Last week, a complaint filed with the Federal Trade Commission (FTC) against the tech giant Facebook Inc. was made public. The complaint states that Facebook allowed misleading health information disclosures. It was brought before the FTC by cybersecurity researcher Fred Trotter, health care lawyer David Harlow, and patient advocates who have previously used Facebook’s closed groups.

The Complaint Against Facebook

The complaint originated with users who had been using groups that Facebook touted as “closed”, “anonymous”, and “private” to disclose sensitive health information about themselves. The issue arose with a women’s group centered on a specific gene mutation associated with a higher probability of developing breast cancer: personal information about its members was allegedly found to be extremely easy to download in bulk. Other users with sensitive diagnoses also found that their data had been shared with advertisers, who were then able to market to these users regarding the very issues they believed to be protected within these so-called “private” groups.

Their Response

In response to these allegations, Congress is calling for Facebook to answer questions regarding the violations involving their PHR (groups) platform.

A Facebook representative pushed back against the accusations that the company misused this information in an email that stated: “Facebook is not an anonymous platform; real-name identity is at the center of the experience and always has been.” They continued by highlighting the interpersonal nature of Facebook as a service: “It’s intentionally clear to people that when they join any group on Facebook, other members of that group can see that they are a part of that community and can see the posts they choose to share with that community. There is value in being able to know who you’re having a conversation with in a group, and we look forward to briefing the committee on this.”

What does this mean?

While Facebook isn’t bound by HIPAA, and so can’t violate the HIPAA regulations, it is subject to oversight from the FTC and could potentially face hefty fines if it is found to have inappropriately handled information that was solicited in these groups.

Users affected by this breach insist that because Facebook encourages the disclosure of sensitive health data in these groups, it should be required to notify users of breaches involving personal health records, despite being free of supervision from HIPAA and the Office for Civil Rights (OCR).

Leaders of the Energy and Commerce Committee sent a letter to Facebook CEO Mark Zuckerberg which read: “Facebook’s systems lack transparency as to how they are able to gather personal information and synthesize that information into suggestions of relevant medical condition support groups. Labeling these groups as closed or anonymous potentially misled Facebook users into joining these groups and revealing more personal information than they otherwise would have.”

Neither Facebook nor Zuckerberg has yet offered any official statement in response to the situation.

It is incredibly important that all businesses have a plan in place for how to suitably handle their customers’ private information, but it is even more critical when health information is included. Resources like the ones found at HIPAAgps can help prevent HIPAA violations and reduce breaches like those allegedly committed by Facebook, which stem from incorrect assumptions about information disclosure laws.