Matt Dinerstein, a former patient at the University of Chicago Medical Center, is accusing the University, its’ medical center, and Google of violating his privacy rights. From 2009 to 2016, UChicago and Google partnered to conduct medical research. Through the partnership, the University shared patient records with Google for research purposes.
HIPAA law dictates that before protected health information (PHI) can be shared for research purposes, the data needs to be de-identified, ensuring a patient’s anonymity. The suit claims that PHI was not adequately de-identified since timestamps for appointments were within the patient records. It also claims that Google has the means to re-identify the patient data using technology they acquired through their 2014 purchase of DeepMind. DeepMind is a data mining company that the suit argues has the capability to use the patient timestamps to tie patient records back to the patient, making it a HIPAA violation.
Jeremy Manier, a spokesperson from UChicago stated, “That research partnership was appropriate and legal and the claims asserted in this case are baseless and a disservice to the Medical Center’s fundamental mission of improving the lives of its patients. The University and the Medical Center will vigorously defend this action in court.”
Is it a HIPAA violation?
The Institutional Review Board (IRB) is charged with reviewing documentation for research projects involving PHI. The following three criteria must be satisfied for an IRB or Privacy Board to approve a waiver of authorization under the Privacy Rule:
- The use or disclosure of protected health information involves minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
- an adequate plan to protect the identifiers from improper use and disclosure;
- an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
- adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;
- The research could not practicably be conducted without the waiver or alteration; and
- The research could not practicably be conducted without access to and use of the protected health information.
Although HIPAA law allows entities to share PHI for research purposes, it needs to be sufficiently de-identified before it can be shared. Since Google has the means to re-identify the data, the suit will likely result in a HIPAA violation.