Health data is an increasingly fraught area of privacy. Outside of sectoral health privacy laws like HIPAA, many regulations such as the GDPR and the California Privacy Rights Act (CPRA) rightly treat health or biometric information as a sensitive or special category of data deserving of more protections than many other types of data.
The amount of electronic health data collected by companies is also increasing at a staggering rate. DNA testing kits and wearable fitness trackers are everywhere, and telehealth has proliferated in the wake of COVID-19.
Healthcare data controllers are now just as likely to be big tech companies as traditional covered entities. Consequently, courts need to consider a variety of privacy frameworks, not just HIPAA and HITECH, when they adjudicate healthcare claims.
In September 2020, the U.S. District Court for the Northern District of Illinois dismissed a lawsuit brought against the University of Chicago and the University of Chicago Medical Center (collectively referred to as “the University”) and Google for allegations that the University improperly disclosed healthcare data to Google as part of a research partnership. Dinerstein v. Google, LLC, No. 19-cv-04311 (N.D. Ill. 2020).
Even though the University and Google were able to shake off this lawsuit, this case touched upon several interesting questions at the intersection of HIPAA and other privacy laws:
- What counts as standing under HIPAA-related actions?
- What is sufficient notice to share data under HIPAA?
- Can HIPAA privacy notices sustain a breach of contract action?
- What is de-identified protected health information (PHI)?
- What is the relationship between HIPAA and other privacy laws like CCPA/BIPA?
Plaintiff Matt Dinerstein stayed as a patient on two separate occasions at the University’s medical center in 2015. During his visits, the University maintained health records for Plaintiff, which included information on his demographic data, vital signs, diagnoses, procedures, and prescriptions.
In 2017, Google partnered with the University to engage in machine learning research on patient health predictions. As part of this partnership, the University transferred electronic health records (“EHRs”) to Google pursuant to a Data Use Agreement (“DUA”). In exchange for the University’s EHR data, the DUA gave the University a perpetual license to use the models and predictions developed by Google’s machine learning research.
The EHRs that the University provided to Google included patients’ “dates of service” as well as “free-text medical notes,” which Plaintiff alleged were a prima facie violation of HIPAA. Since HIPAA does not provide a private right of action, the Plaintiff in Dinerstein sued on a breach of contract claim based on agreements that he signed upon admission to the University. These agreements included, for instance, an Admission and Outpatient Agreement and Authorization that stated:
“I understand that all efforts will be made to protect my privacy and that any use of my medical information will be in compliance with federal and state laws, including all laws that govern patient confidentiality, and the University of Chicago Medical Center Notice of Privacy Practices.”
Plaintiff was also presented with a Notice of Privacy Practices that stated:
“We will not use or share your medical information for any reason other than those described in this Notice without a written authorization signed by you or your personal representative.”
Plaintiff alleged that the University breached these agreements when the University shared Plaintiff’s EHRs with Google but failed to properly redact patient service dates and free-text medical notes from the EHRs.
In response, Defendants filed to dismiss on the basis that Plaintiff (1) lacked standing and (2) failed to state a claim for relief.
Standing – Did Plaintiff Suffer an Injury Caused by Defendant?
Article III standing requires that a plaintiff demonstrate a particularized injury caused by the defendant that would be sufficiently redressed by the lawsuit. See Lujan v. Defs. of Wildlife, 504 U.S. 555 (1992).
Standing is a vital threshold issue in most privacy litigation, determinative of whether the plaintiff(s) may continue to bring their claim or whether it is dismissed. The question courts ask to determine standing in the privacy context is,
“[W]hen is a consumer actually harmed by a data breach—the moment data is lost or stolen, or only after the data has been accessed or used by a third party? As the issue has percolated through various courts, most have agreed that the mere loss of data—without evidence that it has been either viewed or misused—does not constitute an injury sufficient to confer standing.” In re Science Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 19 (D.D.C. 2014).
In contrast to this majority view, the court in Dinerstein relied on a Seventh Circuit opinion to determine the issue of standing in the context of a breach of contract claim:
“When one party fails to honor its commitments, the other party to the contract suffers a legal injury sufficient to create standing even where that party seems not to have incurred monetary loss or other concrete harm.” J.P. Morgan Chase Bank, N.A. v. McDonald, 760 F.3d 646, 650–51 (7th Cir. 2014).
The court reasoned that, although Plaintiff could not claim any monetary losses or concrete harms, Plaintiff was able to show an injury-in-fact by alleging a breach of contract for the promises that the University made in Plaintiff’s admission agreements. Since Plaintiff adequately alleged the existence of a contract and identified the terms that were supposedly breached, Plaintiff had the requisite standing to bring suit.
Breach – Did Defendants’ HIPAA Privacy Notices Constitute a Breach of Contract?
In order to state a claim for a breach of contract, a plaintiff needs to show that a contract actually existed and that it was breached.
With regard to the University’s contractual promises to comply with federal laws governing patient confidentiality, the court found that Plaintiff sufficiently pleaded a HIPAA violation in breach of the University’s admission agreements. Under the HIPAA Privacy Rule, the sale of a patient’s PHI requires the patient’s written authorization.
The court reasoned that Plaintiff’s data could be accurately categorized as PHI because the University failed to remove all identifying elements from the data, such as admission and discharge dates. It further found the PHI was subject to a “sale” because the DUA granted the University a “nonexclusive, perpetual license to use the Trained Models and Predictions” created by Google “for internal non-commercial research purposes,” which qualified as direct or indirect remuneration. The court noted that HIPAA confirms that “remuneration” does not refer only to payments of money. Accordingly, the court found that the University had breached its admission agreements with Plaintiff regarding Plaintiff’s patient privacy and promises to seek consent prior to sale of PHI.
Damages – Could Plaintiff Recover Economic Damages?
Typically, to recover on a breach of contract claim, the plaintiff must allege an injury that can be made whole by an award of economic damages.
Illinois generally does not recognize emotional distress damages for breaches of contract. Thus, the court declined to treat non-economic damages such as emotional distress as valid damages sufficient to satisfy a breach of contract claim.
In the alternative, Plaintiff advanced theories of money damages: that a portion of his payment for treatment at UCMC represented the “cost of privacy” for which he did not receive the benefit, or that he was owed royalties for the use of his health information. The court found that none of Plaintiff’s theories of money damages were adequate. Although Plaintiff was able to establish standing as a threshold issue even without showing any monetary loss or other concrete harm, he could not make a case for damages sufficient to support a breach of contract claim. Accordingly, the court granted Defendants’ motions to dismiss for failure to state a claim for relief for breach of contract.
What Counts as De-identified PHI?
Though this case was decided on the court’s finding that Plaintiff lacked damages to support a breach of contract claim, it is worth briefly discussing the role that de-identification of HIPAA data played in the court’s decision.
The U.S. Department of Health and Human Services outlines two acceptable methods of de-identification under HIPAA: the “safe harbor” and “expert determination” methods. Under the safe harbor method, 18 identifiers must be removed from health data, such as names and dates (birthdays, admission/discharge dates). Otherwise, under the expert determination method, an expert must determine that the risk of re-identification is very small.
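To make the field-level safe-harbor check concrete, here is an added example that is not part of the case or the court’s opinion. It removes or generalizes a subset of the 18 safe-harbor identifiers (names, dates other than year, ages over 89) from a constructed EHR record and reports which identifiers remain; the field names, the sample record and the choice to treat free-text notes as an automatic failure are assumptions of the example.

```python
import re
# Constructed field names mapped to safe-harbor identifier categories (a
# subset of the 18 in 45 CFR 164.514(b)(2)): names, dates and ages.
NAME_FIELDS = {"patient_name"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}
FREE_TEXT_FIELDS = {"notes"}     # free text can embed any identifier at all
MAX_AGE = 89                     # ages over 89 are aggregated into one category
YEAR_ONLY = re.compile(r"^\d{4}$")

def year_only(value: str) -> str:
    """Keep only the year of an ISO date ('2015-03-14' -> '2015')."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", value)
    if not m:
        raise ValueError(f"unexpected date format: {value!r}")
    return m.group(1)

def residual_identifiers(record: dict) -> list[str]:
    """List fields that still carry a safe-harbor identifier (empty = passes)."""
    # Free text is always reported: it cannot be cleared by field name alone,
    # so a record that keeps it needs the expert-determination route instead.
    found = []
    for field in sorted(record):
        value = record[field]
        if field in NAME_FIELDS or field in FREE_TEXT_FIELDS:
            found.append(field)
        elif field in DATE_FIELDS and not YEAR_ONLY.match(str(value)):
            found.append(field)
        elif field == "age" and isinstance(value, int) and value > MAX_AGE:
            found.append(field)
    return found

def safe_harbor_redact(record: dict) -> dict:
    """Return a copy with the handled identifier categories dropped or generalized."""
    out = {}
    for field, value in record.items():
        if field in NAME_FIELDS or field in FREE_TEXT_FIELDS:
            continue                           # drop names and free text outright
        if field in DATE_FIELDS:
            out[field] = year_only(value)      # all elements of dates except year
        elif field == "age" and isinstance(value, int) and value > MAX_AGE:
            out[field] = "90+"                 # aggregate ages over 89
        else:
            out[field] = value                 # vitals, diagnoses, procedures stay
    return out

SAMPLE_EHR = {  # constructed record mirroring the allegations: service dates and notes kept
    "patient_name": "Jane Example", "birth_date": "1960-07-04",
    "admission_date": "2015-03-14", "discharge_date": "2015-03-17",
    "age": 54, "diagnoses": ["I10"],
    "notes": "Pt reports headache; spouse John visited.",
}
```

Running `residual_identifiers(SAMPLE_EHR)` flags the admission and discharge dates and the notes, which is the shape of the defect alleged in Dinerstein; after `safe_harbor_redact` the same check returns an empty list.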
In this case, Plaintiff argued that sharing EHRs and free-text medical notes with Google, with allegedly improper redaction of medical information, would have failed an expert determination.
Because the case was resolved at the dismissal stage, the court did not reach the factual question of whether Google would in fact have combined multiple data sets to re-identify any health data it received from the University. Had the case gone past the dismissal stage, it would have been interesting to see the court decide whether the information provided to Google was adequately de-identified.
De-identification receives close scrutiny because advances in machine learning and artificial intelligence techniques make it possible to re-identify previously de-identified data sets by combining them with separate data sets. One study found that de-identified data collected from wearable trackers could be accurately re-identified in certain cases for up to 80% of children and 95% of adults.
In this case, Google may well have been able to re-identify the data sets it received from the University. Given that Plaintiff used a smartphone with Google applications able to accurately pinpoint his geolocation throughout his stay as a patient at the University’s medical center, it is plausible that Google could have combined the information it received from the University with other data it held.
Theoretical Application Under CCPA
Although the CCPA provides an exemption for health data governed by HIPAA (Cal. Civ. Code § 1798.145(c)), it may be illuminating to compare how this case would have turned out under a suit alleging violations of CCPA. This is because arguably only health data collected by covered entities is exempt from CCPA—other data may not be exempt, such as marketing data collected by a hospital or, on the other hand, biometric data captured by a FitBit through its fitness tracker or Facebook vis-à-vis its facial recognition photo tagging features.
The CCPA provides not only a private right of action, but also statutory damages of $100 to $750 per consumer per violation in a lawsuit. The statutory damages provided for in the CCPA mean that there is no need for a showing of actual damages. A consumer would not need to show they suffered any harm from a company disclosing their information—they would need only to show that their nonencrypted or nonredacted personal information was breached due to inadequate security safeguards.
A class action brought on behalf of certified class members at $100 to $750 per violation regardless of actual damages means that violations involving hundreds of thousands to millions of records can quickly morph into multi-million-dollar headaches.
Outside of CCPA, the Illinois Supreme Court also held that plaintiffs may pursue claims under the Biometric Information Privacy Act (BIPA) with “no need to allege actual injury.” Rosenbach v. Six Flags Entertainment Corp., 129 N.E.3d 1197 (Ill. 2019). Since both CCPA and BIPA allow claims without the need to prove injury-in-fact, they can be said to confer standing. In this way, newer privacy laws appear to be signaling a trend toward reducing the plaintiff’s burden to bring suit.
Note, however, that Article III standing in federal court is not automatically conferred whenever there is a statutory right; plaintiffs must still prove a concrete injury-in-fact. See Patel v. Facebook, Inc., 932 F.3d 1264, 1270 (9th Cir. 2019) (quoting Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1549 (2016), as revised (May 24, 2016) (Spokeo I)). However, certain circuits, including the Ninth Circuit, have recognized an invasion of privacy rights as a concrete harm, particularly in the context of BIPA and the capture of an individual’s biometric data. Patel, 932 F.3d at 1274.
The good news for companies is that the court in Dinerstein reaffirmed that companies may share data after collecting affirmative consent.
The bad news is that HIPAA privacy notices can support breach of contract claims. This means that despite the fairly common practice of copying and pasting documents from other sources, companies must closely scrutinize their external and internal policies to ensure that the written policies accurately align with the company’s actual practices—or risk facing a claim of breach of contract. Finally, given the trend of privacy laws that allow consumers to recover without a showing of actual damages, a company’s legal defense may be less able to rely on arguments for dismissal based on plaintiffs’ lack of standing for failure to demonstrate injury-in-fact.