Thursday, September 12, 2019

“The Greatest Heist of Consumer Medical Records in History” and Article III Standing




News of data breaches and hacks has become commonplace and will likely increase in an age where digital information is amassed at an exponential rate [1]. Tech giants like Apple, Amazon, Google and Facebook partner with the healthcare industry to use personal data from fitness/health apps, and sometimes medical records, to create new technology. In a nation that spends $3.5 trillion on healthcare annually [2], there is a huge market for business, and healthcare providers see the value in tools that can increase quality of life, improve outcomes, and help diagnose and treat their patients. However, use of this highly sensitive and most personal data presents ethical issues and legal challenges. While the data continues to accumulate, the regulations and remedies for violations of privacy fall behind.

Dinerstein v. Google and the University of Chicago

This past June a class action was brought against Google and the University of Chicago on behalf of Matt Dinerstein for what the complaint describes as the “greatest heist of consumer medical records in history.” In 2017, Google partnered with the University of Chicago in a data analytics project. Hundreds of thousands of records were released to Google to develop a machine learning model designed to predict and alert caregivers when a patient is declining. Although the data provided by the University of Chicago to Google was de-identified, the plaintiff argues that because Google “has untold amounts of data regarding consumers’ daily lives” and is “one of the largest and most comprehensive data mining companies in the world,” sensitive and private health information could be linked back to the individual patient. [3]

Google and the University of Chicago filed motions to dismiss the case with prejudice. The defendants argue that the release of medical record information was allowed under the research provisions of the HIPAA regulations, and also that the plaintiff’s claim fails because there is no injury in fact. While it may be possible for Google to re-identify individuals, it has not done so, nor does it plan to do so. “Plaintiff has not alleged the required constitutional ‘injury-in-fact’ necessary to support Article III standing…. even if Plaintiff satisfied Article III’s requirements, Plaintiff still fails to state any claim upon which relief may be granted.” [4]


Article III Standing and Privacy Rights

As discussed in class, a civil case cannot proceed in federal court if there is no case or controversy. To have Article III standing, the plaintiff is required to show:

1) Injury in fact;
2) Causation (the injury is linked to the defendant’s action); and
3) Redressability (some form of relief that will alleviate the injury caused by the defendant). [5]

The “injury in fact” standard is a demanding one where privacy rights are concerned. The Supreme Court has said an “injury in fact” should be concrete and particularized, actual or imminent, and not conjectural or hypothetical [6]. It does not appear that Dinerstein v. Google would meet this standard. Consider the sensitivity of genetic, mental health, and substance abuse information disclosed from medical records. Inappropriate use and disclosure could limit an individual’s ability to obtain health or life insurance, and could affect reputation, ability to obtain employment, and so forth. Once private information is breached, it cannot be recalled. The consequences for an individual could be life altering.

Questions

Is it reasonable that there is no civil remedy for privacy violations until injury actually occurs?  

Should the Supreme Court take a broader view of standing in consideration of privacy rights?


Sources:
[3] Dinerstein v. Google, No. 1:19-CV-04311, 2019 WL 2627324 (N.D. Ill.) (Trial Pleading)
[4] Dinerstein v. Google, No. 1:19-CV-04311, University of Chicago’s Memorandum in Support of its Motion to Dismiss
[5] Mauet & Marcus, Pretrial 68 (2015)
[6] Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992)
[7] https://www.nytimes.com/2019/06/26/technology/google-university-chicago-data-sharing-lawsuit.html

15 comments:

