Health Law Daily
Tuesday, September 8, 2020

HIPAA violations lawsuit dismissed over lack of monetary damages

By Jeffrey H. Brochin, J.D.

Despite sufficient allegations that the University of Chicago breached an agreement regarding the privacy of a patient’s Protected Health Information (PHI), and a prima facie showing of HIPAA violations, the patient’s lawsuit was dismissed over his failure to show he suffered monetary damages.

A federal district court in Illinois has dismissed the invasion of privacy lawsuit filed by a patient whose PHI was shared by the University of Chicago Hospital (University) with Google, LLC (Google) as part of a machine learning research project. Although the court found that it had Article III standing jurisdiction to hear the case, and that the patient had demonstrated an injury in fact as a result of the breach of the University’s Notice of Privacy Practices (NPP), his theories in support of his claim for money damages were inadequate because he did not plead that the University’s breach caused him economic damage (Dinerstein v. Google, LLC, September 4, 2020, Pallmeyer, R.).

Predictive health models research. In 2017, the University and Google entered into a research partnership in which they used machine-learning techniques to create predictive health models aimed at reducing hospital readmissions and anticipating future medical events. As part of this research, the University disclosed to Google the ‘de-identified’ electronic health records (EHRs) of all adult patients treated at its hospital from January 1, 2010 through June 30, 2016. The plaintiff was an inpatient at the University in June 2015 and, after learning that his PHI (which he claimed was not adequately anonymized) was shared with Google, he filed suit alleging breach of contract, violations of HIPAA, and common law ‘intrusion upon seclusion’ claims. The University and Google both moved to dismiss the complaint.

Standing ‘not dispensed in gross’. The patient alleged that the University expressly made certain promises about privacy which were subsequently breached. The court found that the weight of legal authority supported the conclusion that the allegation that the University breached an express contract was sufficient for Article III standing purposes. However, the court further noted that standing ‘is not dispensed in gross’ and the patient was required to demonstrate standing for each claim and each form of relief he sought. Although he had standing to pursue his contract claims, including his interference of contract claim against Google, the court reviewed his other injuries independently to determine whether he had standing to pursue his intrusion-upon-seclusion and other claims.

Intrusion-upon-seclusion claim. The court found that the patient did not need to show actual loss to establish standing for common-law claims of invasion of privacy and intrusion upon seclusion, and that the alleged privacy violations were sufficient to establish standing for those tort claims. The court was persuaded that the patient sufficiently pleaded an injury in fact, in light of the common law tradition’s recognition that an individual has standing to challenge an invasion of his privacy, and it concluded that for his common law intrusion-upon-seclusion claim, the invasion of his privacy constituted an injury-in-fact that could support standing.

Value of patient EHRs. The patient asserted ‘concrete and particularized harm’ by way of the alleged theft of his medical information, which he insisted had commercial value and was something that he had a legal interest in pursuant to HIPAA. However, the court found that he cited no authority supporting the proposition that HIPAA creates a property interest in health data. He further contended, without citations, that the common law and the University’s contractual obligations also established his legal interest in his own medical information. The court disagreed, finding that he neither developed nor supported a separate argument that the common law or his contract created a legal interest in his data. Furthermore, even if he had a property interest in his medical information, his allegations did not support an inference that the value of that property was diminished by the University’s or Google’s actions.

HIPAA as the substance of the contract claim. The court next examined the issue as to whether the patient had pleaded that the University breached the contract by violating HIPAA. Under HIPAA’s safe harbor provisions, the University was permitted to disclose medical information under certain circumstances: First, a covered entity, such as the University, was allowed to disclose a ‘limited data set’ if it excluded certain direct identifiers; was used for ‘research, public health, or health care operations’; and if the disclosure was made pursuant to a ‘data use agreement’ (DUA) that included certain provisions governing the use of the medical information. HIPAA also allowed a covered entity to disclose PHI for research when approved by an Institutional Review Board (IRB), which was in fact the case here.

The patient did not plead that the University and Google failed to comply with the requirements of those HIPAA regulations; rather, he argued that he need not do so because those were affirmative defenses. But the court read his allegations as setting forth everything necessary to satisfy those affirmative defenses, and found that the complaint itself actually affirmatively asserted that the disclosures were made for research. The court concluded that with respect to the two safe harbors, the patient did not present allegations that suggested a HIPAA violation.

Failure to establish damages. Finally, the court examined whether the patient had plausibly alleged that the breach caused him damages. He had alleged that he suffered non-economic damages, such as anxiety and emotional distress, but his response to the University’s and Google’s motions did not characterize those harms as part of his contract damages, and, as the University noted, Illinois does not recognize emotional distress damages for breaches of contract.

The court referenced the Authorization that the patient signed at the University, which contained a provision disclaiming the right to receive compensation from the University’s research: ‘I acknowledge that such research by the University of Chicago Medical Center may have commercial value and, in that event, I understand that I will not be entitled to any compensation, regardless of the value of such research or any products or inventions developed therefrom.’ Accordingly, the court concluded that none of his theories for money damages were adequate, and it granted the motions to dismiss.

The case is No. 1:19-cv-04311.

Attorneys: Jay Edelson (Edelson PC) for Matt Dinerstein. Michael G. Rhodes (Cooley LLP) for Google, LLC. Brian Douglas Sieve (Kirkland & Ellis LLP) for The University of Chicago and The University of Chicago Medical Center.

Companies: Google, LLC; The University of Chicago; The University of Chicago Medical Center
