In late June of 2019, a class action lawsuit was filed against the University of Chicago Medical Center (UCMC) and Google. This HIPAA Privacy lawsuit alleges that UCMC failed to properly de-identify patient protected health information (PHI) before sharing it with Google.
What Allegations Were Made in the HIPAA Privacy Lawsuit?
The HIPAA Privacy lawsuit alleges that UCMC shared with Google patient information that it had failed to properly de-identify, to assist Google with development of its predictive medical data analytics technology.
Sharing of PHI with third parties is not per se prohibited under the HIPAA Privacy Rule. A covered entity may share PHI with third parties, such as tech companies, provided consent is obtained from patients prior to information being shared.
The lawsuit has alleged that no such consent was given.
Patient information may also be shared if that information is first de-identified. Under the HIPAA Privacy Rule, de-identification requires removal of 18 identifiers that can uniquely identify a patient. Once de-identification is complete, the information is no longer considered to be PHI, and as such, the information can be shared by a covered entity with a third party.
There are two methods used to de-identify PHI: expert determination, and the safe harbor method. The latter involves removal of the 18 identifiers. The former requires that an expert evaluate the data. The expert, using recognized principles of statistics and science, must conclude after evaluating the data that there is a very small risk (and no more) that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is the subject of the information.
The patient’s HIPAA Privacy lawsuit alleges that UCMC failed to remove all the necessary information from the data prior to it being shared with Google. The lawsuit alleges that the data shared with Google contains dates and times (time stamps) of when patients checked in and out of the hospital, and also alleges that UCMC shared “copious free-text notes” with Google.
The time stamps placed each patient at the hospital at a specific time, which placed patient privacy at risk, according to the HIPAA Privacy lawsuit. The lawsuit alleges the inclusion of time stamps violates the provisions of the safe harbor de-identification method and that, since UCMC did not obtain consent from patients to share their data with Google, the Privacy Rule was violated.
The lawsuit also alleges that, given the combination of UCMC allegedly failing to de-identify data and the allegation that Google already stores enormous quantities of data from data mining activities, there is a risk that the patient’s PHI can potentially be re-identified.
How Have UCMC and Google Responded to the HIPAA Privacy Lawsuit Allegations?
In late August of 2019, UCMC and Google (Defendants) both filed motions to have the lawsuit dismissed. A motion to dismiss may be filed by a defendant for a number of reasons, including, as applicable here, that Plaintiff failed to sustain an actual injury, as opposed to a possible or hypothetical one. The motions to dismiss also seek to have the case dismissed for what is known as “failure to state a claim upon which a court can grant relief,” alleging that there is no private right of action under HIPAA, that is, no right of an individual to file a lawsuit against a covered entity or a third party with whom the covered entity shares patient data.