yesAndrea PetersonNone
×

Get access to Protocol

I’ve already subscribed

Will be used in accordance with our Privacy Policy

Politics

Verily's COVID-19 website becomes a health data privacy battleground

"These tools can be a helpful part of the solution during our ongoing public health emergency, but patient privacy shouldn't be sacrificed as a result," said Sen. Mark Warner.

San Mateo COVID-19 testing site

Verily's COVID-19 screening website, which helps determine whether users should go to a coronavirus testing location, has raised health data privacy concerns.

Photo: Justin Sullivan/Getty Images

Verily's COVID-19 screening website has prompted the latest dispute between Alphabet and policymakers over protecting health data.

Even as the tech giant has raced to help triage the crisis, lawmakers contacted by Protocol expressed concern about how the data the website collects might end up being used commercially and whether Verily is complying with privacy laws. More broadly, there's concern, shared by some experts, that the health privacy legislation that exists doesn't adequately account for how health data has evolved with new technology.

On Tuesday, a group of senators led by Bob Menendez, D-N.J., sent a letter to Verily asking for more details about what the company plans to do with data collected as part of its response to COVID-19. It's the second such letter the company has received from lawmakers regarding the site.

"First and foremost, all the data to be collected in this pilot program or any other related screening websites should remain confidential and must not be used for any commercial purposes in the future, and Verily should clearly state if the collected information is in compliance with the Health Insurance Portability and Accountability Act (HIPAA)," the lawmakers wrote.

The letter also argues that people "interested in accessing SARS-CoV-2 screening websites should not be required to create or sign in to a Google account (or any other email account) to access this critical health resource."

Asked about Verily's COVID-19 screening effort, Sen. Mark Warner, D-Va., told Protocol that he plans to fight for health data privacy provisions in the next economic stimulus package, which lawmakers are just beginning to negotiate.

"While technology can certainly help improve screening and potential contact tracing in some cases, I have serious concerns that certain companies are using this as an excuse to hoover up sensitive health data," Warner said. "I sought unsuccessfully to include health data privacy provisions in the 'COVID-3' legislation and hope that subsequent legislation will contain these important protections."

"These tools can be a helpful part of the solution during our ongoing public health emergency, but patient privacy shouldn't be sacrificed as a result," he said.

Verily launched a pilot site that helps people determine if people in parts of the Bay Area should seek COVID-19 testing last month. The pilot site immediately drew scrutiny from lawmakers, who quickly reached out to Alphabet with questions a few weeks ago.

Verily tried to assuage concerns in a response from CEO Andrew Conrad dated March 26, provided to Protocol by Menendez's office. People were required to use Google accounts to sign in because it "was built on Verily's preexisting Baseline platform to secure health information, and needed a reliable and secure means of user authentication for its site," Conrad wrote.

Google "does not have access to the data beyond its role to provide infrastructure, security services, data storage, website hosting, and other support functions," he wrote, saying that the company would be prohibited from using the information for commercial purposes or selling it to third parties.

However, that doesn't go far enough for Patient Privacy Rights founder Deborah Peel. Under the current setup, there's no oversight to prove that the company isn't using the data for commercial purposes or selling it to third parties, she told Protocol in an email.

The questions point to larger, industry-wide issues about just what is protected under current health privacy laws, particularly the oft-cited HIPAA.

"One critical distinction the policymakers are already thinking about is not everything for which … there should be health privacy protection is necessarily protected by HIPAA," said Leon Rodriguez, a health privacy lawyer who previously served as the director of the office of civil rights at the Department of Health and Human Services.

Conrad did not directly respond to a question about the site's HIPAA compliance; instead, in a long paragraph, he highlighted how the Baseline platform the COVID-19 site relies on "was built to securely manage personal health information and designed to follow applicable federal and state regulations governing the collection and use of an individual's data."

"Their answer is very wishy-washy," a Menendez aide told Protocol, describing why the second letter asked about HIPAA again.

"It'd be better if they just came out and said, 'We don't think HIPAA applies to us,' and then we could have a conversation about … maybe it should, or maybe it does and you're not complying."

