Can Patient Data Be Truly ‘De-Identified’ for Research?

The lawsuit, filed in a federal court in Illinois on June 26 by a former University of Chicago Medicine patient on behalf of other affected individuals, alleges that the hospital did not properly de-identify patient health records before sharing them, without patient consent, with Google to support the company’s development of predictive medical data analytics technology.

On its website, the University of Chicago Medicine says the collaboration signed in 2017 with Google was designed to study ways to use data in electronic medical records to make discoveries that could improve the quality of healthcare. The work focuses on using new machine-learning techniques to create predictive models that could help prevent unplanned hospital readmissions, avoid costly complications and save lives, the university says.

The lawsuit notes that HIPAA allows patient information to be shared for research purposes if it has been de-identified by one of two methods: the “expert determination” method, which determines whether the risk of re-identification is small, and the “safe harbor” method, which involves removing a long list of identifiers.

“If patient data is properly de-identified it is no longer considered protected health information under HIPAA, and can be shared for research,” notes attorney Stephen Wu of Silicon Valley Law Group. “In this [case] context, I don’t know if Google is a ‘business associate’ under HIPAA. But if the data has been de-identified, and it’s no longer PHI, then Google would be a vendor but not necessarily a BA in this situation.” Under HIPAA, properly de-identified data can be shared with third parties that are not business associates, he notes.