Privacy concerns raised about Google's HCA Healthcare patient data deal

What happened

HCA Healthcare, a major US hospital chain, entered into a partnership with Google Cloud that allowed the tech giant access to patient records from over 180 hospitals and 2,000 healthcare sites. 

The collaboration aimed to enhance operational efficiencies and develop algorithms for patient monitoring and medical decision-making.

However, similar to Google’s Project Nightingale, privacy advocates raised concerns that sensitive patient data could be monetised or misused by the technology company, despite the data having been anonymised.

Concerns were also expressed about the security of patient data, given a spate of high-profile ransomware attacks in the months leading up to the announcement of the deal. 

US healthcare privacy laws permit hospitals to share information with suppliers, and allow researchers to analyse patient data without their permission. Healthcare companies can then use that information however they want.

Why it happened

Part of a broader digital transformation strategy within HCA Healthcare that intends to improve clinical workflows and patient care through data analytics, the partnership was initiated to leverage HCA's extensive data from approximately 32 million annual patient encounters to create advanced decision support tools for healthcare providers. 

However, Google's business model and seemingly insatiable appetite for personal data to feed its various businesses, notably search engine advertising, raised concerns about what it would do with highly sensitive third-party health data.

Furthermore, existing US healthcare privacy laws permit such data sharing under certain conditions, leading to concerns about the adequacy of these regulations in protecting patient privacy.