Priority Privacy Update: Social Media and the Erosion of Medical Privacy
In the past, protecting one’s privacy was as simple as closing the blinds at night and keeping personal documents in a secure location. Advances in technology and the proliferation of online commerce have both complicated and eroded our expectations of anonymity and privacy. Regulators and lawmakers are just starting to grasp the extent to which our actions and movements are now being tracked across multiple platforms and devices. A report prepared for Congress found that a significant amount of personal data (such as name, age, and address) is transmitted to third parties without the user’s knowledge or consent. A 2018 study revealed that approximately one million mobile apps send data to an average of 10 third parties. Additionally, the top one million websites share data with an average of 34 third parties through the use of trackers, cookies, and similar technologies. It is no surprise that Google and Facebook are the top aggregators of third-party data. Facebook trackers were found in 42% of all apps, while Google trackers were present on 88% of apps on the Google Play Store, and Google Analytics was found on 75% of the top 100,000 websites.
Healthcare stakeholders are increasingly worried that these data exchanges undermine existing legal protections for personal medical information under federal law, such as HIPAA, and under state privacy statutes, such as the California Consumer Privacy Act (CCPA) and its recent amendment, the California Privacy Rights Act (CPRA), which has inspired similar statutes in other states. The CPRA requires companies to disclose not only sales of consumer data but also other exchanges and sharing of it. The implications are significant because health data is frequently shared with third parties as a byproduct of marketing departments measuring and tuning their advertising campaigns. A recent investigation by TheMarkup and STAT found that 33 of the top 100 American hospitals had embedded a “Meta Pixel” tracker that sent a packet of data to Facebook every time a patient clicked a button to schedule an appointment. Only seven of those hospitals removed the pixel after being contacted by TheMarkup. To protect patient privacy, some healthcare companies pass identifiers through a one-way hash function before sending them (“hashing”), sometimes after appending a random value (“salting”). These measures offer less protection than they appear to: a hash of a known email address can be recomputed by anyone who already holds that address, and a salt that is fixed or transmitted alongside the hash does not change this. Such efforts may also be actively undermined by tech companies that run de-identified data through matching algorithms to learn as much as possible about individual users.
Facebook has in fact admitted that it attempts to link hashed data to specific user profiles, defeating the purpose of hashing it. Facebook is neither a healthcare provider nor a “business associate” furnishing non-clinical support services to providers, so the vast amount of medical information it collects may fall outside HIPAA’s protections for patient identity. Indeed, the Markup/STAT investigation found that many telehealth companies were also sending sensitive health information to tech companies. For patients, this may include details they would prefer to keep private: a recently prescribed medication that reveals a health condition, past or current substance abuse, ongoing behavioral health treatment, an aborted pregnancy, or details of sexual health. Beyond the loss of privacy itself, the availability of such information could limit access to life or disability insurance and carry other negative consequences for consumers.
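The two paragraphs above describe hashing as a privacy measure and its defeat by a recipient that already holds the underlying identifiers. The following Python script is an added illustration of that point, not code from the article, from any hospital, or from Meta. It assumes, as ad pixels commonly do, that the “hashed” identifier is an unsalted SHA-256 of the lower-cased, trimmed email address; the patient list, the platform’s user directory and the site secret are all constructed sample data. It shows that a platform holding its own user list recovers the email behind such a hash by simple lookup, that a salt the recipient can see does not help, and that a keyed hash (HMAC with a secret that never leaves the site’s servers) produces a token the recipient cannot match.

```python
import hashlib
import hmac


def normalize_email(email: str) -> str:
    """Trim and lower-case, the normalization ad platforms require before
    hashing so that sender and receiver compute the same digest (assumption:
    this mirrors common 'advanced matching' rules, not any specific vendor)."""
    return email.strip().lower()


def plain_hash(email: str, salt: str = "") -> str:
    """SHA-256 of the normalized email, optionally with a salt appended.
    This is the form of 'hashed' identifier a pixel typically transmits."""
    return hashlib.sha256((normalize_email(email) + salt).encode()).hexdigest()


def match_against_directory(tokens, directory, known_salt: str = ""):
    """What a platform that already holds its users' email addresses can do
    with incoming hashes: hash every address it knows (with any salt it can
    see) and look for collisions. Returns {token: recovered_email}."""
    lookup = {plain_hash(e, known_salt): normalize_email(e) for e in directory}
    return {t: lookup[t] for t in tokens if t in lookup}


def keyed_token(email: str, site_key: bytes) -> str:
    """HMAC-SHA256 under a per-site secret. Stable for the same person on the
    same site (so the site can still count repeat visitors in its own
    analytics) but unmatchable by any recipient that lacks site_key."""
    return hmac.new(site_key, normalize_email(email).encode(), hashlib.sha256).hexdigest()


# Constructed sample data: two patients who booked appointments, and the
# (much larger, here abbreviated) user directory a platform would hold.
PATIENTS = ["Jane.Doe@example.org", " sam@example.net "]
PLATFORM_DIRECTORY = [
    "alice@example.com",
    "jane.doe@example.org",
    "other@example.com",
    "sam@example.net",
]
PUBLIC_SALT = "clinic-2022"          # a salt that is fixed or sent with the hash
SITE_KEY = b"\x9f\x11..site-secret.."  # constructed; in practice 32 random bytes


def demo():
    """Run the three scenarios and report how many patients each one exposes."""
    # 1. Unsalted hash: every patient the platform already knows is recovered.
    plain = [plain_hash(p) for p in PATIENTS]
    exposed_plain = match_against_directory(plain, PLATFORM_DIRECTORY)

    # 2. Salted hash, but the salt is visible to the recipient: same outcome.
    salted = [plain_hash(p, PUBLIC_SALT) for p in PATIENTS]
    exposed_salted = match_against_directory(salted, PLATFORM_DIRECTORY, PUBLIC_SALT)

    # 3. Keyed hash with a secret the recipient never sees: nothing matches,
    #    even though the recipient tries both the plain and the salted lookup.
    keyed = [keyed_token(p, SITE_KEY) for p in PATIENTS]
    exposed_keyed = match_against_directory(keyed, PLATFORM_DIRECTORY)
    exposed_keyed.update(match_against_directory(keyed, PLATFORM_DIRECTORY, PUBLIC_SALT))

    return {
        "plain": len(exposed_plain),
        "public_salt": len(exposed_salted),
        "keyed": len(exposed_keyed),
    }


if __name__ == "__main__":
    for scenario, count in demo().items():
        print(f"{scenario:12s} patients re-identified: {count} of {len(PATIENTS)}")
```

Two caveats matter in practice. The keyed token only helps if the HMAC is computed server-side; a key embedded in the page’s JavaScript is visible to the same third-party script that sends the pixel. And even an unmatchable token still tells the recipient that someone scheduled an appointment on a given clinic’s page, which is the real question the article raises: whether the event should be sent at all.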
Efforts are underway to hold Facebook accountable for its handling of personal medical data. In June, a class-action lawsuit was filed against Facebook alleging privacy intrusions and conduct akin to wiretapping prohibited under state and federal law. The lawsuit will be closely followed not only by privacy advocates but also by healthcare industry stakeholders. As privacy regulation continues to evolve, the ways in which marketing and technology combine to reduce privacy are likely to receive more and more attention. Healthcare companies should consider whether their data handling and usage raise concerns with respect to healthcare privacy and data security.
Harry Nelson, Managing Partner, Nelson Hardiman
Yehuda Hausman, Law Clerk, Nelson Hardiman
Nelson Hardiman LLP
Healthcare Law for Tomorrow
Nelson Hardiman regularly advises clients on new healthcare law and compliance. We offer legal services to businesses at every point in the commercial stream of medicine, healthcare, and the life sciences. For more information, please contact us.