Having said that, my job in the healthcare IT world is building interfaces, i.e. facilitating the transfer of health data from one system to another. Most likely what's going on here is Google and Ascension have a project together, and part of that project is either an interface or a data dump from Ascension to Google for the purposes stated in the article. I haven't read all the information, but generally the data will be "de-identified", which some interpret as sufficient to avoid HIPAA violations.

Neither company is small or ignorant; they both had their lawyers look at the contract and they signed off on it. So either the lawyers at both companies are mistaken or mislead, or somewhere after the initial scoping the scope changed (which, btw, happens all the time) and nobody updated legal or felt the need to update management or raise a concern

And that's concerning, regardless of which option it is. Either the legal teams at both companies are ill-informed or outright ignorant (perhaps intentionally), or there are no checks -- and no responsible project managers -- in place to prevent this from occurring. Somewhere along the line, someone should have suggested that this was perhaps not cool, and taken the issue up the chain of command. Most healthcare companies have a well established process in place for that, and I can't believe either of these would be different in that respect.