Earlier in 2019, a lawsuit was filed against University of Chicago Medicine, University of Chicago Medical Center, and Google. The suit claims that patient information was shared with google as part of a study aimed to advance the use of Artificial Intelligence, however, patient authorization was not obtained and the data used was not properly de-identified. In 2017, University of Chicago (UChicago) Medicine started sending patient data to Google as part of a project to look to see if historical health record data could be used to predict future medical events.
On September 9th, 2019, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) issued its first enforcement action and settlement under its Right of Access Initiative. This came as a reaction to Bayfront Health St. Petersburg (Bayfront) paying $85,000 in fines to OCR. Bayfront adopted a corrective action plan to settle a potential violation of the right of access provision of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule after they failed to provide a mother timely access to the records about her unborn child. In response, the OCR Director, Roger Severino, stated “[w]e aim to hold the health care industry accountable for ignoring peoples’ right to access their medical record and those of their kids.”
Data protection measures have been increasingly crossing news headlines ever since the General Data Protection Regulation (GDPR) came into effect in 2018. However, data protection measures did not begin with the GDPR. In the United States, where there is a sectoral system in place, there have been regulations in place for years that monitor children’s online privacy (COPPA), health information (HIPAA), spam (CAN-SPAM), and even video rental history (VPPA). Despite these systems being implemented years ago, large companies still fail to properly comply with the requirements set forth. Recently, a settlement between YouTube and the FTC brought to light the importance of compliance with COPPA.
The Health Insurance Portability and Accountability Act (HIPAA) and the Patient Protection and Affordable Care Act (ACA) jointly create national standards for electronic transactions, code sets, and unique identifiers. The ACA introduced Administrative Simplification provisions in 2010 and now the Centers for Medicaid and Medicare Services (CMS) has launched a Compliance Review Program to ensure that HIPAA covered entities are abiding by the Administrative Simplification rules.