By Jenna Becker
A data privacy lawsuit against the University of Chicago Medical Center and Google was recently dismissed, demonstrating the difficulty of pursuing claims against hospitals that share patient data with tech companies.
Patient data sharing between health systems and large software companies is becoming increasingly common as these organizations chase the potential of artificial intelligence and machine learning in healthcare. However, many tech firms also own troves of consumer data, and these companies may be able to match up “de-identified” patient records with a patient’s identity.
Scholars, privacy advocates, and lawmakers have argued that HIPAA is inadequate in the current landscape. Dinerstein v. Google is a clear reminder that both HIPAA and contract law are insufficient for handling these types of privacy violations. Patients are left seemingly defenseless against their most personal information being shared without their meaningful consent.
Dinerstein v. Google
In 2017, Google announced a partnership with the University of Chicago to create machine learning tools that would predict patients’ future health problems and adverse medical events. To complete this goal, the university handed over five years of “de-identified” electronic medical record data to Google.
A UChicago patient, Matt Dinerstein, brought multiple claims against the health system and Google, including breach of contract based on an alleged HIPAA violation. Earlier this month, a federal judge in Illinois dismissed his claims, saying that Dinerstein did not demonstrate damages.
The opinion provides a couple of important reminders.
Insufficiency of Contract Law
First, contract law is not an adequate tool to protect patient privacy.
HIPAA does not create a private right of action. So, when Dinerstein sued his hospital and Google, he brought breach of contract claims based on privacy agreements he had signed when admitted to the hospital. The judge stated that even if this privacy agreement had been breached, Dinerstein would be unable to recover, as he had not adequately shown that the breach caused him damage.
Although the theories of damages applied in this case may not apply in all jurisdictions, the opinion shows the difficulty of establishing monetary damages in the context of health data privacy.
Patients do not have a clear property interest in their data. Even if patients have a property interest in their medical records, they face additional hurdles.
The court held that to establish damages, patients need to demonstrate that the value of their medical records was lowered due to the privacy violation. Without a clear method to demonstrate damages, contract-based health privacy claims are likely to fail.
The success of health data privacy claims should not be forced into this contract law framework. A private right of action through HIPAA could help close this gap. Alternatively, bolstering HIPAA to meet today’s needs could eliminate the need for private suits, if adequately enforced.
Issue of Re-Identification
Second, HIPAA may allow for health systems to share re-identifiable information with tech companies.
Dinerstein stated that UChicago shared medical data that, while stripped of some identifying information, could be easily re-identified by Google. He claimed that this data contained patient ages and un-redacted physician notes, which could be used to re-identify patients when matched with the vast consumer databases Google already owns.
The court skirted around the issue of re-identification. Instead, the court looked to HIPAA’s “safe harbor” exemptions, which allow for the health system to share data for research purposes, as long as specific identifiers are removed. Because Dinerstein acknowledged that the required identifiers had been removed, he did not allege a HIPAA violation. Google’s ability to re-identify these patients was not enough to overcome HIPAA’s explicit de-identification criteria.
This case reminds us that without additional statutory protections, patients will struggle to control whether their most personal health data is shared with the largest tech companies in the world. In the meantime, Dinerstein plans to appeal this decision.