Is Browsing Facebook While in the Hospital a HIPAA Violation?

Michael Buckbee
2 min read
Published July 19, 2016
Last updated March 10, 2023

A recently filed federal class-action suit claims that several healthcare providers are violating HIPAA’s rules on protected health information (PHI). If the suit succeeds, privacy advocates say it has the potential to disrupt the way the ad targeting industry deals with the healthcare sector.

To really understand what’s going on, you’ll need some background on HIPAA.


HIPAA Privacy and Authorization

According to HIPAA’s Privacy Rule, covered entities (healthcare providers, insurers, and clearinghouses) must obtain a patient’s explicit authorization (think “check this box to approve PHI transfer to a third party” in an online form) before PHI is used outside of a few very specific areas: payment, treatment, and healthcare operations.

Using PHI for marketing purposes definitely requires the covered entity to get authorization.

Hospitals, Patients, and Facebook

Suppose you’re a hospital patient waiting (and waiting) to see your doctor, and browsing the hospital website on your laptop looking for answers to a medical question. And let’s assume the hospital website also has a Facebook plugin that supports the “Like” button.

As an active Facebook user, you are also keeping friends informed of your medical adventure.

Unbeknownst to you, URLs are being sent back to Facebook based on your hospital website browsing. The Facebook cookies on your laptop add identifier information that lets Facebook then target information to its subscribers.

So as you’re lying in bed looking at friends’ Facebook status updates while dealing with amazing amounts of pain, you might be served up an ad about, say, morphine drips, based on your browsing of the pain management section of the hospital website.

Of course, this is a huge part of the way Facebook makes its money. And this is what the suit is alleging took place with the hospitals and healthcare organizations that were named: webpages with Facebook plugins were sending browsing histories back to the FB mothership.
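To make the mechanism above concrete from the hospital’s side, here is an added example (not code from the post or from Varonis) of a small static audit: given a page’s HTML and URL, it lists every third-party script, iframe, or image embed and reports what each request would reveal about the page the visitor is on. Two channels matter: the `Referer` header the browser attaches (which the page’s `Referrer-Policy` controls), and the page URL that a Like plugin embeds directly in its own `?href=` parameter (which no referrer policy can suppress). The hostname `hospital.example` and the sample HTML are constructed for illustration.

```javascript
// Added example, not code from the original post: a static audit of a page's HTML that
// lists third-party embeds and what each request would reveal about the current page.
// "hospital.example" and SAMPLE_HTML are constructed for illustration.

// For a cross-origin HTTPS -> HTTPS request, what Referer the browser sends under each
// Referrer-Policy value. Fragments and credentials are never sent in any case.
function refererFor(pageUrl, policy) {
  const page = new URL(pageUrl);
  const fullUrl = page.origin + page.pathname + page.search;
  switch (policy) {
    case 'no-referrer':
    case 'same-origin':
      return null;                     // nothing reaches the third party
    case 'origin':
    case 'origin-when-cross-origin':
    case 'strict-origin':
    case 'strict-origin-when-cross-origin':
      return page.origin + '/';        // the site is revealed, but not the page
    case 'no-referrer-when-downgrade':
    case 'unsafe-url':
      return fullUrl;                  // the full path and query leak
    default:
      throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// Find src= attributes on script/iframe/img tags whose host is not the first party.
function findThirdPartyEmbeds(html, pageUrl) {
  const firstParty = new URL(pageUrl).hostname;
  const re = /<(script|iframe|img)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    let target;
    try { target = new URL(m[2], pageUrl); } catch { continue; } // skip malformed src
    const sameSite = target.hostname === firstParty || target.hostname.endsWith('.' + firstParty);
    if (!sameSite) found.push({ tag: m[1].toLowerCase(), host: target.hostname, url: target });
  }
  return found;
}

// For each third-party embed, report the Referer the browser would send under the given
// policy and whether the embed URL itself carries the page URL (Like buttons pass it as
// ?href=), which the Referrer-Policy header cannot remove.
function auditPage(html, pageUrl, policy) {
  return findThirdPartyEmbeds(html, pageUrl).map((e) => ({
    tag: e.tag,
    host: e.host,
    referer: refererFor(pageUrl, policy),
    pageUrlInQuery: e.url.searchParams.get('href'),
  }));
}

// Constructed sample: a hospital "pain management" page with a Like plugin and the
// Facebook SDK, plus two first-party resources that must not be flagged.
const SAMPLE_PAGE_URL = 'https://hospital.example/pain-management/morphine?lang=en#dosing';
const SAMPLE_HTML = `
<html><body>
<h1>Pain Management</h1>
<script src="/static/site.js"></script>
<img src="https://hospital.example/img/logo.png">
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fhospital.example%2Fpain-management"></iframe>
<script src="https://connect.facebook.net/en_US/sdk.js"></script>
</body></html>`;

// Stand-alone run: compare a permissive policy with the browser default.
for (const policy of ['no-referrer-when-downgrade', 'strict-origin-when-cross-origin']) {
  console.log(policy, auditPage(SAMPLE_HTML, SAMPLE_PAGE_URL, policy));
}
```

Run with `node audit.js`. The useful lesson is in the second column of the output: tightening `Referrer-Policy` shrinks what the SDK script request reveals to the bare origin, but the Like iframe still hands over the page URL in its own query string, so the only way to stop that leak is not to embed the plugin on pages whose URLs describe a visitor’s condition.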

So What’s the Problem?

Another crucial fact: PHI covers more than a name, address, and other obvious identifiers.

While the healthcare organizations in the suit are not sending classic identifiers, they are potentially providing URLs, IP addresses, and sub-state-level geographic data back to FB.

According to HIPAA, these would qualify as PHI — based on the Department of Health and Human Services’ 18-element Safe Harbor list. Sending them would therefore require patient authorization, which the websites did not request from users.

We’ve written previously about the broad definition of identifiable data used by HIPAA. In this case, these providers seem to have been caught in PHI’s very wide net.

In short: PHI is being sent from these websites to Facebook without patient permission. A big HIPAA violation.

Legal Questions

I’m not a lawyer, but this suit does raise an issue or two for me.

If you’re not a patient of a healthcare provider but use the site anyway, are you covered by HIPAA?

One argument I read is that if a hospital is a covered entity in the context of a patient-provider relationship, they’re a covered entity in all contexts, including the more typical user-website relationship.

So it doesn’t matter that you’re not a patient when browsing a hospital website: HIPAA would still apply!

The suit essentially says a hospital website can’t take online user information and send it to an ad network without violating HIPAA. If this claim is proven right, it will have enormous implications for the use of health and possibly non-health data by ad networks.

Facebook is clearly not a covered entity, so what did they do wrong?

The class-action suit says that Facebook violated state laws on health information, and — get this! — the federal Wiretap Act.

There’s a California law, for example, that requires explicit consent for health information to be sent to third parties. And if we use the broad PHI definition of identifiers, then Facebook could have violated that state’s law.

And the Wiretap law may kick in when you collect information over the Intertoobz without authorization. To me, though, this last one seems a bit of a — ahem — legal stretch.

This lawsuit is being closely watched by privacy pros. We’ll keep you posted if we hear anything new.

Confused by HIPAA? Then take our five-part email HIPAA class and soar like a legal eagle (or at least be able to answer a few legally related HIPAA questions).
