Doctor Led Secret Facebook Project To Convince Hospitals To Share Patient Data

By Amy Blitchock

There is yet another breaking story about how Facebook collects, shares and uses data and this time it has to do with medical information. It has recently come to light that the social media giant has been in talks with several hospitals to launch a research project that would look at the intersections between medical conditions and treatments and social behavior. Of course, this would require both hospitals and Facebook to share patient and user information. 

In light of the Cambridge Analytica scandal, where the private data of around 87 million users was improperly used in efforts to send targeted political ads in the run-up to the 2016 election, the medical data sharing program has been put on hold. While everyone close to the project has been quick to point out that all of the data would be anonymized so that a patient’s profile wouldn’t contain any identifying details, such as name and birthdate, it has become clear that Facebook is not in a position to adequately protect user information.

While the project may have begun with good intentions, public confidence in Facebook and their ability to offer effective privacy protections and safeguard user data is low. The original idea was to use what healthcare providers know about patients, including medical conditions, prescriptions, and age, and combine it with what Facebook knows about its users, including primary language, social engagement and interests, to create a more comprehensive patient profile that could improve care. For instance, those who are frequently visiting the doctor could benefit from a larger and more engaged social circle.

Does Sharing Anonymous Data Violate HIPAA?

Facebook was actively pitching the idea to hospitals, but the project was still in the initial planning phases. Now that it has indefinitely been put on hold, there is time to examine the legality and viability of such a project. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and designed to protect the medical information of patients and ensure that it couldn’t be used against them or end up in the wrong hands. The big question is whether a program, like the one proposed by Facebook, would be in violation of these legal protections.

Technically, HIPAA allows for de-identified information to be freely shared without restrictions. Facebook proposed removing identifying information through a common practice known as hashing, which in accordance with HIPAA’s standards for making personal information anonymous. That means that there aren’t any current laws that would require user consent to participate in the project or bar it from going forward.

That doesn’t mean that this type of data sharing doesn’t raise some real concerns. While the project is now garnering attention, there is a real possibility that it could have been launched without much notice and users would have been participating without any knowledge or consent. Perhaps most importantly, we are continuing to discover just how difficult it is to effectively protect data and how little Facebook has done to prevent third parties from using data for various purposes.

The Role of Healthcare Providers in Protecting Patient Data

One of the main duties of any healthcare provider is to protect patient information, which is part of why this project has raised so many concerns. While it might not be surprising that Facebook would be trying to leverage user data for new purposes, it does come as more of a shock that renowned hospitals would be willing to participate. There is no denying that mental and social health can be an important part of comprehensive healthcare and better patient outcomes, but it is highly questionable whether mining big data is the way to achieve these goals. 

There may be some real benefits to a project of this type, but hospitals and healthcare providers need to carefully weigh the risks and benefits and consider whether it creates a fundamental conflict of interest when it comes to protecting patient information. At this point, there isn’t a social network out there that is capable of providing the level of security necessary to protect sensitive patient information.

It is also important to consider that hackers are constantly looking for new ways around security measures, so making information more vulnerable will only intensify that cat and mouse game that is already an inherent part of cybersecurity. If history has shown us anything, it is only a matter of time before a breach occurs. Is that something that both hospitals and patients are willing to accept in the name of trying to provide better care?