Lawsuit accuses University of Chicago of sharing identifiable patient data with Google

Two years ago, the University of Chicago Medicine announced it was teaming up with Google to study ways to use electronic medical records to make discoveries that could improve the quality of healthcare.

The collaboration would focus on using machine-learning techniques to predict hospitalizations and identify instances where a patient’s health is declining, the University of Chicago announced in May 2017.

On Wednesday, the University of Chicago, its medical center and Google were sued in a potential class-action lawsuit accusing the hospital of sharing with the tech giant hundreds of thousands of patient records that retained identifiable date stamps and doctors' notes.

The lawsuit was filed by Chicago-based law firm Edelson PC in the United States District Court for the Northern District of Illinois, on behalf of a former University of Chicago Medical Center patient, with the goal of expanding it into a class-action lawsuit if other patients come forward.

According to the lawsuit, UChicago patient Matt Dinerstein was admitted to the hospital for two stays in June 2015. The lawsuit claims that UChicago disclosed Dinerstein's confidential medical information to Google and that the hospital did not "properly de-identify the patient's medical health records and included date stamps associated with his procedures as well as free-text notes from his doctors and nurse."

Both Google and UChicago have said the collaboration only involved de-identified data from medical records. The data-sharing collaboration involved patients seen at UChicago from 2009 to 2016.

"Publicly, Google and the University touted the security measures used to transfer and store these records, along with the fact that they had been 'de-identified.' In reality, these records were not sufficiently anonymized and put the patients’ privacy at grave risk," the lawsuit states.

Partnerships between health systems and tech companies are becoming fairly common as the healthcare industry pushes forward to use data analytics and machine learning to improve clinical diagnosis and better predict disease. Other hospitals like Stanford University and the University of California, San Francisco, have also struck deals with Google.

The lawsuit underscores concerns about patient privacy and could potentially raise issues about the use of patient data in these research projects.

"An implied question seems to be whether data can truly be de-identified at this point in time, especially when provided to a big tech company like Google. However, HIPAA does have clear standards on how to de-identify information, and if those are followed, then the data are de-identified," Matthew Fisher, a partner with Boston-based law firm Mirick O’Connell, said.

As healthcare providers and tech companies continue to work together, the key is to know the specific details of every situation and then analyze the facts to determine how HIPAA applies and what it will require, Fisher said.

A spokesperson for UChicago’s medical center said the claims in the lawsuit are without merit. "The University of Chicago Medical Center has complied with the laws and regulations applicable to patient privacy," the spokesperson said.

UChicago's research partnership was "appropriate and legal," the hospital spokesperson said. "The claims asserted in this case are baseless and a disservice to the Medical Center’s fundamental mission of improving the lives of its patients. The University and the Medical Center will vigorously defend this action in court."

A Google spokesman said in a statement, "We believe our healthcare research could help save lives in the future, which is why we take privacy seriously and follow all relevant rules and regulations in our handling of health data. In particular, we take compliance with HIPAA seriously, including in the receipt and use of the limited data set provided by the University of Chicago."

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule does permit healthcare organizations to disclose a limited data set for the purposes of research and as part of a data use agreement, as outlined by the National Institutes of Health.

A limited data set is described as health information that excludes certain direct identifiers such as name, postal address, Social Security number and medical record number but can include city, state and ZIP code and elements of date, such as admission and discharge dates, according to the NIH.

This limited data set can be shared for research purposes without an individual's authorization, according to the NIH.

The data was also used in a study conducted by UChicago, Google, the University of California, San Francisco and Stanford University to build software models that could accurately predict unplanned readmissions to the hospital, prolonged length of stay and discharge diagnoses. That study, published last year in npj Digital Medicine, analyzed "de-identified" EHR data from more than 216,000 patients seen at either UChicago or the University of California, San Francisco.

But Jay Edelson, founder of Edelson PC, said in a statement that the sharing of identifiable data constitutes a breach.

"We believe that not only is this the most significant health care data breach case in our nation’s history, but it is the most egregious given our allegations that the data was voluntarily handed over by one of the most trusted hospitals in the country to the largest data miner in the world," he said. Edelson's law firm specializes in class actions against technology companies for privacy violations, according to The New York Times.

The lawsuit also claims that Google has the ability to reidentify patients due to its access to public and nonpublic information and its ability to collect information from consumers through its Android smartphone and geolocation data through apps like Google Maps and Waze.

"Google—as one of the most prolific data mining companies—is uniquely able to determine the identity of almost every medical record the University released," the lawsuit states.

The lawsuit claims that this ability is only increased by and through Google’s direct subsidiary, DeepMind, an international leader in artificial intelligence and machine learning.

"Google’s access to DeepMind’s technology allows it to find connections between various data points, i.e., from EHRs and Google users’ data," the lawsuit states.

Google's DeepMind, a London-based artificial intelligence lab owned by Google’s parent company, Alphabet, has faced scrutiny over a controversial patient data-sharing arrangement with Britain's National Health Service. In 2016, DeepMind was accused of violating patient privacy after it struck a deal with the NHS to process medical data for research, according to the New York Times.

The group inside DeepMind that acquired the data from NHS has since been transferred to Google, which has raised additional complaints from privacy advocates in Britain. DeepMind had previously said data would never be shared with Google, the New York Times reported.

The Department of Veterans Affairs is partnering with Google’s DeepMind to analyze patient records and build a model that can predict when a patient's condition is deteriorating.

Google also appears to have plans to develop its own EHR for clinicians that gathers patients’ medical records and then leverages machine learning to predict clinical outcomes, according to a patent application published by the U.S. Patent and Trademark Office back in February.

Finally, the lawsuit alleges that UChicago did not notify its patients, "let alone obtain their express consent before turning over their confidential medical records to Google for its own commercial gain" and also "engaged in a cover-up to keep the breach out of the public eye so as to avoid the public backlash."