Google, Medical Center Ask Court to Dismiss Privacy LawsuitLegal Experts Analyze the Key Issues in Complex Case
Google and the University of Chicago Medical Center have filed motions to dismiss a class action lawsuit that alleges patients' electronic health records were not properly de-identified by the hospital before they were shared with Google to support the company's predictive medical data analytics technology development efforts.
The hospital and Google argue that they used a secure process in compliance with HIPAA and that the plaintiff has shown no evidence of harm caused by the data sharing.
The lawsuit filed in an Illinois federal court in June by a former medical center patient notes that HIPAA requires that data shared for research purposes must be de-identified by one of two methods. Those methods include the "expert determination" method to determine if risk of de-identification is small and the "safe harbor" method, which involves removing a long list of identifiers.
The lawsuit alleges that while the medical center claims it de-identified patient records shared with Google, the data included date stamps of when patients checked in and out of the hospital, as well as "copious free-text notes."
As a result, the lawsuit contends, through Google's "prolific data mining ... [the company] is uniquely able to determine the identity of almost every medical record released by the university."
The collaboration between Google and the University, the complaint contends, is to "pull off what is likely the greatest heist of consumer medical records in history."
Motions to Dismiss
In their motions to dismiss the lawsuit, Google and the University of Chicago Medical Center make several arguments:
- The university's collaboration with Google included sharing certain patient data via a secure process in compliance with HIPAA, they say. Plus, they argue that the plaintiff does not allege Google actually identified him or anyone in the class he seeks to represent, but rather "merely claims Google has the technological capability of doing so."
- Even if the plaintiff had standing, the complaint should be dismissed because there is no private right of legal action under HIPAA.
- The plaintiff's allegation of "intrusion" fails under the Consumer Fraud and Deceptive Business Practices Act because the patient voluntarily gave his data to the medical center.
Legal experts are weighing in on the dispute, seeing merits in the arguments on both sides.
Paul Hales, an independent health information privacy and security attorney who's not involved in the case, argues that the plaintiff's complaint is "much ado about nothing."
HIPAA permits disclosure of limited protected health information for research purposes when a covered entity enters a "data use agreement" with a researcher, he notes. "Court documents include such a DUA between the University of Chicago and Google dated December 21, 2016."
According to HIPAA, research "means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge," he adds.
Hales notes that while the HIPAA privacy and security rules may be somewhat out of date, they nevertheless directly address the disclosure of limited data for research. "However, like any law, they depend on the integrity of the people and organizations that follow them. And courts are beginning to recognize HIPAA as the 'standard of care' defendants must meet to win lawsuits based on health information disclosures."
But because the plaintiff in the lawsuit faces "a stiff challenge" to convince the court that he has suffered actual injury as a result of the sharing of the data, "there is a strong likelihood the case may be dismissed on procedural grounds," Hales says.
'Sidestepping' Critical Points?
Another legal expert, however, says the contentions of Google and the medical center are weak.
"Google's counter arguments are orthogonal, conclusory, and smack of 'techsplaining'," says technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C., who isn't involved in the case.
"First, Google's 'secure' sharing process completely sidesteps the argument that this information can be re-identified. In particular, Google's reach into the everyday lives of billions of people makes the 'secure' aspect of the sharing irrelevant," Teppler contends.
Plaintiffs' counsel can argue, he says, that "the ease with which re-identification/de-anonymization can be accomplished renders farcical the 'secure' aspect of sharing."
"While no private right of action exists under HIPAA, the statute does not pre-empt common law causes of action based on the violation, nor does it pre-empt many state deceptive and [unfair] business practice statutes upon which a HIPAA violation is predicated," he adds.
This case points to an emerging trend, Teppler notes.
"Courts are becoming increasingly sensitive to how quickly digital identity information can be used to either commit identity compromises, or, in this case, used for 'other business purposes'," Teppler says. "The core argument here is - who owns the data generated by a person?"
What can other organizations learn from this legal battle? Teppler advises organizations to tell patients what they intend to do with their data.
"If you make a profit off this information, offer clients an opt-out, or pay them. There is a New York Court of Appeals decision from the last decade that extended the tort of conversion and trespass to digital information. Proceed with caution."
Hales notes that Google is attempting to develop an advanced EHR product "that will not just store health information, but would use artificial intelligence to assist providers in making diagnoses and developing treatment plans."
That kind of EHR would offer "a significant advance" in health treatment and give Google an enormous competitive advantage over other EHR vendors, he contends.
"The prospect of a Google smart EHR underscores the current anti-trust debate about tech companies. How big is 'too big'? Do they have the power to eliminate competitors?"