Do Tech Giants Violate HIPAA by Tracking Trends?

The Social Dilemma of Health (SDoH).

In March 2018, the world was shocked when it became public knowledge that Cambridge Analytica, a company based in the United Kingdom, had used data from Facebook to impact the presidential election in the United States. It turned out that they had also provided data to the groups supporting Brexit in the U.K.

It should not be a surprise that Facebook had shared data on its users for profit. Facebook said they allowed some access to Cambridge Analytica, but the company had used survey questions to hack into Facebook data, in a manner not intended by Facebook. I am dubious about this claim. The old saying in technology is that if the product is free, then the user is the product. 

The business models of Facebook, Twitter, Instagram, and TikTok are similar in that the service to users is free. Companies that wish to advertise on these platforms get the benefit of placing the user’s eyeballs on screens where advertisements are seen. 

First, advertisers get access to the age, race, sex, and lots of other demographic information on the people that click on the advertisers’ “landing pages” from the social media platform. This is the information companies get when you simply access their site. 

Media companies like Facebook also know what social groups you joined and, critically, with whom you are connected. They create user “profiles” with various amounts of sensitive data. 

In the case of Cambridge Analytica, they obtained 87 million Facebook user profiles. Included with these profiles were Facebook pages each user “liked.” Also included in the profiles were the user’s date of birth and location.     

In the case of Google, in exchange for answering users’ Internet searches, the company has information not just on what was searched for, but in many cases, on every location users have been, sometime for years.

Let’s go back to our first observation about social media companies. Users are the product. While Facebook apologized for the Cambridge Analytica breach, what they didn’t say was that they had stopped collecting and selling this data in some fashion.    

In the case of healthcare, I ask the question: does having data, even if it is saved in grouped data, violate the Health Insurance Portability and Accountability Act (HIPAA)? If the manufacturer of a drug used to treat hemophilia knows the number of people searching for its drug by ZIP code, directly or indirectly, does this violate at least the spirit of HIPAA? 

I understand that Facebook and Google hope you believe that they do not maintain data at an individual level. They say that the data they sell to advertisers excludes individual data. I would argue that by simply reviewing enough of the data they sell, advertisers could match data to individuals. This is how collection companies perform “skip tracing:” finding people to collect unpaid accounts. 

I think it is time to look at how much data technology companies have that may constitute a violation of HIPAA. I also think it is time not to consider just individual data, but how data summarized into grouped data may violate HIPAA.  

Print Friendly, PDF & Email
Facebook
Twitter
LinkedIn

You May Also Like

Leave a Reply

Please log in to your account to comment on this article.

Subscribe

Subscribe to receive our News, Insights, and Compliance Question of the Week articles delivered right to your inbox.

Resources You May Like

Trending News

Happy National Doctor’s Day! Learn how to get a complimentary webcast on ‘Decoding Social Admissions’ as a token of our heartfelt appreciation! Click here to learn more →

SPRING INTO SAVINGS! Get 21% OFF during our exclusive two-day sale starting 3/21/2024. Use SPRING24 at checkout to claim this offer. Click here to learn more →