Court Dismisses Privacy Case Against Google, Medical Center
But Judge Opens the Door to Filing an Amended Complaint
A federal judge has dismissed a lawsuit filed last year against Google and the University of Chicago Medicine involving complex privacy and other issues related to the use of patients’ de-identified electronic health record data. But the court left the door open to filing an amended complaint.
“The case was dismissed solely on procedural grounds,” says privacy and security attorney Paul Hales, principal of law firm Hales Law Group, who was not involved in the case. “According to the opinion, the complaint failed to state a legal claim for which the court could give them a remedy or grant relief.”
The opinion, he says, “is carefully worded and thoughtfully reviews controversial splits of opinion between different federal circuit courts on important points of law that apply to this case. Plaintiffs have the opportunity to cure the reasons for which their case was dismissed by filing an amended complaint.”
The Sept. 4 ruling gives the plaintiff until Oct. 15 to file an amended complaint.
“The plaintiffs cleared a critical hurdle when the U.S. District Court found it has ‘subject matter jurisdiction’ in this case involving alleged violations of their health information privacy rights in this case,” Hales adds.
An attorney representing lead plaintiff Matt Dinerstein – a former patient of the University of Chicago Medical Center – did not immediately respond to Information Security Media Group’s request for comment, nor did Google or University of Chicago Medicine.
The lawsuit seeking class action status, which was filed in June 2019 and amended in October 2019, asserts that patient EHRs were not properly de-identified by the University of Chicago Medical Center before they were shared without patient consent with Google to support the company's predictive medical data analytics technology development efforts (see: Can Patient Data be Truly Identified for Research?).
The lawsuit notes that in 2017, the University of Chicago Medical Center and Google began a research partnership in which they used machine-learning techniques to create predictive health models aimed at reducing hospital readmissions and anticipating future medical events.
As part of the research, the medical center disclosed to Google the “de-identified” electronic health records of all adult patients treated at its hospital from Jan. 1, 2010, through June 30, 2016, court documents note.
Dinerstein, the plaintiff, was an inpatient at the medical center in June 2015, and he brought the suit on behalf of all patients whose medical information was disclosed for the research effort.
The medical center and Google had also both filed motions to dismiss the case (see: Google, Medical Center Ask Court to Dismiss Privacy Lawsuit).
The amended complaint filed in the lawsuit in October 2019 said that a study published in 2018 about the Google and University of Chicago Medical Center research project noted that the EHR data the medical center provided to Google included the “dates of service” as well as “free-text medical notes.”
That amended complaint alleged that disclosing such information was a violation of HIPAA. “These records were not sufficiently anonymized, and therefore put patient privacy at risk,” the complaint contended.
“According to the amended complaint, whatever process was used to redact these notes was not properly audited or independently verified. Plaintiff suggests that the risk of re-identification was in fact substantial because of the information Google already possesses about individuals through the other services it provides,” the judge noted in the order to dismiss.
“Plaintiff alleges that the combination of such geolocation information and the EHRs, which include the date and time of hospital services, ‘creates a perfect formulation of data points for Google to identify who the patients in those records really are,’” the judge noted.
But the judge added: “The amended complaint does not allege that Google has in fact used its extensive data to re-identify any EHRs. While plaintiff charges the university with disclosing de-identified information, such as patient demographics and diagnoses, as well as date stamps and free-text notes, plaintiff also claims this information was not sufficiently anonymized.”
For many persons, disclosure of insufficiently anonymized health records is more invasive and disturbing than disclosure of credit records or fingerprints, the judge states. “In any case, the court is skeptical that the gravity of the information disclosed is what matters for standing … so the invasion of Mr. Dinerstein’s privacy depends not on the magnitude of the harm but the fact that this private right was invaded at all.”
The order to dismiss notes that plaintiffs acknowledged in the amended complaint that neither HIPAA nor the Illinois Medical Patient Rights Act provides a private right of action – the right to sue for violation of a regulation. “However, Dinerstein asserts the wrongful disclosure of his private information – a violation of his own rights.”
In the lawsuit, the plaintiff argues that Google or the university would have agreed to pay him a royalty if they had negotiated in good faith for his medical records. The plaintiff also argues that the university owes him a reasonable royalty for the use of his protected health information. But in dismissing the case, the judge disagreed.
“A royalty is normally appropriate only for interference with a property right … [and] plaintiff has not plausibly alleged that he has any such right in his PHI,” the judge’s order says.
Technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C., who was not involved in the lawsuit, disagrees with the judge’s assessment of PHI ownership in the dismissal.
“Who are we fooling by pretending PHI is not property?” he asks. “The question … is not whether a patient has property rights in PHI, but whether those rights are adequately protected.”
Teppler adds that to address the issue of a “reasonable royalty” for patient PHI, “an expert declaration directed to the value of health information – which is routinely bought and sold – would be helpful.”
The privacy lawsuit calls attention to the importance of reviewing the terms of research contracts.
“Healthcare providers and researchers should carefully review the language of all contracts and HIPAA data use agreements concerning the sharing of protected health information, particularly with regard to methods of de-identification of PHI and terms that could be construed as a ‘sale of PHI’,” Hales notes.
“Law has not caught up with technology that threatens personal privacy. Here, plaintiffs are forced to make creative use of laws that were passed before technology that can mine data was even developed.”
The plaintiff’s privacy worries in this case “echo the widespread public policy debates about the power of technology, big tech companies and nation state IT theft,” Hales says.
“This opinion will not end this case even though the legal underpinnings of the case are soft. It likely will be appealed to the Seventh Circuit that may ultimately allow evidence to support the plaintiffs’ claims.”