Facebook + health data = all sorts of HIPAA questions
“Time’s Person of the Year is Mark Zuckerberg. Sorry, Julian Assange, I guess you didn’t violate enough people’s privacy.” — Stephen Colbert, Dec. 15, 2010.
Yes, Facebook has issues with privacy. Just Monday, the Electronic Privacy Information Center, the Center for Digital Democracy, Consumer Watchdog and the Privacy Rights Clearinghouse formally asked the Federal Trade Commission to stop Facebook from launching a facial-recognition feature. Last week, European regulators said they would investigate Facebook after it came out that Facebook’s 500 million to 700 million users were automatically opted in to facial recognition.
And now we hear that Microsoft is adding Facebook authentication to its HealthVault health information platform.
Let me repeat: You can now sign in via Facebook to a HealthVault personal health record.
Though I’m not a lawyer, I’m wondering if Microsoft might not be treading in some dangerous territory. What if it’s possible to link HealthVault updates to Facebook so your entire social network knows that you just got a lab test result back? What if the Facebook location tagger indicates that you’ve just visited an STD clinic? Yeah, sometimes discretion is in order, and Facebook generally isn’t the place to be discreet.
According to Healthcare IT News’ MobileHealthWatch blog, Microsoft’s Sean Nolan was practically giddy about this arrangement helping HealthVault go mobile. I think mobility will help make PHRs a bit more attractive to patients, but I still think PHRs are DOA if they don’t link to EHRs.
I just don’t see a lot of medical practices being willing to send electronic data back and forth to HealthVault accounts if Facebook is handling the security, making MobileHealthWatch’s claim that, in wake of the supposed demise or at least de-emphasis of Google Health, HealthVault is now “more or less unchallenged as the PHR of record” a joke. There’s no such thing as a PHR of record, and there won’t be as long as authentication passes through Facebook.
Neil,
Great post as always. One point though that I want to make sure is clear is relative to authentication and authorization.
HealthVault is using FaceBook as an identity provider for authentication. This would not authorize HealthVault or FaceBook to share information, other than the profile attached to the identity. Typically (i.e. OpenID process) the user defines their profile (what is shared, like name or alias, etc.) or multiple profiles and that is what is shared. HealthVault would not have access to post to FaceBook and FaceBook would not have access to post into HealthVault. That “access” is called authorization, which is a separate process (i.e. OAuth).
Depending on how FaceBook creates profiles for OpenID, the risk is that FaceBook would share some identifying information to HealthVault (that info should be known to the User). Other than that, I do not see further privacy risk at this time.
Best,
Steven
Thanks for your insight, Dr. Waldren. I hope the public and the physician community figure out those nuances.
That post was a fun read and thank you Dr.Waldren for the additional insight. It is interesting to see how the healthcare industry is utilizing social media and other communication technologies to improve the industry overall.