United States: NDIL Opinion Tossing Patient Privacy Class Action Offers Lessons Learned On Using De-identified Data

Last month, the U.S. District Court for the Northern District of Illinois dismissed a lawsuit brought by Matt Dinerstein, on behalf of a class, against The University of Chicago and The University of Chicago Medical (collectively "the University") and Google for allegedly violating federal and state health privacy laws. The Court found that Dinerstein lacked standing to pursue one claim and failed to state a claim upon which relief can be granted.

The University and Google partnered to research and develop artificial intelligence products designed to create predictive health models aimed at reducing hospital readmissions and anticipating future medical events. As part of this research, the University transferred "de-identified" electronic health records of all adult patients who were treated at the University from 2010 to 2016 to Google.

However, Dinerstein alleged that the "de-identified" information was not adequately redacted or anonymized, and therefore put patient privacy at risk. The information included patient demographics, dates of service, provider notes, diagnoses, procedures, medications, laboratory values, vital signs, and flowsheet data from all inpatient and outpatient encounters. The plaintiff asserted that this information, when coupled with the vast information Google already collects, such as detailed geolocation information, can easily be combined to identify the patients associated with the health records. There were no allegations, however, that Google used its extensive data to re-identify any records.

Dinerstein Did Not Adequately Allege Money Damages to Establish Standing for the Consumer Fraud Claim, But Alleging Bare Violations of Contract and Privacy Rights Were Sufficient

To establish Article III standing, Dinerstein was required to demonstrate that: (1) he suffered an injury in fact that is concrete, particularized, and actual or imminent; (2) the injury was caused by the defendant; and (3) the injury would likely be redressed by the requested judicial relief. He identified breach of contract, invasion of privacy, and theft of his medical information as injuries in fact arguing they have "commercial value."

The court held that alleging a breach of contract without actual damage-while a close call-was enough to confer standing. Further, the court found that alleging any invasion of privacy-regardless of the magnitude of harm-was sufficient to confer standing. Of note, however, the court stopped short of adopting plaintiff's argument that HIPAA creates a property interest in health data. 

The court, however, held that Dinerstein failed to allege injuries sufficient under the Illinois Consumer Fraud and Deceptive Business Practices Act because the plaintiff failed to establish that he suffered an actual loss.¹ Here, Dinerstein's only argument was that, had he known about the University's privacy practices, he may have gone to a different hospital or paid less for his treatment. The Seventh Circuit has rejected this theory of "overpayment."²

Dinerstein Did Not Adequately Allege Money Damages to Establish Standing and State a Claim

The court then turned to the question of whether Dinerstein was able to state a claim for the contract, business tort, and privacy claims.

For the contract claims, the court first agreed with the plaintiff that while HIPAA lacks a private right of action, a contract requiring the party to be "in compliance with" federal law can rely upon HIPAA provisions to define the claim. The court noted that HIPAA safe harbors permit the disclosure of medical information when using a limited data set for research or when such disclosure is approved by an Institutional Review Board. Dinerstein, however, did not plead that the University and Google failed to comply with these provisions.  However, Dinerstein's allegations did meet the pleading standard for the unauthorized "selling" of protected health information because even indirect non-monetary compensation-in this case, a license to use Google's training models and predictions for "internal non-commercial research purposes"-constitutes a sale under HIPAA. 

Similar to the lack of standing reasoning, however, the court dismissed the plaintiff's breach of contract claim concluding that "none of his theories for money damages is adequate." The court reiterated that the "overpayment" theory is not a cognizable measure of damages in Illinois. Further, there is no property right in the use of PHI, so his claimed entitlement to a "reasonable royalty" failed. The court further stated that "[a]t most, his allegation suggests that some indeterminate amount of the price he paid for his treatment represents the cost of the University's privacy practices. This court agrees with others that have found such allegations to be insufficient."

The court also tossed the tortious interference with a contract claim against Google and the intrusion upon seclusion claim against both parties, concluding that the plaintiff did not sufficiently plead either claim. 

