On June 26, a University of Chicago Medical Center (UCMC) patient filed legal action against UCMC and Google over an alleged privacy violation involving the disclosure of protected health information (PHI) without first de-identifying it.
Google is developing predictive medical data analytics technology, which is why patient data was shared with Google. HIPAA does not stop information sharing with third parties such as technology firms, as long as consent is secured from patients before the information is shared.
As an alternative, healthcare companies are allowed to share patient data as long as it is de-identified. HIPAA requires removing 18 identifiers to make sure patients are not identifiable. Healthcare companies may use either of two methods for de-identifying PHI: safe harbor or expert determination. The first method involves removing all 18 identifiers from PHI, while the second requires an expert to apply recognized statistical and scientific principles to assess the risk of patients being re-identified and ensure it is adequately low.
The lawsuit claims UCMC did not remove all the required identifiers from the data before sharing it with Google. Besides the dates and times when the patients got hospital services, the lawsuit states there were also copious free-text notes disclosed to Google.
The timestamps give the specific time a patient was at the hospital, which puts patient privacy at risk. The lawsuit claims that including timestamps violates the terms of the safe harbor de-identification method. It also claims that UCMC did not acquire patient consent before sharing the information with Google.
The key issue is that Google already retains substantial quantities of user information through its “prolific data mining” activities and is capable of identifying all persons from the healthcare records given by UCMC.
The lawsuit also implies that there was a collaboration between the hospital and the medical center to accomplish what is probably the biggest heist of consumer healthcare records in history.
Defendants UCMC and Google have already filed motions to dismiss the lawsuit. They claim that they used a secure and HIPAA-compliant process to de-identify patient information. Additionally, Google states that the plaintiff and other class members are not alleging that Google has used the data to re-identify patients, only that Google is capable of doing so. As a result, the defendants argue, no injury was suffered due to the information sharing, and even if an injury was sustained, the lawsuit ought to be dismissed since HIPAA does not allow a private right of action.
The defendants likewise claim that the meaning of intrusion presented by the plaintiffs is not covered under HIPAA as every patient voluntarily gave their healthcare data to the medical center. Rather, it is covered by the Consumer Fraud and Deceptive Business Practices Act.