Posted on Leave a comment

HIPAA, Google, and Article III Standing, With a Nod to Kim Kardashian

Google Shidonna Raven Garden and Cook

Saad GulMichael Slipsky, Poyner Spruill LLP+ Follow 

In a ruling that could have broad ramifications for health data sharing, a federal judge has ruled that a patient complaining about a hospital sharing his health data without permission lacked standing because he suffered no loss.

The case arose out of University of Chicago Medical Center patient Matt Dinerstein’s concerns about the hospital’s arrangement with Google. The hospital and Google partnered to share thousands of de-identified patient records. At the heart of the initiative was a machine learning project using Google’s electronic medical records data. The objective was to improve healthcare outcomes, for instance reducing care complications.

In a suit filed last June, Dinerstein argued the arrangement violated HIPAA. The partners had not obtained consent to share data. Nor had they informed patients that they would be sharing their data.

A federal judge dismissed the suit last week. The court rejected Dinersteins arguments that his medical records had commercial value, and their appropriation was theft. Both the University of Chicago and Google argued that their data sharing practices were HIPAA compliant. And they contended that Dinerstein’s allegations of fraud and deceptive business practices were meritless since he had voluntarily shared his medical data.

The gist of the defendants’ argument was that Dinerstein offered no contractual or Common Law authority to support his contention that he had a legal interest in his personal health information (PHI). But even if he had, he could not show that their actions had diminished the value of any property interest. And finally, he had shown no pecuniary damages stemming from the alleged contractual breach.

Critics complained that the partnership enabled Google to access mammoth amounts of PHI without patient consent. The partners argued that the material was deidentified data. Critics countered that the ostensibly deidentified data contained physician notes and dates, thereby nullifying any deidentification. The issue implicated partnerships other than the one with University of Chicago. Google has similar arrangements with other partners.

It has consistently maintained that its partnerships adhere to HIPAA mandates. The sole objective was to improve healthcare. Even so, unease with the practice has prompted Congress to query if it is time to update HIPAA in an age of Big Data and corona.

The court ultimately determined that the defendants had the better argument on procedural grounds. Without monetary harm, breach of contract would not confer standing.

“The alleged invasion of Plaintiff’s privacy is an injury in fact that can support his claim of intrusion upon seclusion,” the court suggested. “Dinerstein seems to suggest that the statutes at issue here—HIPAA and the MPRA—also create a legal interest in his health information… [but] has cited no authority supporting the proposition that HIPAA or the MPRA creates a property interest in health data.”

The court stressed that Congress had not created a private right of action for HIPAA. Dinerstein could not sidestep this by pursuing it as a breach of contract claim.

The decision raises three interesting implications for the future

First, it ignores that personal data is bought and sold. A marketplace reflects value. And that is regular citizen PHI. Celebrities from Kim Kardashian to Prince have long dealt with insiders selling their PHI. UCLA paid $856,000 to resolve allegations that personnel sold Kardashian data. Other high profile individuals such as Britney Spears, George Clooney, Farrah Fawcett, Drew Barrymore, Arnold Schwarzenegger, Tom Hanks, and Leonardo DiCaprio have also had their PHI sold.

Second, the court’s reasoning that PHI’s lack of economic value translates to the absence of Article III standing means that HIPAA violators are accountable only to regulators.

Third, the decision went against a state court trend we have previously analyzed: the principle that HIPAA sets the standard of care for privacy. Like any other tort claim, deviation from this standard of care that results in a loss of privacy is a cognizable injury that gives rise to a claim.

Only time will tell if the decision is an outlier or a harbinger of future HIPAA or privacy holdings. If federal and state courts adhere to their current courses, the outcomes of privacy lawsuits will hinge on the forum rather than the facts or legal theories presented.

How are your medical records being shared? Do you know? How would you prefer your medical records to be shared? Do you doctors know? How can this impact the care they give you? How can a breach or sharing of your medical records impact your health outcomes?

Share your comments with the community by posting them below. Share the wealth of health with your friends and family by sharing this article with 3 people today. As always you are the best part of what we do. Keep sharing!

