A new lawsuit against Google and the University of Chicago Medical Center alleges that researchers did not strip out date stamps or doctor's notes buried within hundreds of thousands of patient medical records, and that this information could be used to identify a patient.
The lawsuit shows a major challenge for Google and other large technology companies marching into health care. These companies are facing looming regulation from Washington and increased scrutiny about whether the proper steps have been taken to safeguard data, especially in how the company allows third-party marketers to target users with ads. It also faced an outcry when a U.K. government privacy watchdog said a hospital had illegally sent 1.6 million records to Google DeepMind for a new health care app.
In the wake of that, the company recently hired a health system executive, David Feinberg, to streamline its health efforts and create more unity among the various teams. Since Feinberg's hiring, several units have been folded into Google Health, including Deep Mind's health division, which was previously based in London. DeepMind has stressed that no patient data has been linked with Google products or services.
Google and the University of Chicago have been partnering since 2017 in research aimed at what they said would "create predictive models that could help prevent unplanned hospital readmissions, avoid costly complications and save lives."
The complaint was filed Wednesday on behalf of Matt Dinerstein, a patient with the University of Chicago Medical Center.
It argues that dates of service can be used to identify subjects, because "Google — as one of the most prolific data mining companies — is uniquely able to determine the identity of every medical record the University released."
In other words, because Google already knows people's location, their searches and their interests, theoretically that information could be used with dates of service to identify a specific individual.
It then accuses the university of consumer fraud and fraudulent business practices because it did not keep his private records confidential.
In a statement, Google said: "We believe our healthcare research could help save lives in the future, which is why we take privacy seriously and follow all relevant rules and regulations in our handling of health data. In particular, we take compliance with HIPAA seriously, including in the receipt and use of the limited data set provided by the University of Chicago."
The medical center said the lawsuit's claims are without merit.
"That research partnership was appropriate and legal and the claims asserted in this case are baseless and a disservice to the Medical Center's fundamental mission of improving the lives of its patients," a spokesperson said. "The University and the Medical Center will vigorously defend this action in court."
HIPAA, the federal privacy rule for health records and information, clearly outlines two methods for de-identifying data. One of them, the so-called "safe harbor" method, specifies that "all elements of dates," should not be shared, in order for a company to claim that the patient health information data is, in fact, de-identified. That includes dates of service, which the University of Chicago shared with Google.
There's another method, called "expert determination," where a statistician or other expert claims that it's unlikely that the data could be used to re-identify a person.
But there are times when health systems can transfer patient information.
Personal health information can be transferred between organizations as part of a so-called business associate agreement, said Lucia Savage, a health privacy lawyer with the digital health company Omada Health. These agreements ensure that personal health information is provided in a secure manner. And there are guidelines around the use of limited data sets in medical research.
That requires a company like Google to sign a data-use agreement with a health provider, and it specifies that really specific data like names and telephone numbers cannot be shared. In this case, Google would be required to safeguard the data, said David Harlow, a principal with The Harlow Group. And the lawsuit would need to prove that it did not.
But as tech companies march into health care, and see value in data, that could prompt debate about the proper uses of patient information. In some cases, that might mean more oversight of companies that sell it to third-parties or form collaborations with Big Pharma.
Ultimately, Google and other tech companies will need to determine whether they view their role in health as bolstering medical research to potentially save lives, or whether they will look to take advantage of the $3.5 trillion health-care sector in unforeseen ways.