"HIPAA's supposed to protect your personal health care information," the aide said, adding that if Verily answered the question point-blank, "then we can have a conversation … and that would inform our policy decisions."

The Baseline program's FAQ page explicitly says it is HIPAA compliant, but the FAQ for the COVID-19 site does not mention the law, instead saying that "Project Baseline follows federal and state regulations governing the collection and use of an individual's data" and information is stored "in advanced systems with security and privacy protocols."

Verily did not respond to an inquiry about HIPAA compliance for the COVID-19 site.

University of Virginia law professor Margaret Riley told Protocol in an email that Verily may not be a "covered entity" under HIPAA. Covered entities are typically health care providers, health plans or health information clearinghouses that are subject to specific privacy and security rules under HIPAA and must give users certain rights related to their health information.

Still, Riley said, "[Verily] does seem to have relationships with covered entities," which means there are likely business agreements that address data protection.

"Verily has informed consent/privacy agreements with the individuals who participate," Riley added. "Those seem to meet HIPAA requirements even if those HIPAA requirements are not technically applicable."

Peel argued that patients essentially lack substantive privacy rights to electronic health data even under HIPAA's current status quo due to a rules change made in 2002, which rescinded consent requirements for data transfer.

HIPAA now "guarantees that the data holders can do whatever they want with our health data," she told Protocol.

Google has long wrestled with how HIPAA applies to its work. In the first iteration of Google Health, a medical data project launched in 2008 and shuttered in 2012, the company was explicit that HIPAA did not apply.

"Google is not a 'covered entity' under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder ('HIPAA')," the terms of the program stated. "As a result, HIPAA does not apply to the transmission of health information by Google to any third party."

In 2013, facing the questions raised as large tech companies including Google and Amazon partnered with health providers to store data in the cloud, the Department of Health and Human Services issued new rules that bound cloud vendors to more oversight under HIPAA. The arrangement today mainly leaves the onus on Google's business associates to certify their HIPAA compliance.

Even before this pandemic, Alphabet's more recent health-related ventures raised eyebrows on Capitol Hill, especially last November after reports that the company would gain access to millions of people's health records through a partnership with health care provider Ascension. The Department of Health and Human Services' Office for Civil Rights is also investigating the arrangement.

Also last year, Sens. Amy Klobouchar, D-Minn., and Lisa Murkowski, R-Alaska, introduced the Protecting Personal Health Data Act, which would require the Department of Health and Human Services to work with the Federal Trade Commission to issue new rules about health data.

Verily isn't the only tech company building screening tools to fight the coronavirus crisis, and concerns about health privacy are likely to extend beyond Alphabet amid the outbreak.


Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.


For example, Menendez's office told Protocol it's looking into Apple's recently launched a screening website that allows users to list their symptoms to see if they need to get tested. The landing page for Apple's tool pledges "Apple is not collecting your answers from the screening tool … The information collected will not personally identify you."

In response to a request for comment, Apple pointed Protocol to its original announcement, which specifies that the website does not require any "sign-in or association with a user's Apple ID."

Microsoft wants to replace artists with AI

Better Zoom calls, simpler email attachments, smart iPhone cases and other patents from Big Tech.

Turning your stories into images.

Image: USPTO/Microsoft

Hello and welcome to 2021! The Big Tech patent roundup is back, after a short vacation and … all the things … that happened between the start of the year and now. It seems the tradition of tech companies filing weird and wonderful patents has carried into the new year; there are some real gems from the last few weeks. Microsoft is trying to outsource all creative endeavors to AI; Apple wants to make seat belts less annoying; and Amazon wants to cut down on some of the recyclable waste that its own success has inevitably created.

And remember: The big tech companies file all kinds of crazy patents for things, and though most never amount to anything, some end up defining the future.

Keep Reading Show less
Mike Murphy

Mike Murphy ( @mcwm) is the director of special projects at Protocol, focusing on the industries being rapidly upended by technology and the companies disrupting incumbents. Previously, Mike was the technology editor at Quartz, where he frequently wrote on robotics, artificial intelligence, and consumer electronics.

