Big Tech’s Brazen HIPAA Violations Are Unethical, Immoral, and Legally Actionable

The Health Insurance Portability and Accountability Act (HIPAA) is an American federal statute that stipulates how private patient information should be protected against fraud, theft, and abuse.  Passed in 1996, it requires health care providers and others to put safeguards in place to protect the privacy of patients’ medical data.  The statute also outlines numerous offenses relating to the security of patient information, and establishes civil and criminal penalties for any violations.

While one might think that U.S. doctors, pharmacies, hospitals, insurers, medical service providers, and healthcare/wellness facilities are the primary entities that could potentially leak, share, or exploit private patient data, the truth is that the most audacious HIPAA violations are being perpetrated every day by Facebook and Google.

My outrage about this matter isn’t an attempt to jump on the Big Tech-scolding bandwagon with no actual skin in the game:  it’s based on an event in which I personally experienced an alarming HIPAA violation that was the result of the geo-tracking of my location by Google.

Last year, I accompanied my wife to a hospital in St. Louis, where she was scheduled to have a breast biopsy.  As I sat in the waiting room, a series of ads appeared on my phone for the Mayo Clinic Cancer Center as well as Cancer Treatment Centers of America.

I hadn’t searched for cancer-related products or services, used Google Maps to get to the hospital, or visited sites that featured cancer-related content.  The ads that I received were solely based on my geo-tracked location, which was detected by Google Maps.  The geo-tracking was utilized in the serving of “relevant” commercial offers that – in the algorithm’s infinite wisdom – were consistent with my presence in the hospital’s oncology wing.

Although I didn’t have a similar ad serving experience using Facebook, the platform is also notorious for its intrusive HIPAA violations.  For instance, if you visit the website of a hospital or specialized health services provider that has a Facebook plugin, your browsing history will be transmitted back to Facebook.  The Facebook cookies on your device will then add identifier data – including personal health information (PHI) such as URLs, IP addresses, and sub-state-level geo data – to target you with ads that are based on the pages that you visited.
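The leak described above has a concrete shape that a hospital’s own web team can check for: any `<script>`, `<img>`, or `<iframe>` that loads from an ad platform’s host reports the visited page URL (and whatever cookies the browser holds for that platform) to the platform, and a Content-Security-Policy header is the standard browser-side control that stops those loads.  The following is an added example, not code from the original post: it scans a constructed sample page for well-known tracker hosts and reports whether a given CSP would block each one.  The hospital host `hospital.example`, the sample HTML, the CSP string, and the pixel id placeholder are all assumptions made for the illustration, and the tracker host list is a short, non-exhaustive sample.

```python
"""Audit page HTML for third-party tracker embeds and test a CSP against them.

Added example for illustration; not the post's own code.  Sample HTML, CSP,
and host names are constructed.  Tracker host list is deliberately short.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Publicly known loader / collection endpoints whose scripts and pixels report
# the current page URL back to the ad platform.  Not exhaustive.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel script loader",
    "www.facebook.com": "Meta Pixel image beacon (/tr)",
    "www.google-analytics.com": "Google Analytics collector",
    "www.googletagmanager.com": "Google Tag Manager / gtag loader",
}

# CSP directive that governs loads made by each tag type.
_DIRECTIVE_FOR_TAG = {"script": "script-src", "img": "img-src", "iframe": "frame-src"}


class _SrcCollector(HTMLParser):
    """Collect the src of every script, img and iframe tag, in document order."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in _DIRECTIVE_FOR_TAG:
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def find_trackers(html):
    """Return one record per tracker reference found in the page."""
    collector = _SrcCollector()
    collector.feed(html)
    hits = []
    for tag, src in collector.refs:
        host = urlparse(src).netloc.lower()
        if host in TRACKER_HOSTS:
            hits.append({"tag": tag, "host": host, "what": TRACKER_HOSTS[host], "src": src})
    return hits


def _parse_csp(csp):
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _source_matches(source, host, page_host):
    """Simplified CSP host-source matching: handles 'none', '*', 'self',
    host sources with optional scheme/path, and *.example wildcards.
    Scheme-only sources such as 'https:' are treated as not matching."""
    s = source.lower()
    if s == "'none'":
        return False
    if s == "*":
        return True
    if s == "'self'":
        return host == page_host
    if s.startswith("'"):  # nonces, hashes, 'unsafe-inline' grant no host
        return False
    if "://" in s:
        s = s.split("://", 1)[1]
    s = s.split("/", 1)[0]
    if s.startswith("*."):
        return host.endswith(s[1:])  # "*.facebook.com" -> ".facebook.com"
    return s == host


def csp_allows(csp, tag, host, page_host):
    """True if the browser would load `host` for `tag` under this CSP.
    Falls back to default-src; with no applicable directive everything loads."""
    directives = _parse_csp(csp)
    sources = directives.get(_DIRECTIVE_FOR_TAG[tag])
    if sources is None:
        sources = directives.get("default-src")
    if sources is None:
        return True
    return any(_source_matches(s, host, page_host) for s in sources)


def audit(html, csp, page_host):
    """Tracker hits annotated with whether the given CSP would block them."""
    report = []
    for hit in find_trackers(html):
        hit = dict(hit)
        hit["blocked_by_csp"] = not csp_allows(csp, hit["tag"], hit["host"], page_host)
        report.append(hit)
    return report


# Constructed sample: a hospital department page carrying two tracker embeds.
# The path itself ("/oncology/breast-biopsy") is what the trackers receive.
SAMPLE_PAGE_HOST = "hospital.example"
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/static/app.js"></script>
</head><body>
<img height="1" width="1" src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&noscript=1"/>
<img src="/images/logo.png">
</body></html>"""
# Constructed CSP: first-party only, except the tag manager is still whitelisted.
SAMPLE_CSP = "default-src 'self'; script-src 'self' https://www.googletagmanager.com; img-src 'self'"

if __name__ == "__main__":
    for row in audit(SAMPLE_HTML, SAMPLE_CSP, SAMPLE_PAGE_HOST):
        status = "blocked" if row["blocked_by_csp"] else "ALLOWED"
        print(f"{status:8} <{row['tag']}> {row['host']}  ({row['what']})")
```

Run against a real site's HTML and response headers, the same two functions show which embeds would carry a visit to a named department page off to an ad platform and whether the deployed policy actually stops them; the sample CSP is deliberately incomplete so that the report shows one allowed loader next to two blocked ones.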

It’s not surprising that there isn’t any specific language in the Terms of Service for Google or Facebook that delineates how they protect their users’ private medical/healthcare data.  Perhaps the companies believe that since their users already share lots of personal information about themselves, the majority of them won’t care if they’re served with ads that, while unauthorized, may be in sync with their health and wellness concerns.

Even if this rationalization is accurate (it might be) and even if these ads are extremely profitable to Google and Facebook (they are, and they’re worth billions), the fact that this private information is being monetized is – as per HIPAA stipulations – 100% against the law.

One reason why Google and Facebook are able to easily skirt around HIPAA rules is that the 1996 law doesn’t cover social media networks.  Another reason is that HIPAA doesn’t address data brokers, which provide comprehensive user information to online outlets (including social media networks).  This info helps to sharpen the relevance of online ads that are served based on user activity.  According to the Washington Post, data brokers influence the medical and pharma ads that pop up on Facebook by collecting and sorting users’ “medical information like prescriptions, insurance claims and even electronic health records… as well as other personal details.”

An additional impediment that prevents Google and Facebook from complying with HIPAA is their refusal to sign a Business Associate Agreement (BAA).  As per the HIPAA Security Rule, a BAA establishes “national standards to protect individuals’ electronic PHI that is created, received, used, or maintained by a covered entity.”  All medical services providers, medical insurers, and health care clearinghouses must sign a BAA in order to lawfully conduct business.  But because social networks weren’t a consideration when HIPAA was last updated in 2003, Google and Facebook have been conveniently able to ignore the law.

Given the vast wealth, political influence, and market power of Google and Facebook, it would take significant resources (and fortitude from Congress) to protect users’ private medical/health data.  However, four straightforward solutions are available:

  1. Google must agree to disengage all tracking of their users’ locations and online activities within 300 feet of a healthcare facility, provider, or health-related business.
  2. Facebook must agree to refrain from serving ads to its users based on their browsing histories at health services and medical providers.
  3. HIPAA must be updated by Congress to include social media networks and data brokers.
  4. Google and Facebook must sign BAAs in order to protect and secure their users’ private patient health information.

If the above recommendations aren’t acceptable, Google and Facebook should take note of HIPAA’s penalties for their repeated, ubiquitous, and deliberate transgressions.  Their civil offenses would be categorized as Tier 4, which covers “a violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation.”  The penalty for a Tier 4 HIPAA breach is $50,000 per violation.

For criminal punishments, Tier 3 might be applicable to their executives, or at least their very busy pharma-dedicated sales departments:  it covers parties who are guilty of “obtaining [private health information]… with malicious intent,” and has a penalty of up to 10 years in jail.  Whether “malicious intent” includes the misuse of private health information for commercial gain is for the courts to decide.

HIPAA’s civil and criminal penalties have been successfully administered by both the U.S. Department of Health and Human Services’ Office for Civil Rights and state attorneys general, but they haven’t yet been targeted at Google or Facebook.  Given their many millions of daily HIPAA violations, the two companies’ civil penalties tab would be massive if enforced.  Such financial pain would likely inspire a policy change to secure their users’ private health and medical information.  If not, the HIPAA threat of criminal jail time would hopefully motivate them to pursue more responsible, ethical, and legal (albeit less profitable) behavior.