Project Nightingale Rouses New Chorus of Concern About Data Privacy


As soon as health care professionals start to think they have the challenges of data privacy under control, new questions and concerns arise. This time around, they are flooding in due to a new partnership called Project Nightingale, which involves Google and Ascension, the nation’s second largest health care system. The initiative has security experts, practitioners, legislators, and consumers seriously wondering whether this is the new way to care for patient populations or if it’s time for stricter personal health information protection laws.

What is Project Nightingale?

In short, Project Nightingale is a data storage and processing project involving Google Cloud and Ascension, a health care system that encompasses 2,600 hospitals, physicians’ offices, and other facilities in 21 states. The program gives Google access to roughly 50 million patients’ complete health history, including lab results, diagnoses, and hospitalization records. The data is stored on an Ascension-owned virtual private space, and Google is not permitted to use the data for marketing or research purposes.

Google hopes to design software that leverages artificial intelligence technology and machine learning to make suggestions in patients’ treatment plans. Additionally, Google aims to create a search tool that would aggregate patient data into a central location.

Meanwhile, Ascension hopes to create tools for physicians to access patient information more quickly. “In order to empower our caregivers to provide safer, more effective and efficient care 24/7, we are testing point-of-care tools for our clinicians to quickly have access to more complete and specifically tailored patient data,” Eduardo Conrado, the vice president of strategy for Ascension, said in a statement. “In the delivery of these capabilities, our patients’ records will continue to be securely protected in this enhanced ecosystem just as they are today and will be used only as necessary by a limited number of experts in the development of these tools so that we can provide better healthcare to those we serve.”

This partnership sounds groundbreaking, but it isn’t exactly unique – Amazon, Microsoft, and Apple are also moving into the health care industry, and Project Nightingale was announced two months after Mayo Clinic agreed to a 10-year partnership with Google that includes a provision for the corporation to serve as the clinic’s designated cloud provider. Nonetheless, Project Nightingale is the largest of such efforts to date.

Sound the Alarm

A November 2019 Wall Street Journal article raised some questions about Project Nightingale, observing that physicians and patients within Ascension’s network had not been notified of the project and that 150 Google employees had access to the data that the company was collecting. While Google clarified that all employees who had access to the data had also completed a medical ethics training and were explicitly approved by Ascension, data privacy concerns remained.

The U.S. Department of Health and Human Services’ Office of Civil Rights has opened an investigation into the partnership as well. At the same time, several legislators have issued statements expressing their concerns about Project Nightingale. The House Energy and Commerce Committee recently sent letters to both Google and Ascension, stating that the partnership “raises serious privacy concerns” and expressing doubts about Google’s track record when it comes to protecting consumer data.

Despite the hesitation felt by many people in the health care industry, Project Nightingale is perfectly legal and HIPAA-complaint. What’s more, collecting and using patient data to identify trends and improve outcomes is a key component of value-based care. The two companies signed a HIPAA business associate agreement that would enable Ascension to transfer patient data to Google Cloud while barring Google from using that data for any purposes other than providing services to Ascension. In exchange, Ascension can access any software or services that Google develops, such as a search tool that integrates into the electronic health record platform and collects all protected health information in one location.

The Future of Big Data in Health Care

At the end of the day, Project Nightingale will not be the only initiative that challenges our understanding and perception of how the worlds of big data and health care can merge safely and effectively. It is just one of the first significant examples, quickly reminding us how much people fear the potential of the unknown. However, if it is executed correctly, the value it can provide on a macro level will make it a litmus test for similar partnerships in the future.

All this activity is ultimately leading to more discussions about data privacy and HIPAA as well. And in many ways, that’s a good thing. We can never underestimate the importance of privacy when it comes to quality care. Patients should always feel comfortable sharing their health data with their practitioners, providers, and health plans. Otherwise, they may risk their long-term well-being by keeping critical details to themselves.

Looking forward, as population health is prioritized by payors and clinicians, more and more health technology companies are likely to turn to cloud services to capture, analyze, and share data more effectively. And as this trend continues to unfold, we all need to decide what role we want to play as physicians, facilities, software developers, and regulatory experts. It is up to us to dig into our research and ask thoughtful questions to arrive at a carefully crafted stance on the issue. Doing the work now is the only we can be at all prepared for the future.

We’re interested in hearing your thoughts on Project Nightingale and the intersection of big data and health care. Does it meet the needs of the marketplace or is it too high a price to pay?


Leave a Reply