Every day millions of people share their interests, photos, and locations on Facebook. So why not share how you are feeling—medically that is. At least that seems to be the idea behind Facebook’s rumored plans to provide a platform for healthcare services. This month, anonymous employees of the social networking company leaked information that Facebook is planning to develop health applications, allowing users to make healthy lifestyle choices and connect with “support communities.” As part of this program, users would have to disclose private health information to Facebook. We have previously examined Facebook’s policy of forwarding user information to online advertisers and its alleged violations of European Union’s privacy laws. Due to Facebook’s history of privacy issues, this potential health program has raised the concern of some attorneys, especially given the extremely sensitive nature of private health information.
The rumored program would involve users sharing certain health information with Facebook, which would then be used to connect the users to a “support community” of other users suffering from the same illness or condition. The idea is similar to other websites dedicated to putting people in touch with each other to openly discuss their health struggles. It is also likely spurred on by the recent success of Facebook’s organ donor program. The organ donor program directs users on how to become organ donors in their state and then allows them to share their registration on their profiles. The initiative was a huge success, with hundreds of thousands of users registering to be organ donors within days of its launch.
But the idea of sharing extremely personal ailments or embarrassing symptoms has some people feeling uneasy. Christopher Calabrese of the ACLU argues that Facebook’s past exploitation of users’ private information should make users reticent to hand out the intimate details of their health. The concern is especially great in light of the increasing value of healthcare information to hackers. The history of exploitation Mr. Calabrese refers to may include the case In re Facebook, in which the Northern District of California Court found Facebook not liable for sharing user information with advertisers. The court held that Facebook was not improperly divulging electronic communications, but instead merely “transmitting” the communication to the intended recipient when users clicked on third party advertisements found on the Facebook home page. For future users of Facebook’s potential healthcare applications, In re Facebook suggests that such users may be disclosing personal information at their own risk, and that Facebook’s subsequent sharing of the material would be within its authority.
Another cause for concern is that unlike breaches of privacy by a doctor, breaches by a private company would not be held to the same standards, leaving less impetus for Facebook to keep this data as secure. The Health Insurance Portability and Accountability Act (HIPAA) regulates use and disclosure of private health information, but applies only to “covered entities,” which include health care plans, healthcare clearinghouses, and certain medical service providers. HIPAA grants the Department of Health and Human Services Office of Civil Rights authority to impose heavy civil and criminal penalties on covered entities that violate the privacy rules. Since Facebook does not fall under the covered entity definition, actions brought against Facebook for any unauthorized sharing of health information would have to come under state law, with the results being difficult to predict. Given that this idea is still in its infancy, we have to wait and see how the program manifests and which legal issues arise.