World Aghast at Facebook Data Scandal, But HIPAA Shares Private Patient Data Every Day

For Immediate Release
April 17, 2018

Citizens’ Council for Health Freedom: Under HIPAA, It Is Perfectly Lawful for Hospitals to Share Deidentified Patient Data with Facebook—and That Should Frighten Every American

ST. PAUL, Minn.—Headlines exploded when it was discovered that Facebook may have had a role in allowing a UK-based political data firm that worked for Donald Trump’s presidential campaign to improperly access data on 87 million people, CNN, among others, reported. Less than a month later, CNBC reported Facebook had a plan to match Facebook user data with patient data, which was put on hold after the previous leak was discovered.

Facebook founder Mark Zuckerberg was grilled for 10 hours last week on Capitol Hill regarding the furor of sharing users’ information without their consent. But Citizens’ Council for Health Freedom (CCHF) points to the irony that the Health Insurance Portability and Accountability Act (HIPAA) “no-privacy” rule shares American’s private, identifiable medical data every day.

HIPAA is a permissive disclosure rule allowing most information to be shared for many purposes without patient consent, said CCHF president and co-founder Twila Brase.

“HIPAA is not a privacy rule, but most Americans don’t know that,” Brase said. “And while having information shared unknowingly through Facebook is alarming, many Americans aren’t even aware that their private medical data is regularly being shared with others without their consent because of HIPAA, particularly for a long laundry list of health care operations unrelated to direct patient care. In fact, patient data can be shared for any reason as long as the federal deidentification standard of deleting 18 identifiers is followed—even though it still has some risk of identification, per HHS. Patient data can also be shared if only 16 identifiers are removed as long as an agreement to not reidentify the patients is signed. Even though Mark Zuckerberg has put his plan to match patient data with Facebook user data on hold, it is perfectly lawful for hospitals to share deidentified patient data with him under HIPAA—and that should frighten every American.”

According to Fortune, “The (Facebook) plan would have seen health organizations hand over patient information with key details, such as the patient’s name, obscured. This information would have been matched with the patient’s Facebook records to see if there is any information in there that could help treatment—for example, if an elderly patient doesn’t seem to have many friends, they may require more at-home care following surgery.”

Leading up to National DNA Day on April 25, CCHF will be educating Americans about how sharing their personal information—medical or genetic—can negatively impact their privacy. For example, many Americans are curious about their ancestors or which diseases run in their family.

“Dozens of genetic testing firms are happy to tell you,” writes Brase in a new op-ed for the Minneapolis Star Tribune. “But they’re less eager to divulge a different secret—how they share or sell your DNA samples. Testing companies write dense, confusing privacy policies that make it easy for consumers to unwittingly sign away the rights to their own genetic data.”

Read Brase’s entire commentary here.

CCHF has also been instrumental in working to protect Baby DNA and informing parents that states are collecting, storing and researching their baby’s genetic blueprints—often without their consent. Read more about CCHF’s Baby DNA work at www.ItsMyDNA.org.         

For more information about CCHF, visit www.cchfreedom.org, its Facebook page or its Twitter feed @CCHFreedom. Also view the media page for CCHFhere. For more about CCHF’s initiative The Wedge of Health Freedom, visit www.JointheWedge.com, The Wedge Facebook page or follow The Wedge on Twitter @wedgeoffreedom.

view pdf