Facebook + health data = all sorts of HIPAA questions

“Time’s Person of the Year is Mark Zuckerberg. Sorry, Julian Assange, I guess you didn’t violate enough people’s privacy.” — Stephen Colbert, Dec. 15, 2010.

Yes, Facebook has issues with privacy. Just Monday, the Electronic Privacy Information Center, the Center for Digital Democracy, Consumer Watchdog and the Privacy Rights Clearinghouse formally asked the Federal Trade Commission to stop Facebook from launching a facial-recognition feature. Last week, European regulators said they would investigate Facebook after it came out that Facebook’s 500 million to 700 million users were automatically opted in to facial recognition.

And now we hear that Microsoft is adding Facebook authentication to its HealthVault health information platform.

Let me repeat: You can now sign in via Facebook to a HealthVault personal health record.

Though I’m not a lawyer, I’m wondering if Microsoft might not be treading in some dangerous territory. What if it’s possible to link HealthVault updates to Facebook so your entire social network knows that you just got a lab test result back? What if the Facebook location tagger indicates that you’ve just visited an STD clinic? Yeah, sometimes discretion is in order, and Facebook generally isn’t the place to be discreet.

According to Healthcare IT News’ MobileHealthWatch blog, Microsoft’s Sean Nolan was practically giddy about this arrangement helping HealthVault go mobile. I think mobility will help make PHRs a bit more attractive to patients, but I still think PHRs are DOA if they don’t link to EHRs.

I just don’t see a lot of medical practices being willing to send electronic data back and forth to HealthVault accounts if Facebook is handling the security, making MobileHealthWatch’s claim that, in wake of the supposed demise or at least de-emphasis of Google Health, HealthVault is now “more or less unchallenged as the PHR of record” a joke. There’s no such thing as a PHR of record, and there won’t be as long as authentication passes through Facebook.