A Federal judge dismissed a potential class-action lawsuit that was filed in June 2019 against UChicago Medicine, the University of Chicago, and Google.
The lawsuit was a response to an alleged breach of HIPAA Rules associated with a data-sharing partnership between Google and the University of Chicago Medicine.
In 2017, the University of Chicago Medicine transmitted de-identified patient data to Google as part of a project to use medical records to enhance predictive evaluation of hospitalizations, and in so doing, provide a better quality of patient care. The objective of the joint venture was to determine if a patient’s health is declining through machine learning techniques and to facilitate prompt interventions to avert hospitalization.
The University of Chicago Medicine provided Google with a huge amount of patient records dated 2009 up to 2016. The data provided to Google was de-identified however the doctors’ notes and the time stamps of dates of service were included.
Edelson PC filed the lawsuit for the lead plaintiff, Matt Dinerstein, who is a UC Medical Center patient with two hospital stays in 2015.
The lawsuit claimed that the confidential protected health information (PHI) of Mr. Dinerstein was provided to Google without appropriate de-identification. The free-text notes from physicians and nursing staff were contained in the data together with related time stamps. It was only in a 2018 research study that it was confirmed the PHI disclosed to Google contained notes and time stamps.
The lawsuit claimed providing that information to Google showed that it was not adequately de-identified. Given that Google previously had a sizeable store of data, patient re-identification is possible resulting in a privacy risk for all patients who had their information disclosed to Google.
The legal action additionally alleged that Mr. Dinerstein’s medical records had value to him and were stolen, though there was no allegation that Google attempted to re-identify patients. The lawsuit likewise stated Mr. Dinerstein should receive a fair amount of royalty for using his PHI.
UC Medical Center and Google submitted motions to dismiss the case on August 3, 2019, stating that all information sent to Google as part of the project was sent via secure, HIPAA-compliant channels. The motions additionally explained there is no private right of action by the Illinois Medical Patient Rights Act nor the HIPAA.
On September 4, 2020, the United States District Court Northern District of Illinois Eastern Division’s Federal Judge Rebecca Pallmeyer denied Mr. Dinerstein’s allegations and decided to dismiss the lawsuit.
Judge Pallmeyer said that even with Mr. Dinerstein’s property interest in medical data, his claims don’t support an interference that the property’s value was reduced by the University’s or Google’s actions. She also said that royalties are merely suitable for interference with a property right, and the plaintiff was unable to prove the possession of such rights over his PHI. Judge Pallmeyer furthermore stated in the decision that Mr. Dinerstein did not sufficiently show that the claimed privacy breach had brought on him economic injury. The plaintiff may submit an amended complaint prior to October 15, 2020.
The judgment is surely good news to Google, which is likewise dealing with the investigation of its “Project Nightingale”, a joint venture with Ascension that resulted in potential HIPAA violations when Ascension provided millions of records to Google in 2019.