happening every single day," Fisher said.

But commonality doesn't always equate to comfort. For instance, The Guardian published a report about an anonymous Project Nightingale whistleblower who posted a video to Dailymotion containing images of confidential documents from the initiative. Annotations overlaid on the documents suggested that Google could share the data with a third party or use it to create patient profiles used to advertise health care products.

However, HIPAA does provide some latitude for data sharing in the event that Google were to share the personal health information in question with a subcontractor while pursuing the terms of its original business agreement with Ascension.

Using that data for advertising purposes is a murkier proposition. Fisher thinks that an attempt by Google to leverage that information towards its own benefit would likely trip over marketing regulations absent patient or individual authorization. However, ads based upon services offered by Ascension may get a pass.

"While most marketing activities require authorization, there are certain limited activities such as advising individuals of services already offered by a [HIPAA] covered entity that are permissible without authorization," Fisher said.

But the name "Google" is always going to draw eyeballs and likely some concerns given the ongoing national conversation around privacy. The Wall Street Journal reported Tuesday that the Department of Health and Human Services' Office for Civil Rights had opened an inquiry into Project Nightingale "to ensure that HIPAA protections were fully implemented."

With other big names like Amazon and Microsoft wading further into the medical field, could data sharing restrictions be tightened?

Melnik of Melnik Legal actually thinks that the trend could move in the opposite direction, citing a push that's emerged over the last few years to loosen existing restraints on data sharing to provide more direct and on-demand health care services.

She does, however, believe there's a chance that more recourse will be put in place for patients to hold companies or health systems accountable when their data is improperly handled, since HIPAA doesn't include a private right of action.

"If you have patients that have an actual recourse, that gives companies more incentives to comply [with regulations]," Melnik said.