Michael Manganelli
Associate Editor
Loyola University Chicago School of Law, JD 2021
Earlier in 2019, a lawsuit was filed against University of Chicago Medicine, University of Chicago Medical Center, and Google. The suit claims that patient information was shared with Google as part of a study aimed at advancing the use of artificial intelligence, but that patient authorization was not obtained and the data used was not properly de-identified. In 2017, University of Chicago (UChicago) Medicine started sending patient data to Google as part of a project to determine whether historical health record data could be used to predict future medical events.
HIPAA and patient data
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not prohibit disclosure if either the patient provides express consent or the protected health information (PHI) has been de-identified by removing the 18 identifiers that allow PHI to be tied to a particular patient. Included in the 18 identifiers are: names, geographical identifiers such as a zip code, dates related to an individual, URLs, IP addresses, and any other unique identifying number, characteristic or code. In the case of zip codes, covered entities (healthcare organizations and their business associates) are permitted to use the first three digits of the zip code if those digits encompass more than 20,000 individuals.
HIPAA provides a specific Security Rule regarding electronic formats. Under this rule, HIPAA requires safeguards to be implemented to protect PHI that is created, used, stored, or transmitted in electronic formats. This specific type of PHI has been classified as electronic PHI, or ePHI.
Google confirmed in a 2018 research paper that the ePHI used in the research was de-identified; however, dates of service were included in the data set. This could be considered a HIPAA breach, since Google already holds vast quantities of data on individuals: Google could tie the data to other information and in turn re-identify patients. No evidence has been obtained by Edelson PC, the law firm representing the injured parties, to suggest that Google has misused any patient data.
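As an added example (not from the article, the lawsuit filings or Google's paper), a small Python check of the Safe Harbor rules described above: it strips the direct identifiers, reduces dates to the year, and applies the three-digit zip prefix rule with its 20,000-person threshold. The field names, the sample row and the population figures are assumptions constructed for the example; a row that still carries a date of service, as the 2018 paper's data set did, fails the check.

```python
from datetime import date

# Subset of the 18 HIPAA Safe Harbor identifiers discussed above.
# Field names are assumptions for this example, not a real schema.
DIRECT_IDENTIFIERS = {"name", "mrn", "phone", "email", "ssn", "url", "ip_address"}
DATE_FIELDS = {"date_of_birth", "service_date", "admission_date", "discharge_date"}
ZIP_MIN_POPULATION = 20_000  # a 3-digit zip prefix may be kept only above this


def generalize_zip(zip5, prefix_population):
    """Keep the first three digits only if that prefix covers >20,000 people, else '000'."""
    prefix = zip5[:3]
    return prefix if prefix_population.get(prefix, 0) > ZIP_MIN_POPULATION else "000"


def safe_harbor_violations(record):
    """Return the sorted field names that still carry a Safe Harbor identifier."""
    found = [f for f in record if f in DIRECT_IDENTIFIERS]
    # A full date (day-level) tied to an individual is an identifier; a bare year is not.
    found += [f for f in record if f in DATE_FIELDS and isinstance(record[f], date)]
    if "zip" in record and not (len(record["zip"]) == 3 or record["zip"] == "000"):
        found.append("zip")
    return sorted(found)


def deidentify(record, prefix_population):
    """Apply the Safe Harbor transformations and return a new record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                        # drop outright
        if field in DATE_FIELDS and isinstance(value, date):
            out[field] = value.year         # keep only the year
        elif field == "zip":
            out[field] = generalize_zip(value, prefix_population)
        else:
            out[field] = value              # clinical content is retained
    return out


# Constructed sample row resembling the data flow described above (not real data).
SAMPLE_ROW = {
    "mrn": "000123",
    "name": "Jane Example",
    "zip": "60637",
    "service_date": date(2017, 3, 14),
    "diagnosis_code": "E11.9",
}
# Constructed population counts per 3-digit zip prefix (assumption, not census data).
PREFIX_POPULATION = {"606": 2_700_000, "036": 12_000}
```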
The University of Chicago has denied all allegations of wrongdoing, stating “[t]he claims in this lawsuit are without merit. The University of Chicago Medical Center has complied with laws and regulations applicable to patient privacy.” In response, Jay Edelson, founder of Edelson PC, stated that “[w]e believe that not only is this the most significant health care data breach case in our nation’s history, but that it is the most egregious given our allegations that the data was voluntarily handed over.”
Past transgressions from the tech giant
This is not the first time Google has been accused of violating patient privacy laws. In 2016, DeepMind, the project owned by Google used to process medical data, was accused of violating patient privacy after it struck a deal with Britain’s National Health Service to process medical data for research after previously stating that there would not be a deal between Google and Britain.
This case represents a larger problem facing health systems and large technology companies: using artificial intelligence to diagnose medical problems. This concern is only amplified by the fact that in this case, Google (one of the largest companies in the world) already knows what you search for, where you are, and what you are interested in.
Civil penalties for HIPAA violations start at $100 per violation by any individual, but can increase to $25,000 if there have been multiple violations of the same type. Criminal penalties can be even more severe. The minimum fine for willful violations of HIPAA is $50,000 and the maximum criminal penalty is $250,000.
Should HIPAA be amended to account for growing technologies?
The Office for Civil Rights (OCR), an organization within the U.S. Department of Health and Human Services (HHS), works closely with doctors and patients to ensure that every patient knows their rights and privacies concerning personal health information and medical treatment options. In turn, OCR proposes new changes to HIPAA.
In 2018, OCR and HHS published a Request for Information that sought feedback on whether and how HIPAA should be revised, including changes to how substance abuse and mental health information records are protected. According to the HIPAA Journal, there are no new proposed Rules that would add or increase security for electronic health information. The only new changes being considered concern aspects that impede the transformation to value-based healthcare and areas where current Privacy Rule requirements limit or discourage coordinated care.
Currently, failures to protect ePHI and subsequent privacy violations can result in significant fines. But since there is no private right of action under HIPAA, patients affected by data breaches cannot sue HIPAA covered entities for the exposure, theft, or impermissible disclosure of their PHI. With the rise of technology and data usage, it would be prudent for OCR, HHS, and health systems to update and modify the current regulations that protect patients' information from abuse.