

In a ruling that could have broad ramifications for health data sharing, a federal judge has ruled that a patient complaining about a hospital sharing his health data without permission lacked standing because he suffered no loss.

The case arose out of University of Chicago Medical Center patient Matt Dinerstein’s concerns about the hospital’s arrangement with Google. The hospital and Google partnered to share thousands of de-identified patient records. At the heart of the initiative was a machine learning project using Google’s electronic medical records data. The objective was to improve healthcare outcomes, for instance reducing care complications.

In a suit filed last June, Dinerstein argued the arrangement violated HIPAA. The partners had not obtained consent to share data. Nor had they informed patients that they would be sharing their data.

A federal judge dismissed the suit last week. The court rejected Dinerstein’s arguments that his medical records had commercial value and that their appropriation was theft. Both the University of Chicago and Google argued that their data sharing practices were HIPAA compliant. And they contended that Dinerstein’s allegations of fraud and deceptive business practices were meritless since he had voluntarily shared his medical data.

The gist of the defendants’ argument was that Dinerstein offered no contractual or Common Law authority to support his contention that he had a legal interest in his personal health information (PHI). But even if he had, he could not show that their actions had diminished the value of any property interest. And finally, he had shown no pecuniary damages stemming from the alleged contractual breach.

Critics complained that the partnership enabled Google to access mammoth amounts of PHI without patient consent. The partners argued that the material was de-identified data. Critics countered that the ostensibly de-identified data contained physician notes and dates, thereby nullifying any de-identification. The issue implicated partnerships other than the one with University of Chicago. Google has similar arrangements with other partners.

Google has consistently maintained that its partnerships adhere to HIPAA mandates. The sole objective was to improve healthcare. Even so, unease with the practice has prompted Congress to ask whether it is time to update HIPAA in an age of Big Data and corona.

The court ultimately determined that the defendants had the better argument on procedural grounds. Without monetary harm, breach of contract would not confer standing.

“The alleged invasion of Plaintiff’s privacy is an injury in fact that can support his claim of intrusion upon seclusion,” the court suggested. “Dinerstein seems to suggest that the statutes at issue here—HIPAA and the MPRA—also create a legal interest in his health information… [but] has cited no authority supporting the proposition that HIPAA or the MPRA creates a property interest in health data.”

The court stressed that Congress had not created a private right of action for HIPAA. Dinerstein could not sidestep this by pursuing it as a breach of contract claim.

The decision raises three interesting implications for the future:

First, it ignores that personal data is bought and sold. A marketplace reflects value. And that is the PHI of regular citizens. Celebrities from Kim Kardashian to Prince have long dealt with insiders selling their PHI. UCLA paid $856,000 to resolve allegations that personnel sold Kardashian data. Other high-profile individuals such as Britney Spears, George Clooney, Farrah Fawcett, Drew Barrymore, Arnold Schwarzenegger, Tom Hanks, and Leonardo DiCaprio have also had their PHI sold.

Second, the court’s reasoning that PHI’s lack of economic value translates to the absence of Article III standing means that HIPAA violators are accountable only to regulators.

Third, the decision went against a state court trend we have previously analyzed: the principle that HIPAA sets the standard of care for privacy. Like any other tort claim, deviation from this standard of care that results in a loss of privacy is a cognizable injury that gives rise to a claim.

Only time will tell if the decision is an outlier or a harbinger of future HIPAA or privacy holdings. If federal and state courts adhere to their current courses, the outcomes of privacy lawsuits will hinge on the forum rather than the facts or legal theories presented.