  1. This is an interesting case and can be viewed from both sides. It is almost impossible to ensure there will be no data breach on any information contained in a system that has access to the web. If these potential technology advances assist in saving lives, increasing life expectancy or improving quality of life, then some reasonable standards should be set to allow these companies to operate. In most states, for a data breach to constitute a reportable "security breach", it must be one where "illegal use of the personal information has occurred or is reasonably likely to occur or that creates material risk of harm to the consumer." (1) The AMA and HIPAA have procedures in place currently to assist in data breach situations. I believe there should not be remedy unless injury occurs as previously stated. If we open the door to potential claims or future injuries in an already litigious society, then the legal system will be inundated with legal "what ifs". Malpractice and E & O premiums will be so expensive to bind. There are current E & O policies which cover health care network security, billing issues, HIPAA violations and other breaches which can reduce exposure to involved participants falling victim to their system breaches. I believe the level of scrutiny currently given by the Supreme Court should remain the same. Assuming the entity which has been hacked follows all policies and procedures within the state and federal guidelines, then injury in fact should be present to have standing. Contrarily, people can argue that the mere fact the information is stolen is proof the hacker has intent to cause future harm. Some individuals say the cost of mitigating injuries after a breach is injury itself. For future advances in medical technology, I believe the potential reward outweighs the risk of breach; nonetheless, if a breach occurs, then injury must be proven to initiate a viable claim. Great article and can be substantiated from either side of the debate.

    (1) https://www.fisherphillips.com/employment-privacy-blog/strict-privacy-and-data-security-bill-introduced

  2. This case is interesting. If Dinerstein et al. used lawyers to help them file the class action, it makes me question the competency of the lawyers since they should have seen that there is no actual injury in fact.
    I also agree with Cain. It would be a rough world to live in if we saw everyone as having the potential to break the law (I mean, I know everyone has the *potential*, but hopefully you get what I'm trying to say). Therefore, I also believe that there should be no remedy unless there is an injury in fact.
    Cain also made a good point about the AMA and HIPAA. There are many safety regulations in place. If you wanted to access that many health records that are protected by HIPAA, you would have to jump through a lot of hoops to make that happen.
    Furthermore, although it wouldn't be fun to have private records disclosed to the public, I don't believe it would impact the person's ability to acquire a job or insurance. Both physical and mental disabilities are federally protected classes, and cannot be discriminated against.

    1. My guess on this case is that the complaint was drafted more to grab headlines than actually make its way through the courts.
      I have a hypothetical for both Dan and Cain: what if the plaintiffs could prove that Google used their analytic resources to re-identify the medical records? Let's also assume that Google did so only for business purposes, maybe to place ads for pharmaceutical companies based on what they know the patient is being prescribed or the patient's diagnosis. The University of Chicago would probably be able to take action based on the contract they signed, but the individual would still have no remedy. Google has a copy of the patient's entire medical record and the patient never consented for their record to be used in that manner. Thoughts?

    2. Shelby, great blog by the way. On the hypothetical, it is definitely an interesting scenario but I still am not sure I see the "injury". There is certainly an issue with utilizing medical records without consent or intended purposes; however, I do not see where monetary gains should be acquired by plaintiff when there is no damage to them. In your scenario, what would you pinpoint as the injury? Or do you agree with me?

    3. Thanks Cain! I agree, there is no injury to pinpoint. There are probably other cases that would illustrate this better, but what I am trying to get at is this...

      A party, let's pretend they are not reputable, has your information (a copy of your entire medical record, or banking records, anything private and sensitive). This company is likely to sell your information to your business competitors or post it on Wikileaks (who knows!), they have done similar things before. While government agencies can take action, as an individual you couldn't do anything until you were injured, until they posted your record online and you could prove that having that record online actually injured you in some way. My goal with the post was to highlight the gap. Private information could be in the wrong hands, but there is not a remedy for an individual until it is too late.

      It is really a complex issue. I feel that the standard for “injury in fact” when it comes to privacy might be too stringent, but totally agree with your points about our litigious society. Medical research is my day job and I can attest to the benefits projects similar to the one Google and University of Chicago are conducting have for patients. It would be a shame if those projects couldn’t continue.

  3. Generally, privacy rights are taken pretty seriously in regards to medical information and HIPAA violations. Along with HIPAA, they also have to comply with the FTC, which is the Federal Trade Commission Act. The FTC governs disclosures for health information being released and those disclosures not being deceptive or misleading. Although I am not sure if this was a factor in this case because it does not appear that the issue was what information was released and they did not sign disclosures. The focus was more on information that was released to not be identifying or "cause injury". I see both sides to the civil remedy. A lot of things we do could potentially result in injury and a lot of people would end up in jail and/or getting charged for potential crimes and let's be honest, our court systems already have enough issues. On the other hand this is very serious information that if breached and/or leaked could affect a person's livelihood as well as reputation. Past rehabs, drug addictions, smoking status, and other medical information that someone would not want released. I am sure these laws of privacy and protection for the consumer are always being re-evaluated but the solution is probably very complicated to make both sides happy. I also understand that a lot of this information has helped with progress of health care, preventive care, and being able to check on an employee who has diabetes like mentioned above.

