Is Data Sharing Caring Enough About Patient Privacy? Part II: Potential Impact on US Data Sharing Regulations

Research output: Other contributionNet publication - Internet publicationResearchpeer-review

Timo Minssen, Sara Gerke, Carmel Shachar

A recent US lawsuit highlights crucial challenges at the interface of data utility, patient privacy & data misuse By Timo Minssen (CeBIL, UCPH), Sara Gerke & Carmel Shachar Earlier, we discussed the new suit filed against Google, the University of Chicago (UC), and UChicago Medicine, focusing on the disclosure of patient data from UC to Google. This piece goes beyond the background to consider the potential impact of this lawsuit, in the U.S., as well as placing the lawsuit in the context of other trends in data privacy and security. Dinerstein v. Google is well-positioned to be an important case in how data is shared between medical providers and health tech companies. First, it touches upon a series of impactful and as yet unresolved questions regarding the boundaries of data sharing and data use, such as concerns regarding data triangulation. Second, the plaintiff’s lawyers, Edelson PC, specialize in class-action lawsuits and are likely able to build this case competently by acquiring additional patients as plaintiffs whose electronic health records (EHRs) were shared with Google. Overall, this case has the potential to evolve into a landmark case with regard to questions of when and under what circumstances patient data may be shared, whether patient data can be truly de-identified, and what could be potential safeguards. One of the most interesting aspects about this case is the problem of data triangulation. The defendants claim that the data set shared by UChicago Medicine was de-identified, and therefore complied with HIPAA. The plaintiff, however, contends that the defendants did not follow HIPAA’s de-identification rules in sharing and receiving the data set in part because Google could easily re-identify patients by combining the UC data with their own data sets. In some ways, this argument reveals the extent to which HIPAA is showing its age. What health information is considered individually identifiable in the 21st century? Indeed, it is true that with more and more data sources and greater computational power, we can now re-identify most data if we truly want to. There is a strong need to update HIPAA to reflect not only whether patients are identifiable upon first pass at the data, but also how easily the data can be used for re-identification. Perhaps, the same way that we evaluate mergers for anti-trust concerns based on the unique capabilities and circumstances of the merging parties, we need to create a “re-identification” analysis that must be passed before entities are allowed to share data sets. Or perhaps there is a need for third-party clearinghouses to analyze the data but ensure that complimentary data sets are kept separate to avoid the risk of re-identification. Regardless, Dinerstein v. Google is one of the first cases to bring a theory of data triangulation forward. Whether we implement data privacy protections to reflect the risks of data triangulation may depend on the reception the court gives to this theory. Of course, data triangulation is only one of the issues that Dinerstein v. Google could impact. And while data privacy is an important policy goal—one that should shape American data regulation—it is important to remember the potential that our big data frontier holds in terms of addressing access to care, improving the efficiency of health care delivery, and addressing health care costs. But we should ensure to harness its power thoughtfully by making sure our data privacy regulations reflect our current computational abilities. Unsurprisingly such issues are also heavily discussed in other regions of the world, such as in European general policy, or in more specific health care or clinical trials transparency debates. Hence, we assume that European stakeholders will monitor the developments in Dinerstein v. Google very carefully. It is further likely that the case will be frequently cited during the recently initiated proceedings at the Court of Justice of the European Union (CJEU) concerning the U.S./European “Privacy Shield” agreement on international data transfer. This research is supported by a Novo Nordisk Foundation-grant for a Collaborative Research Programme (grant agreement number NNF17SA027784).
Original languageEnglish
Publication date29 Jul 2019
PublisherHarvard Law School's Bill of Health blog
Publication statusPublished - 29 Jul 2019

ID: 224943524