Despite the existence of the 1996 Health Insurance Portability and Accountability Act (HIPAA), its complexity and shortcomings often cause confusion about where and how it should be applied in the healthcare sector. HIPAA protects the privacy and security of patient health information in both physical and electronic formats. It requires compliance from healthcare facilities, insurance companies, and other similar firms that may have access to protected patient data in the course of their work.
Because the safeguards for data security and protection are far from perfect, there have been several cases of patient information breaches, some resulting in costly settlements. One of the more famous cases was lodged against technology giant Google and UChicago Medical Center in 2019. In 2020, Judge Rebecca Pallmeyer of the US District Court, Northern District of Illinois, Eastern Division, dismissed the case, holding that the complainant had failed to establish that he incurred damages as a consequence of the patient information sharing.
Here’s a look back on the salient points of the complaint, with a quick overview of the lawsuit.
Four years ago, Google announced that it had partnered with UChicago Medicine to explore how machine learning could produce better predictions about a patient’s health. The tech company has also formed similar partnerships with other entities, such as Stanford Medicine and the University of California.
To produce better projections, the research was to use medical records that had been ‘de-identified.’ This means specific data elements had been removed from the electronic health records so that the records no longer carried personally identifiable data, in order to comply with security rules.
The learning institution’s medical arm has apparently developed its own algorithm, called eCART, which is used to predict cardiac arrest in adult patients. The partnership aims to expand on this work, with Google looking for ways to refine the core of the program and make it applicable across the healthcare sector through better predictive analysis using artificial intelligence.
By definition, personally identifiable data is any information that, used alone or in conjunction with other data, can help identify a person. It can be classified into direct identifiers, such as a person’s phone number and social security number, and quasi-identifiers, such as an individual’s race and gender.
According to HIPAA Exams, a patient’s name, identifiable numbers, home address, and contact numbers should be protected at all times. Protection also extends to information relating to a person’s economic status and medical history.
In June 2019, a class action was initiated by Matt Dinerstein against UChicago and Google based on allegations of questionable data-sharing practices. Dinerstein was a former patient of UChicago Medical Center who was admitted on two occasions in June of 2015.
The complaint alleged that the partnership between UChicago and Google violated HIPAA, which requires healthcare entities to limit who can view, access, or share patient data. Under the partnership, UChicago allegedly shared thousands of de-identified patient records with Google to help improve the tech giant’s predictive analytics. These records included timestamps for the dates of admission and discharge, along with clinician notes. The complaint claimed that leaving the dates in place violated HIPAA rules, since Google could still use them, together with other software, to establish patients’ identities.
Based on HIPAA, the complaint accused UChicago of having breached its privacy contract with its patients by failing to keep patient data ‘private and confidential.’ By allowing Google to obtain access to patients’ electronic health records, the partnership between UChicago and Google was alleged to be in violation of the patient privacy rights protected under HIPAA.
Furthermore, UChicago was accused of consumer fraud and deceptive business practices for disclosing confidential patient information to Google. As claimed in the complaint, plaintiff Dinerstein had never expressly consented to the sharing of his information for financial gain.
Under HIPAA, healthcare facilities are allowed to share patient records as long as the information is ‘de-identified,’ that is, stripped of personally identifiable information (PII). Apart from names and social security numbers, PII may also include admission and discharge dates.
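The date problem at the centre of the complaint can be checked mechanically. Under HIPAA’s Safe Harbor de-identification method, dates directly related to an individual (birth, admission, discharge, death) must be reduced to the year alone, and dates buried in free-text clinician notes count as well. The following is an added illustration, not code from the case or from either party, run over constructed sample records (not data from the lawsuit); the field names are assumptions.

```python
import re

# Constructed sample records resembling the structured EHR fields described in
# the article: names already removed, but full admission/discharge timestamps and
# a dated clinician note left in place (record A1). Record A2 is already year-only.
SAMPLE_RECORDS = [
    {"patient_id": "A1", "admission": "2015-06-03T14:22:00",
     "discharge": "2015-06-07T09:10:00", "dob": "1971-02-14",
     "note": "Pt reports chest pain on 06/03/2015."},
    {"patient_id": "A2", "admission": "2015", "discharge": "2015",
     "dob": "1980", "note": "Stable, discharged."},
]

# Safe Harbor date elements (subset of the 18 identifiers): only the year may stay.
DATE_FIELDS = ("admission", "discharge", "dob", "death")
YEAR_ONLY_RE = re.compile(r"^\d{4}$")
# Dates written as MM/DD/YYYY or YYYY-MM-DD inside narrative text.
FULL_DATE_RE = re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b")


def find_date_violations(record):
    """Return the fields that still carry more than a year (empty list if clean)."""
    problems = []
    for field in DATE_FIELDS:
        value = record.get(field)
        if value is not None and not YEAR_ONLY_RE.match(str(value)):
            problems.append(field)
    # Free-text notes are a second leakage path for the same identifier.
    if FULL_DATE_RE.search(record.get("note", "")):
        problems.append("note")
    return problems


def generalize_to_year(value):
    """Collapse a date or timestamp string to its four-digit year."""
    match = re.search(r"\d{4}", str(value))
    return match.group(0) if match else "[REDACTED-DATE]"


def deidentify_dates(record):
    """Return a copy of the record with Safe Harbor date handling applied."""
    out = dict(record)
    for field in DATE_FIELDS:
        if field in out:
            out[field] = generalize_to_year(out[field])
    out["note"] = FULL_DATE_RE.sub("[DATE]", out.get("note", ""))
    return out
```

Running `find_date_violations` before release would have flagged the admission and discharge timestamps the complaint singled out; the check is a floor, not a full Safe Harbor review, which also covers names, geography, ages over 89 and the other listed identifiers.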
The University of Chicago denied the allegations and said the claims presented in the lawsuit were ‘without merit,’ insisting that the institution had complied with the laws and regulations applicable to patient privacy. It claimed the partnership followed the same procedures used by Google’s other partners, Stanford University and the University of California, San Francisco, in obtaining electronic health records.
Two months after the lawsuit was filed, UChicago Medicine and Google filed a motion to dismiss the case. The entities insisted they had complied with HIPAA data-sharing procedures and that the plaintiff had not presented any evidence that he was harmed by the defendants’ actions.
The tech company insisted it followed HIPAA guidelines, which allow the sharing of patient information without explicit consent in specific instances, particularly research. Google spokesperson Jose Castaneda was quoted as saying the company believes its ‘health care research could help save lives in the future’ and that it will ‘take privacy seriously and follow all relevant rules and regulations in our handling of health data.’
Google published a paper in 2018 entitled ‘Scalable and Accurate Deep Learning for Electronic Health Records,’ which indicated that electronic health record data were drawn from patients at the University of Chicago Medicine from 2009 to 2016. Demographics, medical procedures, diagnoses, medications, and other information were included, but, according to the company, specific PII was removed.
Unfortunately for Edelson PC and Dinerstein, Judge Pallmeyer dismissed the case in September 2020, stating that the plaintiff had failed to prove to the court that damages were incurred as a result of the partnership’s actions. In the ruling, the judge explained that the complainant had not adequately alleged that UChicago’s claimed breach of contract caused him economic damages.
Additionally, the judge rejected Dinerstein’s claims that the medical records in question had economic value and were passed on to another entity without his consent. The plaintiff failed to provide evidence that Google misused the information it obtained from UChicago or attempted to identify the patients. Ultimately, under the court’s ruling, a patient needs to demonstrate that the value of their medical information has been reduced by the privacy breach.
As early as 2005, stakeholders from various sectors had expressed concerns over the inadequacies, in the current setting, of HIPAA, which was first drafted in 1996 and has been revised several times since. A survey on the adequacy of HIPAA’s privacy rule, published by New York University, points out that the plain-language notice of privacy practices is not enough to meet the goal of protecting every person’s private health data.
A commentary published on Bill of Health, an online platform managed by the Petrie-Flom Center of Harvard Law School, said that ‘without a clear method to demonstrate damages, contract-based health privacy claims are likely to fail.’ This was a reaction to the judge’s ruling requiring patients to demonstrate the value of their medical records.
The article went on to explain the deficiencies of contract law in upholding patient privacy. Dinerstein insisted he had signed a privacy contract with the academic hospital upon admission. The court held that, despite the alleged breach of the privacy contract, the complainant was not able to show the damage it had caused him.
Technology companies may be able to reidentify patients even when their records have been stripped of personally identifiable data, as Dinerstein alleged. According to him, the data UChicago Medical Center passed to Google contained no patient names but still contained information that the search engine company, combined with the databases already in its hands, could use to reidentify patients. The judge, however, held that HIPAA allows the use of medical records for research purposes as long as the specified personal identifiers have been removed.
Before the Dinerstein case, Google’s parent company, Alphabet, formed an artificial-intelligence-focused research group named DeepMind, which was accused of patient privacy breaches when it partnered with the United Kingdom’s National Health Service to process medical information for research.
The Dinerstein decision is a success for Google, which is also being scrutinized for a similar alliance with the nonprofit healthcare system Ascension. Lawmakers are demanding that both parties divulge more about the type of information Ascension has shared with the tech company, whether patients were informed about the partnership, and whether they can easily opt out of data sharing.
Technology is a powerful tool, and it can improve the healthcare sector by leaps and bounds. To develop diagnostic and predictive algorithms, a system must be fed vast amounts of information from electronic records. These records are the very same information that medical institutions have committed to protect.
Unlike cases that have succeeded, the Dinerstein case shows that HIPAA may not provide umbrella protection for patients who find that their privacy rights are not adequately safeguarded. For this, the federal government may need to step in to ensure that additional privacy protection measures are in place.