Facebook: New Health Privacy Concerns

Social Media Giant's Healthcare Plans Raise Issues
Some privacy experts are expressing concern about a report that social media giant Facebook is planning to enter the healthcare market with health apps and patient "support communities."

Reuters last week reported that Facebook is in the "idea stage" of creating "online support communities" that would connect Facebook users suffering from various ailments and developing new preventive care applications "that would help people improve their lifestyles."

Facebook did not respond to an Information Security Media Group request for more details. But some security and privacy experts say that, based on the social media giant's checkered past with privacy issues, consumers and healthcare providers alike should be wary of using Facebook to share health-related information.

"Facebook has not demonstrated they are trustworthy over the years," says information security and privacy expert Rebecca Herold, a co-owner of the consulting firm HIPAA Compliance Tools and CEO of The Privacy Professor. "Their modus operandi to date has been to experiment with people's information first and then apologize later for their privacy mistakes - and to share people's information with others first, then ask for forgiveness, or to say they will change going forward," she says.

Based on the track records of Facebook and other social media sites, Herold says she isn't optimistic that the company will implement "sufficient or effective privacy and information security controls prior to collecting patient information through these apps," and she worries that it may "possibly even share the data widely and inappropriately, putting the patient information at risk."

Michelle De Mooy, deputy director of consumer privacy at the Center for Democracy and Technology, says Facebook needs to make it easy for consumers to choose health data privacy settings. "With health information, the stakes on making sure individuals understand with whom they are sharing their information are a lot higher. The designers need to make sure that these settings are abundantly clear and not overly complicated, and they also need to actively inform users if they change the defaults or add new options."

Consumer Beware

HIPAA compliance attorney Brad Rostolsky, based in the Philadelphia office of global law firm Reed Smith, says that while there is potential value for consumers in using social media to share their medical concerns with other patients experiencing similar health issues, individuals need to be aware when they're "putting their information out there" on the Internet.

"Unfortunately, HIPAA is not there necessarily to protect it," he says, because the information would likely be entered onto the social media site by the consumers themselves. "Folks need to be careful with what they're entering" into social media sites, whether it's upcoming Facebook apps or any other Internet-based consumer platforms. "Being anonymous in that context is maybe preferable."

Herold explains that there are generally no HIPAA requirements for social media sites and app developers to protect health information unless those sites and apps are used by covered entities, such as hospitals, clinics or insurers. "The only legal requirements are some that may exist at the state level ... for example, Texas has such a law covering health information, or in some countries outside the U.S."

Privacy expert Kate Borten, founder of consulting firm The Marblehead Group, says consumers also need to be concerned about their health information posted on social media sites potentially falling into the wrong hands.

"For people who are comfortable with publicly sharing their personal health information, they may not think through the consequences of revealing personal information that they can't take back," Borten says. "At the most benign level, they may invite targeted advertising or spam. At a more sinister level, they may be targeted for scams or even denied jobs, promotions or insurance. While using personal information that way may be illegal, it can still happen."

Additionally, "Facebook would need to say whether or not they will share protected health information without knowledge or consent of the user - or reserve the right to share it in the terms of service/privacy policy," De Mooy says. "Some users will be unaware that their data is not protected under HIPAA when they willingly share it online and that it is fair game for third parties like marketers and advertisers. How broadly will information be shared? Will data be shared with other apps - data leakage - in combination with location and other sensitive data?"

HIPAA Liability

If Facebook provides applications designed for use by doctors, clinics, hospitals or health insurance companies, then the social media company could become a business associate directly liable for HIPAA compliance under the HIPAA Omnibus Rule that went into effect last year, Herold says.

"Is Facebook planning to meet all the HIPAA requirements? Can they do this before they get their apps released and widely used? Are they going to have all their subcontracted entities - for example, probably the app developers - complete a BA agreement prior to this, and ensure they also have appropriate security and privacy programs in place?" Herold asks.

When it comes to third-party health-related apps that potentially could be built for Facebook, Herold says there are "very few standards for the developers to follow, much less any comprehensive security or privacy standards. They are very risky to use whenever personal information of any kind is involved."

If healthcare covered entities and their business associates use a social media app, such as one from Facebook, that results in a privacy breach, or that results in other HIPAA non-compliance, "the CEs and BAs will ultimately pay the price - in legal fees, fines/penalties, bad publicity and potentially other types of legal actions," she says.

Herold suggests that covered entities and business associates need to ensure a risk assessment and HIPAA compliance assessment has been completed on any app they want to use to support the provisioning of healthcare services. "If they don't, then they are not doing their due diligence. If they do, and find significant problems that Facebook or the app developer cannot quickly address, then they should not use the app."

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.