A massive, secret data-sharing agreement that Google and health system Ascension entered into last year without explicit consent from patients and clinicians is arousing alarm from privacy advocates.

The fact that it may all be perfectly legal suggests that current privacy laws don't guard against data sharing practices that most people find just plain creepy.

"There's a disconnect between the laws we have created as a nation and our expectations of what those laws mean," Megan Doerr, principal scientist at Sage Bionetworks, who developed informed consent materials for NIH's All of Us research program, told POLITICO on Tuesday. "We expect things to be secret and they aren't."

Addressing the "ick factor" — uses of data that aren't illegal, but arouse discomfort — could be a difficult task for lawmakers, regulators and businesses attempting to set guidelines for health data sharing. Privacy legislation, including bills that address health information, has failed to move forward in Congress this session.

Google and Ascension's partnership, called Project Nightingale, lets the tech giant analyze tens of millions of patient records, including names, lab results, diagnoses and other elements of medical history, according to a Wall Street Journal report. Google later claimed the arrangement was legal, and Ascension asserted that Google's analyses could help clinicians predict patients' needs and treat them accordingly.

A Guardian story said a whistleblower from inside the arrangement leaked the deal out of concerns that it was violating patients' rights to informed consent and privacy.

But the Google-Ascension deal appears to be similar to many business associate agreements that allow health systems to share data with contractors that support their internal operations. Google is also working with the Mayo Clinic on diagnostic tools guided by artificial intelligence. Microsoft and the Cleveland Clinic have for years partnered to predict and monitor patients' health conditions.

HIPAA doesn't require — nor is it common practice for — health care providers to obtain explicit and separate consent from patients to share data with non-health care contractors, said Deven McGraw, who served as the lead privacy officer at HHS's Office for Civil Rights from 2015 to 2017. Requiring explicit consent from patients to share data with each company would "basically shut down health care," she said.

Having said that, health systems should be more transparent about their partnerships with large tech companies, she added. Public mistrust of tech has been growing in recent months, and the big tech companies are expanding their involvement in health care in ways that are not always as transparent as providers and patients might want or expect.

While Google mentioned its partnership in a recent earnings call, according to a blog post, Ascension and Google only published releases detailing the scope of the agreement following the Journal report Monday. It's a mistake not to talk about such deals, McGraw said.

"People don't like to be surprised about what happens with their health data and it's unfortunate," she said. "They've missed an opportunity to build trust."

The use of health data is governed by a complicated patchwork of privacy regulations that isn't often clear to patients. Under HIPAA, most business associate agreements allow the contractor to use identifiable data only to aid the health care system's internal operations, but many allow contractors to use deidentified data for their own purposes, McGraw said.

Google Cloud's president of industry products and solutions, Tariq Shaukat, said in the blog post that Ascension's data won't be used for "any other purpose than for providing these services we’re offering under the agreement." However, he didn't say just what is in the agreement, and Google spokespersons didn't respond to requests for more information. CNBC reported that some Ascension employees were concerned that not all of Google's tools complied with HIPAA.

Until privacy laws are changed to align with people's expectations of what can be done with their data, "We need to educate so people know that gap is there, so they can navigate it," Doerr said. "But until we change the rules, people need to be informed about where that gap is."

Congress is grappling with how to cover that gap. Several members have introduced federal privacy bills this session, though most focus on consumer data and leave HIPAA — which covers providers, insurers and their business associates — untouched. Only one bill, the Protecting Personal Health Data Act, S. 1842 (116), from Sens. Amy Klobuchar (D-Minn.) and Lisa Murkowski (R-Alaska), explicitly addresses health data gathered by consumer apps outside the traditional health system and therefore not covered by HIPAA.

Such data is likely to explode once HHS interoperability rules are released within the next few months.

Google and Ascension's partnership "isn’t the only one that raises serious privacy concerns," Klobuchar stated in response to a POLITICO query. Health tracking apps, the use of data from wearable devices, home DNA testing kits and other consumer devices have "very few rules of the road in place regulating how it is collected and used."

HHS is also reexamining federal privacy law. Last year, it issued a request for information on ways HIPAA could be modified to better facilitate care.

Mark Rothstein, a bioethicist at the University of Louisville School of Medicine, pointed out that Google researchers are reportedly able to view patients' names under the agreement. Asked why he thought the company didn't anonymize that information, he said it was "easier, cheaper, and they haven't thought that privacy is something they need to protect."