People

Google's union has big goals — and big roadblocks

Absence of dues, retaliation fears and small numbers could pose problems for the union's dream of collective bargaining, but Googlers are undeterred.

Recruiting union members beyond the early adopters has had its challenges.

Photo: David Paul Morris/Getty Images

When the Alphabet Workers Union launched with more than 200 Googlers at the beginning of the year, it saw a quick flood of new sign-ups, nearly quadrupling membership over a few weeks. But even with the more than 710 members it now represents, the union still stands for just a tiny fraction of Google's more than 200,000 North American employees and contractors. The broader Alphabet workforce could prove difficult to win over, which is a hurdle that could stand in the way of the group's long-term ambitions for substantive culture change and even collective bargaining.

The initial boom of interest from Googlers was thrilling for Alex Peterson, a software engineer and union spokesperson. "It's really reinvigorating what it means to actually be a community of Googlers, which is something that's been eroding over the past four or five years, or even longer."

Keep Reading Show less
Anna Kramer

Anna Kramer is a reporter at Protocol (@ anna_c_kramer), where she helps write and produce Source Code, Protocol's daily newsletter. Prior to joining the team, she covered tech and small business for the San Francisco Chronicle and privacy for Bloomberg Law. She is a recent graduate of Brown University, where she studied International Relations and Arabic and wrote her senior thesis about surveillance tools and technological development in the Middle East.

The current state-of-the-art quantum computers are a tangle of wires. And that can't be the case in the future.

Photo: IBM Research

The iconic image of quantum computing is the "Google chandelier," with its hundreds of intricately arranged copper wires descending like the tendrils of a metallic jellyfish. It's a grand and impressive device, but in that tangle of wires lurks a big problem.

"If you're thinking about the long-term prospects of quantum computing, that image should be just terrifying," Jim Clarke, the director of quantum hardware at Intel, told Protocol.

Keep Reading Show less
Dan Garisto
Dan Garisto is a freelance science journalist who specializes in the physical sciences, with an emphasis on particle physics. He has an undergraduate degree in physics and is based in New York.
Election 2020

Google says it’s fighting election lies, but its ads fund them

A new report finds that more than 1,600 brands, from Disney to Procter & Gamble, have advertisements running on sites that push pro-Trump conspiracy theories. The majority of those ads are served by Google.

Google is the most dominant player in programmatic advertising, but it has a spotty record enforcing rules for publishers.

Photo: Alex Tai/Getty Images

Shortly after November's presidential election, a story appeared on the website of far-right personality Charlie Kirk, claiming that 10,000 dead people had returned mail-in ballots in Michigan. But after publishing, a correction appeared at the top of the story, completely debunking the misleading headline, which remains, months later, unchanged.

"We are not aware of a single confirmed case showing that a ballot was actually cast on behalf of a deceased individual," the correction, which quoted Michigan election officials, read.

Keep Reading Show less
Issie Lapowsky
Issie Lapowsky (@issielapowsky) is a senior reporter at Protocol, covering the intersection of technology, politics, and national affairs. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University’s Center for Publishing on how tech giants have affected publishing. Email Issie.
People

Google’s productivity guru has some advice for you

Here's how Laura Mae Martin helps Google's top execs work smarter.

Laura Mae Martin, Google's executive productivity adviser, works one-on-one with the company's top brass.

Image: Google

If productivity were a product at Google, then Laura Mae Martin would be its product manager.

She's Google's executive productivity adviser, a job she created following a successful 20% project about managing inboxes that she debuted while working in keyword sales. As the company's top expert on productivity, her remit seems simple enough: Make Googlers more efficient in their day-to-day work lives. But in practice, that means working directly with the top executives of a trillion-dollar company to make some of tech's most sought-after talent better at what they do.

Keep Reading Show less
Kevin McAllister

Kevin McAllister ( @k__mcallister) is an associate editor at Protocol, leading the development of Braintrust. Prior to joining the team, he was a rankings data reporter at The Wall Street Journal, where he oversaw structured data projects for the Journal's strategy team.

Latest Stories