Social Media Leaves HIPAA Irrelevant

Posted on  April 19, 2018


In light of the recent recognition that on an almost global basis people’s private information is virtually an open book, one can only wonder if the protection of PHI, (Protected Health Information) that HIPAA meant to protect, is illusory. To the extent that emails and other communications meant for designated recipients are analyzed, scraped, aggregated and stored it is in the opinion of this author that the protection of PHI is illusory. Furthermore, internet search history is also used to develop profiles of an unsuspecting public. The fact that Facebook monitors internet activity even when the subscriber is logged off is enough to validate the fear that internet and social media users are subject to a level of privacy intrusion that most of us think is unimaginable.

Health providers – covered entities and their downstream counterparts dealing with PHI – must jump through regulatory hoops regarding the storage of and limitations on the dissemination of information. Apparently, to a large extent this information is already in the hands of numerous social media outlets without any legal restrictions on the aggregation, storage or dissemination of the information which most certainly contains at least part of the medical information that HIPAA and HITECH control.

The sad truth is that the scale and scope of data that is aggregated by various social media portals is staggering. It is reasonable that included in the information available for purchase and information that has been scraped and available to anyone willing to pay is medical related information. In light of this, one can only wonder why the medical profession is being subject to the rigors of HIPAA to protect patients’ information when there apparently is a door wide enough through which to drive a truck.

Without harping on the Facebook issue, there are five points I would like to make.

  1. The Facebook issue underscores the fact that the most sensitive personal data is aggregated by entities, generally classified as social media outlets, and those outlets are not subject to the legal protection that PHI enjoys under HIPAA.
  2. The aggregators have shared this data with marketers, advertisers and researchers without any idea how or the extent to which the information would be used.
  3. Listening to the Senate interview of Mark Zuckerberg, it is apparent that the government is only now, in 2018, taking a stab at understanding how and to what extent this information was available.
  4. As opposed to HIPAA, which started with legislation, the only formalized requirement for privacy before HIPAA was possibly the Hippocratic Oath; on the other hand, social media giants are being asked to develop protocols, which at best, they will self-govern.  Only if they fail will the government intervene.
  5. In response to the massive data issue at Facebook, social media companies are primarily being questioned about how they share their data, but the predicate question about the aggregation of data and how it is stored or protected is not even being questioned.

Why? The answer that seems to be forthcoming is that we do not want to stifle development, social media is free, and the social media portals must have a revenue source. When the mention of fees for use is brought to the table, however, it is viewed as a nonstarter. My question is why? Maybe there should be nominal fees for communication like telephone once was and disallowing the aggregation of data, so that when someone goes on a social media site, they will only transmit data to those people that they choose to, and no data will be aggregated.


Bottom line.

Why are doctors or covered entities and their downstream conterparts subject to the protocols, costs, statutes, and staggering fines when a good part of the information is apparently in the seemingly unrestricted hands of social media companies as aggregated data?

Imagine a medical provider offering the excuses/apologies offered by Mark Zuckerberg and how well they would go over with the government in the event of a HIPAA breach!

“I apologize for any harm done,” November 2003 after closing FaceMash.

“This was a big mistake on our part and I’m sorry for it,” September 2006 on News Feed feature.

“I ask for forgiveness and I will work to do better,” September 2017, on election interference on Facebook.

”This was a breach of trust and I’m sorry,” March 25, 2018 newspaper ads apologizing for Cambridge Analytica data breach.

“It was my mistake, and I’m sorry,” April 10 testimony to Congress.

It seems that doctors and the medical community as a whole are the group that the government “loves to hate.”

Examples of this treatment of the medical profession are HIPAA, the default position that doctors are suspected of improper referrals, and how the opioid crisis seems to be laid at the feet of doctors and pharmacy companies.

With the large number of doctors practicing, there may be some bad apples, but why as a whole are people who have dedicated their lives to helping others, who have made great financial sacrifice to put themselves through school, and are members of an honorable profession treated as guilty until proven innocent?

What do you think?

Bookmark This Page

Comments 54

  1. As long as Facebook is paying taxes I am sure there is a degree of leniency. Somehow in the US the rich keep getting richer, don’t they? I don’t even want to guess what else the public doesn’t know about Facebook, unauthorized personal information used, or the government in general. It’s all a circus.

    1. Your concern is valid! But, if the personal data of a patient will become public without patient’s authorization remains to be proven. I do not think people with less knowledge in the business can make laws to prevent these “leaks” since the “master of the universe” will be able to find a solution. In my opinion , when such a think will take place, Facebook e.g. should be fined heavily. It will not be repeated, I assure you!

  2. I’m not sure I agree with your conclusion. I can see how the massive data scraping could reveal the identity of a patient’s medical provider and perhaps upcoming medical appointments (received via emails or text messages), I fail to understand how additional information regarding a patient’s medical history, diagnosis, prognosis is easily obtained.
    That said, thanks for providing some food for thought.

  3. Great article! There are some very valid points I had not considered, thank you for making me “think”.

  4. Security and patient data is still vague and it will be more as we the advancement of patient portals from leading EMR such Epic, cerner,,, etc.

    1. Security and patient data is very clearly identified in HIPAA. Patient portals offered by healthcare providers must comply with the HIPAA Privacy, Security and Breach Notification Rules.

      Individuals often share their personal health information they believe are ‘patient portals’ groups on social media site. None of these groups are bound by HIPAA and any personal information shared is done so at risk.