    1. This is good information, Angela! It must be super frustrating for them to have to comply with so many rules, but I'm glad that HIPAA and the FTC are there to safeguard medical information. I also see how it wouldn't be fun to have that information leaked or breached, but I'm glad that the HIPAA and FTC laws are probably re-evaluated often, like you said.

  4. Shelby, thank you for your post and the comments made by others too. It definitely gave me insight into a topic that has far reaching implications. HIPAA and the Privacy Rule set a baseline of protection for certain individually identifiable health information. (1) These laws usually only apply to personal medical information in the hands of specific types of entities like our doctors or health facilities. So while many believe sensitive medical information is protected, information given to social networks, search engines, website discussion is usually not protected by existing medical privacy laws. You have astutely highlighted the numerous exceptions for disclosure of medical information without a person’s consent. Additionally, informed consent is often so complex people really don’t know what they are or are not agreeing to.

    As you have pointed out, medical privacy protection is patchwork at best. Under current laws, it does seem there is no civil remedy for privacy violations until injury does occur through the court systems. (2) Instead, it seems the most expeditious way to address the “greatest heist” is by fast tracking statutory law addressing medical privacy expanding beyond medical care providers rather than through the courts.

    In the case of Dinerstein v. Google, it appears there will be some interesting arguments made as to what injury entails. I agree the standing issue is muddled. However, imminent “injury” may be stretched to include a patient losing trust in systems such as HIPAA, the Privacy Rule, and Electronic Health Information Exchange and therefore compelling the patient(s) to make risky health care choices by electing not to seek health care, compromising his or her health because they are concerned about privacy issues. It is a stretch. I am sure there will be some creative lawyering in the case that will be interesting to watch unfold. While Dinerstein may have some valid arguments, perhaps the tenets of his complaint would be better served through a different plaintiff.

    On initial look, I would say “yes” the SCOTUS should take a broader view of standing in consideration of privacy rights. However, I think if the definition of standing can be enlarged in this scenario it would unintentionally pave the way for other issues, complaints, etc. to also argue for a broadened interpretation of standing, creating unforeseen detrimental consequences. So while it seems to make sense in this case, I would argue against the Supreme Court taking a broader view of standing and altering key principles of case and controversy requirements and instead look toward addressing this pressing and very salient issue through legislative action.

    (1) https://www.healthit.gov/topic/health-information-privacy-law-and-policy
    (2) https://www.eff.org/issues/law-and-medical-privacy

  5. The scope of health care data breaches is quite extreme. One may ask, of the hundreds of thousands of breached accounts, whether a credit card company has suffered identity theft or a hospital suffered medical identity theft, what percentage of victims have likely suffered a consequence of the breach and, to that end, to what degree?
    According to Healthcare News and Insights, data breaches are widespread. In 2011 and 2012, nearly 94% of healthcare organizations had suffered at least one data breach. (1) A staggering 45% had suffered more than 5 breaches during that time. Clearly, we understand the cost to providers, and especially for health providers who will face HIPAA fines and compliance costs. All of this information must be considered before legislation and the courts can intervene with appropriate regulation and punishment.
    One possible precursor to enacting appropriate legislation would be to establish a more formalized standard of care for companies that handle sensitive client information. That is, information that could cause harm if shared with other parties.
    HIPAA laws have done a great deal to protect patient rights, including imposing enormous fines. But any entity that has access to the most private information should be regulated in order to meet or exceed a standard set in place where security vulnerabilities exist.
    Considering the nuances of the internet and the difficulty in making the web truly secure, it seems to me that legislation will not ever enhance internet security. But it can induce the healthcare entities to comply with new regulation.
    Entities that store sensitive information must be required to meet or exceed a certain standard which will be set by government regulation in order to ensure client privacy. No, this will not stop a data breach, but it will create a standard of care for administrative, physical and technical safeguards which can then lead to appropriate legislation. (2)