If these articles have been helpful to you and yours, give a donation to Shidonna Raven Garden and Cook Ezine today.

Posted on Leave a comment

Yes, Google’s using your healthcare data – and it’s not alone

Google Shidonna Raven Garden and Cook

There’s a multi-billion dollar industry built around collecting healthcare data and anonymizing it so it can be used for research; it’s perfectly legal.

Source: Computer World
By Lucas Mearian
Senior Reporter, Computerworld | NOV 15, 2019 9:49 AM PST
Featured Photo Source: Unsplash, Mitchell Luo

Google is working with one of the largest healthcare systems in the U.S. to collect patient data on millions of Americans in 21 states and across 2,600 hospitals or clinics in order to analyze it and come up with advice for better patient care and cost cutting measures.

The project was reportedly revealed by a whistleblower who said the program, dubbed “Project Nightingale,” involved Ascension – the largest Catholic health system in the world – and up to 50 million private medical records from healthcare providers.

It wasn’t Google’s only public controversy this week. Shortly after its deal with Ascension became public, The Washington Post reported that the National Institutes of Health (NIH) stopped the tech giant from posting more than 100,000 human chest x-rays.

Although the x-rays were part of a 2017 joint project with the NIH, the government agency discovered some of the images contained personally identifiable information of patients.

As for its deal with Ascension, Google said it had revealed plans to use its cloud data analytics to cull information from Ascension’s patient data during a Q2 earnings call in July, though “Project Nightingale” was never mentioned during that call. “We announced ‘Google Cloud’s AI and ML solutions are helping healthcare organizations like Ascension improve the healthcare experience and outcomes,'” Google Cloud President Tariq Shaukat said in a blog post.

“Our work with Ascension is exactly that – a business arrangement to help a provider with the latest technology, similar to the work we do with dozens of other healthcare providers, Shaukat wrote. The list of care providers and healthcare records tech  companies includes the Cleveland Clinic, the American Cancer Society, McKesson and Athena.

Shaukat said Google has a Business Associate Agreement (BAA) with Ascension, which governs access to Protected Health Information (PHI) for the purpose of helping providers support patient care.

“This is standard practice in healthcare, as patient data is frequently managed in electronic systems that nurses and doctors widely use to deliver patient care,” Shaukat said.

No matter how well intentioned the project’s overseers say it is, the collection of private medical data has raised the ire of patients and lawmakers who have called for a federal inquiry into the practice.

The Office for Civil Rights in the Department of Health and Human Services “will seek to learn more information about this mass collection of individuals’ medical records to ensure that HIPAA protections were fully implemented,” the office’s director, Roger Severino, said in a statement.

Third parties compiling patient data is not only common among healthcare providers and analytics tech firms, it’s perfectly legal – as long as patients have given consent by signing a common HIPAA form. And, wittingly or not, most have done so, according to Cynthia Burghard, a research director at IDC.

“Databases of this size are not uncommon,” Burghard said. “On face value, I don’t see an issue. They [Google] signed the HIPAA compliant document for business associate arrangements. So, they complied with the law there. When you go to a healthcare provider’s office as a patient, you sign a HIPAA release form, which allows the institutions to use your data for medical research or improved care management; so there is patient consent there.

“That said, long term can you trust Google or any high-tech company … who’s used to monetizing assets to not do something bad?” Burghard said.

Many healthcare providers are storing patient data for analytics purposes in a cloud somewhere, whether it’s Amazon Web Services, Microsoft’s Azure or Google Cloud.

In September, controversy around patient privacy erupted when Google acquired the health division of London-based AI firm DeepMind, which built a healthcare app used to give clinicians at National Health Service [NHS] hospitals easy access to medical records. DeepMind’s Streams app was already controversial after a UK privacy watchdog found the NHS had illegally handed 1.6 million patient records to DeepMind as part of a trial.

Last year, Amazon, JPMorgan and Berkshire formed a partnership to create a private healthcare company aimed at lowering the cost of care.

