UCMC and Google File Motions to Dismiss HIPAA Privacy Lawsuit

On June 26, a patient of University of Chicago Medical Center (UCMC) filed a lawsuit against the medical center and Google over an alleged privacy violation related to the sharing of protected health information (PHI) without first properly de-identifying the data.

Patient information was shared with Google to assist with the development of its predictive medical data analytics technology. HIPAA does not prohibit the sharing of information with third parties such as technology companies, provided consent is obtained from patients prior to information being shared.

Alternatively, healthcare organizations can share patient information provided it is de-identified. Under HIPAA, that means removing 18 identifiers to ensure patients cannot be identified. HIPAA calls for one of two methods to be used to de-identify PHI: Expert determination or the safe harbor method. The latter involves stripping PHI of all 18 identifiers, while the former requires an expert to determine, through recognized statistical and scientific principles, that the risk of patients being re-identified is sufficiently low.

The lawsuit alleges UCMC failed to remove all the necessary information from the data prior to it being shared with Google. In addition to the dates and times when patients checked in/out of hospital, the lawsuit alleges “copious free-text notes” were also shared with Google.

The time stamps place each patient at the hospital at a specific time, which places patient privacy at risk. The lawsuit alleges the inclusion of time stamps violates the provisions of the safe harbor de-identification method and that UCMC did not obtain consent from patients to share their data with Google.

The main issue is Google already stores vast quantities of user data from its “prolific data mining” activities and that the tech giant is in a position where it could identify all individuals from the medical records provided by UCMC.

The lawsuit even goes as far as to suggest the collaboration between the medical center and the hospital is an attempt to “pull off what is likely the greatest heist of consumer medical records in history.”

Last week, UCMC and Google filed motions to have the lawsuit dismissed. The defendants claim that a secure process was employed to de-identify patient data and that the process was fully compliant with HIPAA Rules. Further, Google argues that the plaintiff and other class members do not allege Google has used its data to re-identify patients, only that the company has the capability of doing so. Consequently, no injury has been sustained as a result of the sharing of information and even if an injury had been sustained, the case should be dismissed as there is no private right of action under HIPAA.

The defendants also argue that the definition of the intrusion provided by the plaintiffs does not fall under HIPAA as each patient voluntarily provided their medical information to the medical center. Instead, it falls under the Consumer Fraud and Deceptive Business Practices Act.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.