A recently filed federal class-action suit claims that several healthcare providers are violating HIPAA’s rules on protected health information (PHI). If the suit succeeds, privacy advocates say it has the potential to disrupt the way the ad targeting industry deals with the healthcare sector.
To really understand what’s going on, you’ll need some background on HIPAA.
HIPAA Privacy and Authorization
Under HIPAA’s Privacy Rule, covered entities (healthcare providers, insurers, and clearinghouses) must obtain a patient’s explicit authorization (think “check this box to approve sending your PHI to a third party” on an online form) before PHI is used or disclosed for anything outside a few specific purposes: treatment, payment, and healthcare operations.
Using PHI for marketing falls squarely outside those purposes, so the covered entity definitely needs an authorization first.
Hospitals, Patients, and Facebook
Suppose you’re a hospital patient waiting (and waiting) to see your doctor, and browsing the hospital website on your laptop looking for answers to a medical question. And let’s assume the hospital website also has a Facebook plugin that supports “like”.
As an active Facebook user, you are also keeping friends informed of your medical adventure.
Unbeknownst to you, the plugin is loaded from Facebook’s servers, so your browser sends Facebook the URL of each hospital page you view. Facebook’s own cookies on your laptop travel with those requests and tie the URLs to your account, which lets Facebook target ads to you.
So as you’re lying in bed scrolling through friends’ status updates while in an amazing amount of pain, you might be served an ad about, say, morphine drips, based on your browsing of the pain management section of the hospital website.
Of course, this is a huge part of the way Facebook makes its money. And this is what the suit is alleging took place with the hospitals and healthcare organizations that were named: webpages with Facebook plugins were sending browsing histories back to the FB mothership.
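To see what such a plugin actually hands over, here is an added example, written for this edit rather than taken from the original post or from Facebook: a small Python audit that scans a page’s HTML for embeds served from Facebook domains and reports what each one would send. The hospital URL and HTML are constructed for the example; the `like.php` endpoint with its `href` parameter is what the Like button plugin has historically used, treated here as an assumption. Facebook’s cookies are the browser-side half of the leak and aren’t visible in the HTML, so the script reports only the URL exposure.

```python
"""Audit a web page for third-party embeds that would ship the page URL,
and with it the browsing topic, to an ad network such as Facebook.

Added example for this post; not the original author's code. The sample
page URL and HTML are constructed, and the like.php / href details are an
assumption about how the Like button plugin has historically been loaded.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Hosts that end in one of these domains are treated as Facebook-controlled.
# Ordered most specific first so matches are deterministic.
TRACKER_DOMAINS = ("facebook.com", "facebook.net", "fbcdn.net")

# Tags whose src/href the browser fetches automatically when the page loads.
EMBED_TAGS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


class EmbedFinder(HTMLParser):
    """Collects every (tag, url) pair that the browser would load on its own."""

    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        attr = EMBED_TAGS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url:
            self.embeds.append((tag, url))


def tracker_domain(url):
    """Return the matching tracker domain for a URL, or None if first-party."""
    host = (urlparse(url).hostname or "").lower()
    for domain in TRACKER_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def audit_page(page_url, html):
    """Return one finding per Facebook-served embed, describing what leaks.

    Every embed fetched from a third-party host sends the embedding page's
    URL in the Referer header unless a referrer policy trims it (older
    browser defaults sent the full URL; current defaults send only the
    origin cross-site). Any Facebook cookies in the browser travel with the
    same request, tying the URL to a Facebook account. The Like button
    iframe additionally repeats the page URL in its `href` query parameter,
    so that leak does not depend on referrer policy at all.
    """
    finder = EmbedFinder()
    finder.feed(html)
    findings = []
    for tag, src in finder.embeds:
        domain = tracker_domain(src)
        if domain is None:
            continue
        leaks = {"referer": page_url}
        params = parse_qs(urlparse(src).query)
        if "href" in params:
            leaks["href_param"] = params["href"][0]
        findings.append({"tag": tag, "domain": domain, "src": src, "leaks": leaks})
    return findings


# Constructed sample: a pain-management page with the Facebook SDK and a
# Like button iframe, plus two first-party assets that should not be flagged.
SAMPLE_PAGE_URL = "https://hospital.example/services/pain-management/morphine-drip"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <script async src="//connect.facebook.net/en_US/sdk.js"></script>
</head><body>
  <img src="https://cdn.hospital.example/logo.png">
  <h1>Morphine drips: what to expect</h1>
  <iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fhospital.example%2Fservices%2Fpain-management%2Fmorphine-drip&amp;layout=button"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{f['tag']:<6} -> {f['domain']:<14} leaks {f['leaks']}")
```

Run it against the HTML of your own pages: anything flagged on a page whose path names a condition or treatment is exactly the kind of URL the suit is about. The `href` parameter finding is the one to watch, since it repeats the full page URL no matter how the browser’s referrer policy is set.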
So What’s the Problem?
Another crucial fact: PHI covers more than a name, address, and other obvious identifiers.
While the healthcare organizations in the suit are not sending classic identifiers, they are potentially providing URLs, IP addresses, and sub-state-level geographic data back to FB.
All three appear on the Department of Health and Human Services’ 18-element safe harbor list of identifiers, so under HIPAA’s definition, health information tied to them qualifies as PHI. Sending it to a third party therefore requires patient authorization, which the websites never requested from users.
We’ve written previously about the broad definition of identifiable data used by HIPAA. In this case, these providers seemed to have been caught in the PHI’s very wide net.
In short: PHI is being sent from these websites to Facebook without patient permission. A big HIPAA violation.
Legal Questions
I’m not a lawyer, but this suit does raise an issue or two for me.
If you’re not a patient of a healthcare provider but use the site anyway, are you covered by HIPAA?
One argument I read is that if a hospital is a covered entity in the context of a patient-provider relationship, they’re a covered entity in all contexts, including the more typical user-website relationship.
So it doesn’t matter that you’re not a patient when browsing a hospital website: HIPAA would still apply!
The suit essentially says a hospital website can’t take online user information and send it to an ad network without violating HIPAA. If this claim is proven right, it will have enormous implications for the use of health and possibly non-health data by ad networks.
Facebook is clearly not a covered entity, so what did they do wrong?
The class-action suit says that Facebook violated state laws on health information, and — get this! — the federal Wiretap Act.
There’s a California law, for example, that requires explicit consent for health information to be sent to third parties. And if we use the broad PHI definition of identifiers, then Facebook could have violated that state’s law.
And the Wiretap Act may kick in when you intercept communications over the Intertoobz without authorization. To me, though, this last one seems a bit of a (ahem) legal stretch.
This law suit is being closely watched by privacy pros. We’ll keep you posted if we hear anything new.