The US Department of Health and Human Services has launched an inquiry into Google's partnership with giant US Catholic healthcare non-profit Ascension.
The healthcare deal is a major win for Google's cloud business, Google Cloud, but it has immediately raised concerns over the level of access Google will have to patient data.
Ascension, a faith-based healthcare provider, operates 2,600 healthcare centers, including 150 hospitals and 50 aged care centers, across 20 states and DC.
SEE: 60 ways to get the most value from your big data initiatives (free PDF)
The Wall Street Journal earlier this week reported that Ascension will be sharing complete patient health records, including lab results, diagnoses, and hospitalization records – as well as patient names and dates of birth – with Google.
The healthcare data on tens of millions of patients can reportedly be accessed by 150 Google employees under what the two organizations call Project Nightingale.
News of the deal has caught the attention of Department of Health and Human Services' Office for Civil Rights.
The regulator told the paper on Tuesday that it had launched an investigation that "will seek to learn more information about this mass collection of individuals' medical records to ensure that [the Health Insurance Portability and Accountability Act of 1996 or HIPAA] protections were fully implemented".
HIPAA is the US federal law governing the security and privacy of certain medical information. HIPAA allows hospitals to share data with business partners, without gaining the consent of patients or doctors, if it's for the purpose of improving healthcare services.
Google Cloud, which announced the deal on Monday, has now updated its blogpost with an FAQ about the arrangement.
Google says Project Nightingale is nothing more than a codename that Ascension and Google are using for the project. The code name is probably a nod to Florence Nightingale, a 19th century equivalent of today's data scientist who pioneered statistical methods during the Crimean War of the 1850s to improve hygiene and healthcare at hospitals.
Google says the deal is not a secret and that Google CEO Sundar Pichai flagged its partnership with Ascension in its Q2 earnings call in July. Pichai was informing investors about Google Cloud wins using artificial intelligence and machine learning to tackle the healthcare sector, which AWS and Microsoft are also targeting with cloud-based AI products.
"Google Cloud's AI and ML solutions are helping healthcare organizations like Ascension improve the healthcare experience and outcomes," Pichai said.
Google contends that the partnership with Ascension is compliant with HIPAA rules.
"We believe Google's work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and comes with strict guidance on data privacy, security, and usage," Google said in its FAQ.
And it offered a few points about how it's ensuring the privacy of patient data uploaded by Ascension to Google Cloud.
SEE: Google forges cloud, data deal with major US health organization
Google notes that the data is "logically siloed", meaning it is not kept on physically separate servers but "housed within a virtual private space and encrypted with dedicated keys".
AWS has previously argued its case for logical separation being superior to physical separation as part of its compliance with the US Department of Defense's requirement for physical separation in the cloud.
Google emphasizes that the data is not used to sell ads. "Patient data remains in that secure environment and is not used for any other purpose than servicing the product on behalf of Ascension. Specifically, any Ascension data under this agreement will not be used to sell ads."
It's also keeping logs of anyone who accesses Ascension data and says the systems Google Cloud is using for the Ascension partnership are subject to external audits for compliance with ISO 27001 certification.
According to Google, Ascension approved Google employees to handle health data because the data is "very complex and non-standardized", which means "we need to configure and tune our processing systems to ensure correct product operations and patient safety".