Turns out, Facebook’s creepy ability to recommend friends could be a new HIPAA Compliance issue.

HIPAA ComplianceA recent news article August 29, Kashmir Hill recounts detailed the story of a psychiatrist who started receiving friend suggestions for her patients on Facebook, and later found that one of her clients was getting friend recommendations for her other patients.

The psychiatrist, Lisa (her name was changed for confidentiality reasons), stated that she hadn’t sharedher email or phone contacts with Facebook, so how could the social media platform be making those connections. Then, to add to the issue, one of her patients informed her that he had been receiving recommendations for elderly individuals that he guessed had to be some of her other clients. When he showed her the recommendations, she did recognize a few of the individuals, but she knew that she couldn’t give a response for her clients’ privacy.

Another patient experienced a similar issue. This patient said that she had received a friend suggestion for someone she saw in the elevator at Lisa’s office. After recognizing the individual’s account, the patient was able to view that person’s online information thus gaining access to what was now protected health information because she was able to make the connection that the other person was another patient at Lisa’s office.

The main HIPAA compliance issue with these social-media-created connections is that now patients will not only recognize each other, which was an acceptable risk before, but they will know each other’s full names and whatever other information that is accessible online. Normally, if you sit in an office waiting to be seen, you might know a person’s first name and anything else they wish to give out to a stranger. With Facebook, you could learn a person’s full name, spouse’s and other relative’s names, etc. If people are unaware of the security aspects of Facebook, a complete stranger could see their posts and gather other information about them, possibly even why they visited the doctor’s office.

How did this happen?

Kashmir Hill, the writer, tried to determine how Lisa’s clients were being connected with one another. Hill reached out to Facebook for a little more information. At first, she thought it was based on the smartphone’s location and that Facebook was suggesting friends who were in the same place at the same time. However, Facebook claimed it used that method briefly in tests at the city level, suggesting they no longer use that method.

Finally, Lisa noticed that she had given Facebook her cellphone number. Many of her patients probably have that number in their contact lists. Consequently, even though Lisa didn’t share her contacts, her patients likely did, allowing Facebook to connect the two. Then, because Lisa was a common link between people, her patients were provided friend recommendations of other patients.

Due to the privacy issue involved, no one had information about the patients in order to conduct this investigation. Thus, Facebook stated that they could not corroborate this theory.

What is the takeaway here?

If you are a health care provider, we suggest not allowing Facebook access to your contacts or your phone number. You can turn off your location in your phone settings, so Facebook does not have access to that either. Additionally, we suggest not checking into a location, such as your health care office, where your patients might check in as well.

To learn more about other social media HIPAA compliance issues, sign up with HIPAAgps for full access to our training videos and other HIPAA compliance resources.