According to Adam Tanner, author of the book “Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records,” businesses that have nothing to do with medical treatment are allowed to buy and sell healthcare data, provided they remove certain fields of information, including birth date, name and Social Security number.

The guidelines, outlined in U.S. HIPAA rules, have allowed a multi-billion-dollar market  in anonymized patient data to emerge in recent years, with data-mining firms collecting dossiers on hundreds of millions of patients, according to Tanner. A growing number of data scientists and healthcare experts say the same computing advances that allow the aggregation of millions of anonymized patient files into a dossier also make it increasingly possible to re-identify those files — that is, to match identities to patients.

An earlier study by Carnegie Mellon University showed how anonymized U.S. Census data could uniquely, or nearly uniquely, identify some individuals simply by combining a few characteristics found in populations.

“Clearly, data released containing such information about these individuals should not be considered anonymous. Yet, health and other person-specific data are publicly available in this form,” said Latanya Sweeney, the report author and director of the Data Privacy Lab at Carnegie Mellon University.

The healthcare information, stripped of basic personal identifiers is sold off to researchers, drug developers, marketers and others. Medical informatics companies, such as Iqvia (IMS Health), Optum, and Symphony Health reap the profits of selling the healthcare data while the people from whom it’s collected have no control over how it’s used. Nor do they get any compensation for it.

Last year, start-up partnered with IBM to develop a blockchain-based electronic ledger that gives consumers the cryptographic key to their personal data, even allowing patients or others to control the specific purpose for which it’s used, while also allowing them to eventually profit from it.

In 2015, IBM launched its Watson Health global analytics cloud to enable healthcare providers and researchers to upload and analyze patient data for greater insights into trends and to “improve individual and overall patient outcomes.” The next year, IBM bought Truven Health Analytics for $2.6 billion, adding a trove of previously amassed patient data to its collection. It was IBM’s fourth major health data-related acquisition since launching the Watson Health unit.

At the time of the Truven buyout, IBM Health announced it had healthcare data on “approximately 300 million patient lives,” most from the U.S.

When IBM bought Truven, it got tens of millions of records and years of [health insurance] claims data “they could monetize by selling analysis and reports and access to your claims data,” Burghard said.

In the same way, Google’s cloud analytics platform uses AI and machine learning to process patient data and deliver potential best practices for care and cost savings.

Amazon, Apple, Microsoft and other tech giants are also entering the healthcare arena, either with applications that enable access to patient electronic healthcare records, or with their own in-house healthcare programs.

Earlier this year, pharmacy giant CVS and its healthcare insurance subsidiary, Aetna, released an app that lets members opt-in to sharing their EMRS with Apple’s health service; in turn, Apple will offer Apple Watch wearers personalized fitness and health goals.Related: 

Senior Reporter Lucas Mearian covers financial services IT (including blockchain), healthcare IT and enterprise mobile issues (including mobility management, security, hardware and apps).Follow

Copyright © 2019 IDG Communications, Inc.

Should health care providers disclose and ask how you would like your health care information shared? What do you think about your health care information being monetized? What do you think about your health care information being used without your permission.

Share your comments with the community by posting them below. Share the wealth of health with your friends and family by sharing this article with 3 people today. As always you are the best part of what we do. Keep sharing!

If these articles have been helpful to you and yours, give a donation to Shidonna Raven Garden and Cook Ezine today.

Posted on Leave a comment

COVIDWISE – Contact Tracing

Exposure Notifications System: Helping Health Authorities fight COVID-19

Shidonna Raven Garden and Cook
COVIDWISE & Contact Tracing
Source: Virginia Department of Health
Shidonna Raven Garden and Cook

Click the Link above to learn more and get the app. Got the app? Share your experience with the community by posting your comments here. Who do you know that could be helped by this article? Do you know of anyone with COVID 19? How have things changed for you and yours since COVID 19? Share the wealth of health with your friends and family by sharing this article with 3 people today. As always you are the best part of what we do. Keep sharing!

If these articles have been helpful to you and yours, give a donation to Shidonna Raven Garden and Cook Ezine today.