Do Tech Giants Violate HIPAA by Tracking Trends?

Original story posted on: September 16, 2020

The Social Dilemma of Health (SDoH).

In March 2018, the world was shocked when it became public knowledge that Cambridge Analytica, a company based in the United Kingdom, had used data from Facebook to impact the presidential election in the United States. It turned out that they had also provided data to the groups supporting Brexit in the U.K.

It should not be a surprise that Facebook had shared data on its users for profit. Facebook said they allowed some access to Cambridge Analytica, but the company had used survey questions to hack into Facebook data, in a manner not intended by Facebook. I am dubious about this claim. The old saying in technology is that if the product is free, then the user is the product. 

The business models of Facebook, Twitter, Instagram, and TikTok are similar in that the service to users is free. Companies that wish to advertise on these platforms get the benefit of placing the user’s eyeballs on screens where advertisements are seen. 

First, advertisers get access to the age, race, sex, and lots of other demographic information on the people that click on the advertisers’ “landing pages” from the social media platform. This is the information companies get when you simply access their site. 

Media companies like Facebook also know what social groups you joined and, critically, with whom you are connected. They create user “profiles” with various amounts of sensitive data. 

In the case of Cambridge Analytica, they obtained 87 million Facebook user profiles. Included with these profiles were Facebook pages each user “liked.” Also included in the profiles were the user’s date of birth and location.     

In the case of Google, in exchange for answering users’ Internet searches, the company has information not just on what was searched for, but in many cases, on every location users have been, sometime for years.

Let’s go back to our first observation about social media companies. Users are the product. While Facebook apologized for the Cambridge Analytica breach, what they didn’t say was that they had stopped collecting and selling this data in some fashion.    

In the case of healthcare, I ask the question: does having data, even if it is saved in grouped data, violate the Health Insurance Portability and Accountability Act (HIPAA)? If the manufacturer of a drug used to treat hemophilia knows the number of people searching for its drug by ZIP code, directly or indirectly, does this violate at least the spirit of HIPAA? 

I understand that Facebook and Google hope you believe that they do not maintain data at an individual level. They say that the data they sell to advertisers excludes individual data. I would argue that by simply reviewing enough of the data they sell, advertisers could match data to individuals. This is how collection companies perform “skip tracing:” finding people to collect unpaid accounts. 

I think it is time to look at how much data technology companies have that may constitute a violation of HIPAA. I also think it is time not to consider just individual data, but how data summarized into grouped data may violate HIPAA.  

Timothy Powell, CPA CHCP

Timothy Powell is a nationally recognized expert on regulatory matters, including the False Claims Act, Zone Program Integrity Contractor (ZPIC) audits, and U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) compliance. He is a member of the RACmonitor editorial board and a national correspondent for Monitor Mondays.

This email address is being protected from spambots. You need JavaScript enabled to view it.

Related Articles

  • The Impact of COVID on the Social Determinants of Health
    Food insecurity is on the rise. Amid the perils of the continuing COVID-19 pandemic are now growing concerns about food shortages around the country. Since COVID began, the U.S. Census has been tracking the impact of the associated economic crisis…
  • COVID and the SDoH
    New study reinforces SDoH impact Focus on the social determinants of health (SDoH) continues to intensify nationwide, and that means potentially higher costs of care for healthcare organizations. The recent study by NPR, the Robert Wood Johnson Foundation, and the…
  • Health Literacy, COVID, and the SDoH  
    Over the course of the continuing COVID-19 pandemic, one topic has mysteriously fallen under the radar. It’s something that greatly impacts health outcomes, and especially virus transmission rates. The Joint Commission identified this issue in 2008 as among the most…