Social Media Leaves HIPAA Irrelevant

by Mendel Zilberberg

In light of the recent recognition that on an almost global basis people’s private information is virtually an open book, one can only wonder if the protection of PHI, (Personal Health Information) that HIPAA meant to protect, is illusory. To the extent that emails and other communications meant for designated recipients are analyzed, scraped, aggregated and stored it is in the opinion of this author that the protection of PHI is illusory. Furthermore, internet search history is also used to develop profiles of an unsuspecting public. The fact that Facebook monitors internet activity even when the subscriber is logged off is enough to validate the fear that internet and social media users are subject to a level of privacy intrusion that most of us think is unimaginable.

Health providers – covered entities and their downstream counterparts dealing with PHI – must jump through regulatory hoops regarding the storage of and limitations on the dissemination of information. Apparently, to a large extent this information is already in the hands of numerous social media outlets without any legal restrictions on the aggregation, storage or dissemination of the information which most certainly contains at least part of the medical information that HIPAA and HITECH control.

The sad truth is that the scale and scope of data that is aggregated by various social media portals is staggering. It is reasonable that included in the information available for purchase and information that has been scraped and available to anyone willing to pay is medical related information. In light of this, one can only wonder why the medical profession is being subject to the rigors of HIPAA to protect patients’ information when there apparently is a door wide enough through which to drive a truck.

Without harping on the Facebook issue, there are five points I would like to make.

  1. The Facebook issue underscores the fact that the most sensitive personal data is aggregated by entities, generally classified as social media outlets, and those outlets are not subject to the legal protection that PHI enjoys under HIPAA.
  2. The aggregators have shared this data with marketers, advertisers and researchers without any idea how or the extent to which the information would be used.
  3. Listening to the Senate interview of Mark Zuckerberg, it is apparent that the government is only now, in 2018, taking a stab at understanding how and to what extent this information was available.
  4. As opposed to HIPAA, which started with legislation, the only formalized requirement for privacy before HIPAA was possibly the Hippocratic Oath; on the other hand, social media giants are being asked to develop protocols, which at best, they will self-govern. Only if they fail will the government intervene.
  5. In response to the massive data issue at Facebook, social media companies are primarily being questioned about how they share their data, but the predicate question about the aggregation of data and how it is stored or protected is not even being questioned.

Why? The answer that seems to be forthcoming is that we do not want to stifle development, social media is free, and the social media portals must have a revenue source. When the mention of fees for use is brought to the table, however, it is viewed as a nonstarter. My question is why? Maybe there should be nominal fees for communication like telephone once was and disallowing the aggregation of data, so that when someone goes on a social media site, they will only transmit data to those people that they choose to, and no data will be aggregated.

Bottom line.

Why are doctors or covered entities and their downstream conterparts subject to the protocols, costs, statutes, and staggering fines when a good part of the information is apparently in the seemingly unrestricted hands of social media companies as aggregated data?

Imagine a medical provider offering the excuses/apologies offered by Mark Zuckerberg and how well they would go over with the government in the event of a HIPAA breach!

“I apologize for any harm done,” November 2003 after closing FaceMash.

“This was a big mistake on our part and I’m sorry for it,” September 2006 on News Feed feature.

“I ask for forgiveness and I will work to do better,” September 2017, on election interference on Facebook.

”This was a breach of trust and I’m sorry,” March 25, 2018 newspaper ads apologizing for Cambridge Analytica data breach.

“It was my mistake, and I’m sorry,” April 10 testimony to Congress.

It seems that doctors and the medical community as a whole are the group that the government “loves to hate.”

Examples of this treatment of the medical profession are HIPAA, the default position that doctors are suspected of improper referrals, and how the opioid crisis seems to be laid at the feet of doctors and pharmacy companies.

With the large number of doctors practicing, there may be some bad apples, but why as a whole are people who have dedicated their lives to helping others, who have made great financial sacrifice to put themselves through school, and are members of an honorable profession treated as guilty until proven innocent?

What do you think?


About Mendel Zilberberg:

An attorney, visionary and entrepreneur admitted to practice in New York, New Jersey and Florida who has represented and counseled clients with nationwide interests in many areas of the healthcare arena.