A lawsuit filed in California on March 15 accuses Facebook, along with a number of high profile healthcare systems and websites, of violating HIPAA and users’ privacy. Initially, this seemed ridiculous, but on reviewing the complaint, there are some interesting and unexpected conclusions to be found.
What did Facebook (allegedly) do?
It turns out when you put Facebook’s “Like” button on a page on your website, it acts like an analytics tracking code – communicating information about the page you’re visiting to Facebook. This information is not just available to Facebook when you click that “Like” button, but as soon as it’s loaded on the page! Facebook is able to connect this information with your profile through a variety of mechanisms and uses it to profile you into some of its 154 health-related segments.
There are a few things the Plaintiffs see wrong with this arrangement.
For starters, Facebook doesn’t reveal that by placing a “Like” button on your webpage you’re sharing certain information with the company, nor does it reveal what information is shared or how that information is used. Further, by combining this health-related information with an identified individual, they argue this information becomes Protected Health Information (PHI) under HIPAA.
What did the hospitals and websites (allegedly) do?
The class action lawsuit specifies “Cancer.org, Cancer.net, Melanoma.org, ShawneeMission.org, BarnesJewish.org, ClevelandClinic.org, MDAnderson.org, and other health care and hospital websites”, claiming they’ve violated patients’ privacy by sharing this data with Facebook.
Although the complaint does debate if the owners of these websites were aware this information was being shared. Facebook is less than forthcoming with information about what information is shared by simply placing its “Like” button on a page. This fact may help the named organizations, but it’s by no means any guarantee of protection.
Of course we want to do right by our visitors as well as to protect our organizations and ourselves. How can that happen?
We need a better definition of PHI
The definition for PHI seems straightforward: Information held by a covered entity and stored electronically is personally identifiable and tells us something about that individual’s health. This case reveals the flaws in that definition. Does a user’s browser history tell us something about their health? Maybe, but we search for health information not only for ourselves, but also the medical situations experienced by friends, family members or even celebrities. What degree of certainty is needed to qualify as PHI?
And that’s only one area of confusion. The browsing history and individual identification aren’t being assembled by the covered entity (and some of these organizations aren’t covered entities, so HIPAA certainly doesn’t apply). Is it PHI if it’s being assembled by Facebook, which isn’t typically covered by HIPAA?
For this reason, I hope the lawsuit proceeds, and we get a ruling which might clarify some of these issues.
Is privacy being violated?
I’ve spoken with a number of health law experts in the past around these questions to understand issues like remarketing. The consistent message I received was: this is the way the internet works. If consumers don’t want to participate in the normal behavior of the internet, they need to take action to prevent it through heightened security options in their browser, ad blockers, anonymous/incognito browsing modes or simply not using the internet.
Numerous articles have been written about the death of privacy. The complaint references the many ways websites can track visitors from one session to another, but ignores obvious ways internet users are compromising their privacy. For example, links to the sites in question within the complaint aren’t encrypted (using HTTP rather than HTTPS) so the very information they’re so concerned about is bouncing around the internet in a way any random stranger might see! Similar information is also captured by Google through Google Analytics tracking code, Google Chrome and numerous browser add-ins (although it’s not clear when it’s being used for marketing targeting).
But there is a problem.
Your privacy policy is aspirational but not defensible
The complaint makes one statement over and over again: “Broken promises at YOUR SITE HERE”.
Your privacy policy gets almost no traffic, but it still represents a promise you’re making to visitors about what data you’re collecting and sharing as well as how that information is being used.
Most privacy policies attempt to present a minimalist view of how browsing information is being stored and used. We want this to be true, but it’s difficult to guarantee.
What should my organization do?
Certainly, this is a call to review the privacy policy on your website, but it seems prudent to include a pragmatic disclaimer like the following:
“Other information about your visit may be captured by your browser, browser add-ons, other software running on your computer or other device, by your employer, the various Internet Service Providers (ISP) and other network services used to access this site and by third party components in use on this site with or without our direct knowledge and permission.”
And keep in mind – I’m not a lawyer, so this is a great time to get their thoughts on these issues. The complex nature of tracking, websites and marketing today requires our organizations to be thoughtful and careful with visitor privacy.
If nothing else, this is a reminder to always consider patient privacy when creating a new feature or marketing campaign for healthcare consumers.