Lessons Learned from Dinerstein

1. Consider HIPAA's De-Identification Standards and Whether to Use An Expert Determination to Stave Off Litigation

Data that has been "de-identified" is not considered PHI and is not subject to the limitations set forth for PHI under HIPAA. De-identified information "does not identify an individual" and "there is no reasonable basis to believe that the information can be used to identify an individual."³ Information can be de-identified in two ways.

A covered entity may have an expert determine that health information is not individually identifiable. The expert should have "appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable" and should evaluate whether "the risk is very small that the information could be used, alone or in combination with other reasonably available information" to identify the individual.⁴ Alternatively, a covered entity can take advantage of the "safe harbor" by removing specific identifiers, provided the covered entity does not have actual knowledge that the information could be used to re-identify an individual. 

To reduce the risk of litigation, we suggest covered entities implement either the Expert Determination or Safe Harbor methods for de-identification. If your organization is implementing the Safe Harbor method, we recommend that parts or derivatives of any of the listed identifiers-e.g., a data set that contains patient initials or the last four digits of the SSN-are not disclosed. Additionally, in general, dates that are not permitted for disclosure, such as date of service, must not include the day, month, and any other information that is more specific than the year of the event. The court cited to the inclusion of "dates of service" in concluding that the data had not been de-identified under the Safe Harbor.  

2. Take Appropriate Care In Drafting Agreements, Consents, and Notices In Light of HIPAA's Prohibitions

Another lesson to take away from Dinerstein is that language in the documents sometimes viewed as perfunctory matter matters. Although the matter was presented on a motion to dismiss, the court walked through the contents of the notice of privacy practices (NPP), informed consent form, and the Data Use Agreement between the University and Google (the "DUA") in detail. 

Accordingly, parties looking to transfer data should thoughtfully draft data use agreements that set parameters on the use and transfer of data. Although not determinative, the court cited favorably several provisions in the data use agreement between the University and Google to govern the data sharing relationship and ensure adequate procedures and protections were implemented in connection with the data transfer. Provisions directly addressing relied-upon exceptions to HIPAA should be considered.
In addition, an informed consent that affirmatively authorized the sale of PHI would have been sufficient to meet the HIPAA requirements. Companies should broadly consider future uses of data and collect consents for those uses, regardless of whether the use is current or impending.

The same care should be taken in drafting NPPs. In evaluating the contours of the University's promise to obtain Dinerstein's written permission for the sale of PHI, the court evaluated the NPP that stated that the University would obtain written permission for the sale of medical information. Specifically, they considered whether the NPP should be "interpreted to be consistent with, or more or less stringent than, the HIPAA Privacy Rule?" The court found that, because the NPP contained promises that went beyond its obligations under HIPAA, its language was enforceable. Consider clarifying in your NPP that it should be read to be consistent with HIPAA and create no additional obligations or more closely tracking the HIPAA language to take advantage of any exceptions under HIPAA.  

3. Litigants Should Continue to Focus Their Arguments on Allegations of Harm and Damages

Lastly, the plaintiff's failure to convince the court that the challenged conduct resulted in harm that was recognized by the case law ultimately resulted in dismissal of the lawsuit. First, the court dismissed the consumer fraud claim because the plaintiff was unable to assert the type of damages that are required to show a cognizable harm under the law. Second, the court found that the disclosure of information implicated no violation of property rights and that overpayment for medical services is not a viable damages theory. We can expect the theories of damages to continue to evolve, with courts presented with novel arguments trying to assert that the disclosure of private information caused damages that can be remedied under the law. Litigants should continue to challenge these arguments in court, as thus far they have been fairly successful in privacy litigation and data breach litigation.

Footnotes

1 Benson v. Fannie May Confection Brands, Inc., 944 F.3d 639, 641 (7th Cir. 2019).

2 Remijas vs. Neiman Marcus Group, LLC, 794 F. 3d 688, 695 (7^th Cir. 2015).

3 45 C.F.R. § 164.514(a).

4 45 C.F.R. § 164.514(b).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.