Facebook is collecting your health information. Should you care?
Facebook is bad for your health!
A report published this week by the website Newsbusters revealed some disturbing information about Facebook. The news organization ran a battery of tests against 100 US hospitals and discovered that a third of them were using tools provided by Facebook (META) to facilitate online scheduling. What they found was that anyone submitting information through these online scheduling processes had that information – reported conditions and all – ported to Facebook. Needless to say, this information is extremely valuable to third parties, and that is the business Facebook is in: selling the information you freely provide (whether knowingly or unknowingly) to others.
To be fair, Facebook responded to the findings by citing its privacy policy, which states that any “potentially sensitive health information” sent to it by websites using some of Meta’s tools is identified and scrubbed, and is not retained on Facebook servers. Move along, nothing to see here, we can trust them, right?
We did our own test and identified that at least one of the hospitals in the study uses EPIC’s MyChart as its EHR. While we can’t directly connect their online scheduling process to EPIC, it does beg the question whether EPIC itself is utilizing Meta tools for some of its online scheduling features.
But the problem extends beyond Facebook. The issue is that Facebook is NOT bound by HIPAA. HIPAA pertains to Covered Entities (those who bill for care through Medicare) and their Business Associates. Many peripheral players who gain access to our health information simply do not fall under the jurisdiction of HIPAA, and that’s a problem. Once again, we’re advocating for broader coverage of HIPAA to prevent these ancillary organizations from leveraging your health information without restriction.
In this particular case, we would hold the offending hospitals responsible for both the inappropriate release of Protected Health Information and the lack of a Business Associate Agreement with Facebook, assuming one does not exist.
Sadly, events like this are a blip on the radar, and we rarely see further enforcement when companies like Facebook, Google, and others are involved. It’s really up to us to take the lessons learned and act accordingly. The lesson here is to be very skeptical of the health information you enter online, and to be as vague as possible about the details of your presenting condition.
As always, we’re here to help your organization protect your patient data and keep you more cybersecure. Let us save you time and money.