That same year, Google entered into a data-mining partnership with the University of Chicago Medical Center that is now being challenged in court. This past June, a patient sued UCMC and Google, alleging that his and thousands of other patients’ electronic medical records were given to Google without having been stripped of time and date stamps.
Google and UCMC have both denied the allegations. If true, they would be a clear violation of HIPAA. But the lawsuit wasn’t actually brought under HIPAA. Instead, it alleges deceptive and unfair business practices under Illinois’ consumer protection law, as well as violations of common-law privacy rights. The complaint describes how Google could, in theory, completely legally receive de-identified medical records and then combine them with its vast stores of data about how people behave online—including geolocation, search queries, and social media posts—to re-identify individuals.
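The linkage risk the complaint describes turns on a concrete property of the exported records: a visit timestamp left in an otherwise nameless record is a quasi-identifier that can be joined against any other dataset holding the same person's timestamps. The following Python script is an added example, not code from the article, Google, UCMC, or Mayo. It assumes a simplified reading of two of HIPAA Safe Harbor's removal rules (dates finer than a year, ZIP codes longer than their first three digits), runs them over a small constructed record set, and measures the effect as k-anonymity: the smallest number of records that share one quasi-identifier tuple. A value of k = 1 means at least one record is unique on those fields, so a single matching external observation pins it to a person.

```python
"""Linkage-risk check for a 'de-identified' record set (constructed example).

Assumed rules (a simplification of HIPAA Safe Harbor, 45 CFR 164.514(b)(2)):
dates finer than a year and ZIP codes finer than three digits are
quasi-identifiers and must be generalized. The check flags such fields,
generalizes them, and reports k-anonymity before and after.
"""
from collections import Counter
from datetime import datetime

# Constructed sample of what a "scrubbed" export looks like when time and
# date stamps were not removed. Names and record numbers are already gone.
SAMPLE_RECORDS = [
    {"visit_ts": "2019-03-04T09:12:00", "zip": "55905", "dx": "E11.9"},
    {"visit_ts": "2019-03-04T09:47:00", "zip": "55905", "dx": "I10"},
    {"visit_ts": "2019-07-19T14:03:00", "zip": "55901", "dx": "E11.9"},
    {"visit_ts": "2019-11-30T16:55:00", "zip": "55902", "dx": "J45.909"},
    {"visit_ts": "2019-12-01T08:20:00", "zip": "55906", "dx": "I10"},
    {"visit_ts": "2019-12-01T08:21:00", "zip": "55904", "dx": "E11.9"},
]

# Fields an outside party could plausibly match against its own data.
QUASI_IDENTIFIERS = ["visit_ts", "zip"]


def is_full_timestamp(value):
    """True if the value is an ISO-8601 date or date-time finer than a year."""
    if not isinstance(value, str):
        return False
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d"):
        try:
            datetime.strptime(value, fmt)
            return True
        except ValueError:
            continue
    return False


def safe_harbor_findings(records):
    """Sorted list of field names that still carry a full date or a ZIP
    code longer than three digits anywhere in the record set."""
    flagged = set()
    for rec in records:
        for field, value in rec.items():
            if is_full_timestamp(value):
                flagged.add(field)
            elif field == "zip" and isinstance(value, str) and len(value) > 3:
                flagged.add(field)
    return sorted(flagged)


def generalize(record):
    """Return a copy with timestamps cut to the year and ZIPs to 3 digits."""
    out = dict(record)
    for field, value in record.items():
        if is_full_timestamp(value):
            out[field] = value[:4]
        elif field == "zip" and isinstance(value, str):
            out[field] = value[:3]
    return out


def k_anonymity(records, keys):
    """Smallest number of records sharing one quasi-identifier tuple."""
    groups = Counter(tuple(rec[k] for k in keys) for rec in records)
    return min(groups.values())


if __name__ == "__main__":
    print("fields violating Safe Harbor:", safe_harbor_findings(SAMPLE_RECORDS))
    print("k before generalization:", k_anonymity(SAMPLE_RECORDS, QUASI_IDENTIFIERS))
    generalized = [generalize(r) for r in SAMPLE_RECORDS]
    print("fields violating Safe Harbor after:", safe_harbor_findings(generalized))
    print("k after generalization:", k_anonymity(generalized, QUASI_IDENTIFIERS))
```

On the constructed sample every record is unique on (timestamp, ZIP), so k is 1 before generalization; after cutting timestamps to the year and ZIPs to their prefix all six records collapse into one group and k rises to 6. A receiving-side check like this is the kind of control a data custodian can run before an export leaves its enclave, independent of what the contract with the recipient says.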
“Up until recently the current mode of thinking has been that if these records have no name, no address, then nothing bad can happen, and I just don’t think that’s true anymore,” says Michelle Mello, a health law expert at Stanford who has written about the Google/UCMC case. She points out HIPAA was enacted in 1996, before Google existed and when the US’s 20 million internet users browsed only about 30 minutes each day. What tech companies can do with de-identified data exposes gaps in data privacy that grow wider with every Google search and Facebook post, she says.
“Even when they’ve been responsibly transmitted, once these data are out there, they’re no longer in the custody of companies bound by regulations of any kind, and we don’t know what linkages might be performed and where these data might ultimately end up,” she says. “There’s a lot you can do with people’s data without violating any promises to them.”
In light of these kinds of concerns, Mayo Clinic officials say they have been careful about how they’ve structured the Google partnership. Google will be contractually prohibited from combining Mayo clinical data with any other datasets, according to a hospital spokesperson. That means that whatever data Google has about a person through its consumer-facing services, such as Gmail, Google Maps and YouTube, can’t be combined with caches of scrubbed Mayo medical records. To ensure this, the hospital will only make de-identified data accessible to Google inside the Mayo-controlled private cloud, where it has the ability to monitor any activity.
Gostin says this should reassure patients to some extent, but is by no means a guarantee of privacy. “Holding Google to their privacy commitments is hard and it would need Mayo to intervene judicially,” he says. Patients likely wouldn’t have their own legal recourse if the agreement were not honored. “The real solution is national legislation mandating better privacy in multiple spheres,” he says. “Including data and cloud-based services, social media, and the internet.”
While this kind of change is not yet competing with climate change, gun control, Russian election interference and other world-burning political priorities, Mello believes it is inevitable. “The pace this technology is moving is out of step with the public’s expectations about privacy,” she says. “So I think we’ll soon start seeing a demand for formal regulations.” On the issue of regulation, Google declined to comment.
Standards of practice can and do change, as new technologies come along and societal values shift. During Plummer’s time and for many years after, Mayo doctors could dig through any patient’s records in the name of science. Then HIPAA and other human subject regulations came along. And pioneers like Mayo found different ways to use their data to advance medical research. New laws, fit for the privacy needs of the current moment, need not halt progress. If anything they might inspire innovation.