Recently, many people were surprised by a Wall Street Journal report announcing tech giant Google was working with Ascension, the nation’s second-largest healthcare system. While some patients were flabbergasted by the possibility that their personal medical data could be transferred to a third party, others wondered about the legality of the practice as a whole.
As a medical provider, it is important to fully comprehend why this partnership could change how we handle medical data and what it means to your patients individually. After all, many might ask you questions about how you’re handling their private information at your clinic, and you want to be prepared for these types of inquiries. Here are a few things you need to know about Google’s partnership with Ascension and how it affects medical privacy laws.
What is Project Nightingale?
Project Nightingale is the code name for the under-the-radar partnership between Google and Ascension. Essentially, the medical data of tens of millions of patients within the healthcare system was voluntarily given to the tech company last year in a so-called effort to improve patient care.
According to sources, the project is designed to help create a software platform for Ascension that can suggest individualized treatment plans, tests, and procedures utilizing artificial intelligence (AI) features. Google is reportedly doing the work for free in an effort to create a system that could later be sold to other healthcare systems or marketed as an option for smaller clinics and practices.
In the long run, this could mean big changes for healthcare as a whole. As we start to incorporate these high levels of technology, the ability to treat patients in a much more comprehensive manner becomes easier and more effective. Essentially, the benefits garnered from this type of technological advance could ultimately lead to earlier detection and save lives on a larger scope. Which, as we all know, is why medical providers do what they do in the first place.
How the Partnership Falls Under HIPAA Compliance
The scope and breadth of Project Nightingale have consumer protection advocates alarmed. The truth of the matter is that everything about this Ascension and Google partnership is completely legal. Why? Because the project is being done free of charge and as a business partnership, it is considered legal under current patient privacy laws.
In fact, HIPAA allows medical providers to share patient data with business associates as long as there’s a specific reason. For example, sharing patient information with a third-party billing provider or a medical data cloud software system is completely within the legal boundaries. And this is where Project Nightingale falls in place.
With all of that said, you might be surprised to learn that the laws that allow this to happen are the same ones that give you the ability to work with a third-party business partner to outsource certain administrative tasks, such as billing.
What This Means for Your Clinic and Patients
So, what does this all mean for your clinic and patients? At this point, nothing, unless public outcry requires an additional push for clarification of data sharing with business associates in HIPAA regulations. While we haven’t seen anything as large as Project Nightingale in the past, the truth is providers have shared patient data with third-party vendors for years and that isn’t likely to change anytime soon.
If patients ask about the sharing of data, it is important to reiterate that what Google and Ascension are doing is fully within the boundaries of medical privacy laws. However, take time to answer any questions they have about how your particular practice protects sensitive information and your dedication to keeping their personal details safe.
Best Practices for Working with a Third-Party Business Partner
That said, it’s also vital to utilize a few best practices should you opt to work with a third-party business partner for your practice. A few great tips include:
- Ask questions about the company’s track record for data security. Have they ever had a breach that had to be addressed with patients? Do they have a plan for ongoing periodic assessments of data security?
- Have a plan for the transfer of all sensitive patient information. Sometimes the third-party associate needs access to critical information in order to get their job done. That’s why it is important to have a plan for this. Will the associate simply log in to an existing electronic health record system, or is there a transfer of information via cloud or email that must take place?
- Determine how the company’s employees have access to data and what they are able to do with it. Many personal information breaches happen at a lower level, such as an employee leaving a screen open while they run to the break room for a cup of coffee. Understanding your third-party partner’s plan for helping employees keep data safe is essential.
The bottom line? If you’re concerned about privacy laws and patient information, it is vital that you communicate clearly with your third-party associate. Make sure to ask plenty of questions about how they operate and any specific steps they take to remain in compliance. Remember, should a data breach occur, these are your patients and you could be on the hook for fines or loss of patient trust.
M-Scribe and Patient Data
Of course, M-Scribe takes patient privacy very seriously. As a leading medical billing provider, we typically don’t have access to a great deal of sensitive information, such as chart notes or test results. But the data we do have access to is kept securely and never sold or transferred to another organization. In addition, we take many precautions to ensure the information we do encounter is secure.
Are you ready to learn more about how M-Scribe Medical Billing Services can help you reduce billing errors while keeping your data safe? Our team is ready to answer any questions you might have. Please give us a call at 770-666-0470 for more information.