    (1) www.healthcarebusinesstech.com/best-practices-to-secure-healthcare-data/
    (2) www.ncbi.nlm.nih.gov/pmc/articles/PMC5522514/

  6. This was an interesting read that appears to be an ongoing issue since the filing took place in June and could very well go from potential lawsuit to an actual lawsuit. I think it’s important we utilize technology and partnerships, as in the case between the University of Chicago and Google, to diagnose and treat medical problems faster; however, there need to be some tighter guidelines. This case is the perfect example of how some laws and regulations need to be amended with modern times or we will continue to see this problem arise in our courts.

    While the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 [1], plenty has changed since then, especially technology, making HIPAA decades old. If you think about it, Google and social media didn’t even exist; even the Internet is nowhere near what it was in 1996 compared to today (established in the 1960’s for government research) [2]. According to a Law Professor at the University of Nevada, “HIPAA was enacted in 1996 before the technology industry started collecting vast amounts of personal information. That has made the regulations outdated because the idea of what information is considered individually identifiable has changed with advances in technology.” [3]

    While I think it is unreasonable that our government can’t come up with a remedy for privacy violations before they occur, I’m not surprised. It seems to me no law or change is ever made until it’s too late, until someone dies or until someone is hurt. Sadly, we seem to use these unfortunate circumstances as a platform to make change and Dinerstein v. Google and the University of Chicago may be no different.

    When it comes to privacy rights I think it would be difficult for the Supreme Court to take a broader view of standing, but I do think it’s necessary for change. If the Supreme Court looks at HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 [4] they may find there have been some violations in this case because while Google may not “intend” to use the data they collected to re-identify individuals, the mere fact they have the information without consent from the patient, injury or not, is what makes it a HIPAA violation. The challenge for the plaintiff is proving the defendants did not properly de-identify the patient data that was shared and the patient did not authorize its exposure.


    [1] https://www.hipaajournal.com/when-was-hipaa-enacted/
    [2] https://www.usg.edu/galileo/skills/unit07/internet07_02.phtml
    [3] https://www.nytimes.com/2019/06/26/technology/google-university-chicago-data-sharing-lawsuit.html
    [4] https://www.virtru.com/blog/hitech-compliance-checklist-are-you-doing-enough-to-protect-yourself/

  7. Data breaches happen all the time regardless of the precautions a company takes; there are always people out there trying to get in to the systems. This case sounds like a ‘what if’ case and has no standing in the courts. There are ‘what ifs’ in every situation and if everyone tried to bring their hypothetical situation to court, the courts would be loaded down and the real issues would never be resolved. Though I don’t believe this case should be in court because there has been no injury, the concern is real and can be addressed outside of the court. With all of the regulations surrounding health care and the information it entails, I’m sure these questions have been discussed and are being addressed on the inside so these accidental leaks do not happen. Until such concern becomes a reality, there is no real solution beyond what is already being done.

  9. Shelby, your blog post was a very interesting read. This topic is controversial because under the requirements for Article III standing, it seems that in the case Dinerstein v. Google and the University of Chicago most people disagree that there is injury in fact. In my research to answer your questions, to the best of my knowledge, I believe it is being viewed too narrowly. I believe the class action could have Article III standing because the injury in fact is the violation of privacy under the Privacy Act of 1974 as well as the University of Chicago’s failure to obtain subjects’ consent under Appendix D: Application of the Privacy Rule to research databases and repositories needs further refining to align it with existing Common Rule requirements. (1) The Privacy Act of 1974 prevents unauthorized disclosure of personal information held by the federal government. A person has the right to review their own personal information, ask for corrections and be informed of any disclosures. (2) The University of Chicago is a public university therefore making it a government entity. The research that was conducted in collaboration with Google released "de-identified" information of real patients' medical history without the consent of said patients regardless of redacted personal identifiers, which potentially violated HIPAA’s requirements for researchers to seek consent for discrete future research. I do not believe it is reasonable that there are no civil remedies until actual injury occurs because in this case the violation of privacy is the injury in fact regardless of the potential and/or future fallouts of the information that was used without consent. Because online platforms are vital to the inner workings of today’s society, I do believe the Supreme Court should consider a broader view in terms of standing for privacy rights because it is easier to infringe on those rights today than any other point in history.

    (1) Hhs.gov. “Appendix D: Application of the Privacy Rule to Research Databases.” HHS.gov, 26 Apr. 2016, https://www.hhs.gov/ohrp/sachrp-committee/recommendations/2004-september-27-letter-appendix-d/index.html.

    (2) Sharp, Tim. “Right to Privacy: Constitutional Rights & Privacy Laws.” LiveScience, Purch, 12 June 2013, https://www.livescience.com/37398-right-to-privacy.html.

  10. That’s a great topic Shelby, and a tough one. On one hand, I would think that any reasonable person would be a little put off, if not downright furious at the thought of a medical provider or healthcare system releasing their personal, medical information – name or no name – to an entity like Google. Were it for strict medical research followed up with some sort of informed consent, I feel like that would be ethically acceptable, though even then, perhaps not to all. On the other hand, there seems to be an argument for a lack of injury to any identifiable party involved. We all know that our personal, online information is constantly being scrutinized and investigated, only by virtue of a click of consent in the policy script. Though I suppose even with that, we have given permission for the tech entity to match our names to our patterns of online utilization.
    I feel like Google’s argument may stand in court, but at what cost to consumer trust, and is that the only option for them to move forward with this “market research”? The injury in fact could arguably be somewhere in the realm of consumer betrayal, or of creating an online panic, setting a precedent for other companies to reach into records and sensitive, individual data and use it to their advantage and gain. If we don’t attempt to fight these kinds of corporate maneuvers, then where does it end? Is it feasible that companies like Google, could pick their way through enough civil suits, with their money, power and influence to protect them, that their exposure to litigation could become infallible, leaving the individual with no claim to their own experience, belief, and individuality?
    So is it reasonable that there is no civil remedy? No, it’s not, but is it something that the common person is equipped to battle in court? Sadly, I don’t think so and we are at great risk of that question becoming near impossible. So should the Supreme Court of the United States take a closer look at these kinds of issues of privacy rights of consumers? In the medical realm in which this case is based, absolutely they should. There is so much more that could be done by Google in good faith to gain the same outcome as them stealing sensitive medical information. They could reach out for a form of consent by a sample population of what they are seeking, or they could create an organization that is based on transparency and the legitimization of good research practice. But in the interest of public trust and power imbalance with these monolithic corporations, that are abusing their relationship with their customers, the Supreme Court could theoretically stop a boulder before it completely crushes the village.

  11. The blanket statement of “collecting data to improve the lives of patients” is debatable and was possibly used as a cover for any suspicious actions from University of Chicago Medical Center and Google. Then again I’m a pessimist so maybe looking at the facts would be best. According to the HIPAA Privacy Rule, “HIPAA authorizations provide consumers a way to understand and control their health information...Explain who is disclosing and receiving the information, what they are receiving, when the disclosure permission expires, where information is being shared, and why you are sharing it...The authorization must include specific terms and descriptions”. Although the medical center and Google claimed that the information distributed was not identifiable, patients could tell it was their information by the details of their treatments and notes by their providers, which is questionable. Patients don’t feel like they are in control of their health information, and didn’t know or understand what information was going to be distributed. How much personal information must a person release for the good of others is a hard question to answer. If we didn’t live in a world that was so negatively influenced by stigmatized health issues, maybe releasing health information to the public wouldn’t seem as detrimental. There are laws that protect individuals from discrimination but it doesn’t necessarily mean it works all the time. Although there was no injury to make this an official civil case, it does seem unfair still. As we continue to enter a world where everything has become digitized, a reevaluation of what privacy rights are should be implemented by the Supreme Court.


    http://www.healthcarebusinesstech.com/best-practices-to-secure-healthcare-data/