  5. I think it’s a common issue at this stage of developpment of data science and artificial intelligence. On the top of this are financal and medical institutes which have access to large amount of information.
    From my point of view the solutions can be found by 1) implementation of more strict rules of collection and usage of the information, and 2) self-organisation of market players by consideration of higher ethic behavior.

  6. We have to be smarter be not post intimate or personal data. Almost if you use privacy setting you can select what you wish public to read/view vs people you trust. Be wiser add people you know or are well known or referred by colleague. If you add a stranger that’s ok but if you notice strange behavior Just remove. I think most social media FB , Twitter LinkedIn are safe if you are careful and report unusual stuff the provider investigates and gets back to you. Just don’t ever post your $$ info or SS# or things that can be used to hack your Acct or personate you! I recommend signing up with Life Lock to protect your identification.

    1. Very thoughtful and smart response. It is important to be very cautious on social media. Ultimately people are losing trust in social media given Facebook’s current status of personal data not being private. Thank you for sharing the info about life lock protection.

  7. Some very compelling points that underscore the epidemic of provider burn out and an almost universal hatred for EMR. Regulatory has a choke hold on innovation in healthcare.. Doctors guilty until proven innocent? Paying for sins of the past?

  8. While I agree to ask the points you made, the only real difference is, the people and organizations in healthcare have agreed to/committed to keeping that information protected. Other data collectors or sources are not required to do so. It would be on the customer or patient to know where their information might be collected and to take steps to protect themselves.
    If I had the author’s private information (I don’t 🙂 ), health related or otherwise, it might not be moral for me to share it, but I have no legal obligation nor have I agreed not to share it.
    Perhaps HIPAA laws should be extended to apply to content, for anyone who holds the information, rather than on the holder of the information.

  9. Privacy has been eaten away in every area, until it is no more than a hope…
    Everything gets hacked, & distributed, or just posted by fools, political actors or criminals.
    Identity theft is ubiquitous…

    The idea that the Govt will protect our privacy is so funny, since often they expose it; helped by media, groups with sometimes bizarre agendas, & personal enemies, etc.

    A new construct is needed, for what is private & how to address & often correct it when it is public.

  10. You make some very valid points in this article and while for the most part, I tend to agree, I believe it is a very different issue-comparing PHI breaches via medical professional mishaps, to general data( name, address, DOB, etc) that gets through most social media sites. It is however a fair statement to say that the medical professionals that dedicate their lives to helping and serving others are way more scrutinized than say, the Mark Zuckerberg’s of the world. I also see where we as a nation continue to forgive those who hurt others as long as they continue to drive dollars in their doors and provide to us what we feel is a service that should always be FREE. Until we change the public’s mindset ( that will be a challenge in and of itself) I don’t see this improving – I loved your article and perspective.

  11. While the behavior of those who control access to social media data is appalling, it doesn’t absolve health care providers and facilities from the ethical responsibility for confidentiality. That responsibility is defined and mandated in HIPAA, HITECH, and related legislation. Unethical behavior by some does not excuse unethical behavior by all. While adjustments to improve the practical implications of these laws would be welcome, it is a fundamental responsibility of all who care for patients to maintain strict confidentiality and use their patients’ information only in ethical ways that benefit the patient or, in the case of research, society. HIPAA is not irrelevant. It is driving culture change by reminding providers to respect and defend patient privacy and autonomy.

  12. Private health information is the burden of the licensed medical/mental health provider, not social media. I have written about and long used online digital services models to treat patients; these sevices are done in “black web”, secure, user to user encyrptions. Traffic to and from a website is data and it is gathered. In HIPAA compliant platforms, data is end to end only. The public, as they have always dive, can self identify health information; when they do so in non-encrypted platforms unfortunately the onus is on them – not the provider or the data tracking companies. Facebook is a public forum – whether users know that data is harvested not, the publicity of it (along with blogs, instagram, linkedin, twitter, google, etc) is known. The resharing of data is known. To say that HIPAA is illusory suggests the mental health expert is responsible for where and what clients say on social media. This is not anymore true online than when a client introduces themselves to their therapist at a restaurant. The health professional must use discretion in all media; this is not new. If a client outs their information online connected to a provider, the provider may respond privately to the client or take no action at all; providers are using non-secure platforms, because as you have said it’s free. Providers are obligated to use secure HIPAA compliant platforms for any medical information sharing. Again, the onus is and always has been on providers. We can call a client; we can direct them to private plaforms. Skype is not HIPAA compliant. There are video platforms that are. Information has long been shared without clients knowledge in this country. Health insurance companies have long reported diagnoses’ to a national non-profit for risk tallies to limit or change rates (ie: buy life insurance and that database is checked before policies are issued to limit or alter coverage). Billing insurance is a data aggregate file aharing system! Facebook, blogs, instagram, pintrest, twitter, linkedin … these are not the problem in PHI and HIPAA. The ill informed or follying provider, responding in a non-secure platform … they are the problem. The solution? Providers must use and ditect online traffic to HIPAA secure platforms, it’s really that simple. What about breaches? Business services agreements cover this and HIPAA has legally required steps when data that identifies a patient (by the provider) occurs on accident or on purpose. Which takes us back to compliance.

  13. My fear is that with the advancement of electronic medical recording systems, patient portals and the ease of interconnection of theses health information storage systems, patients may become a bit leery about full disclosure of their medical histories with the underlying fear that it could end up in the wrong hands and God forbid…used for unintended purposes other than efficient healthcare delivery.

  14. Wow! A lot of great points were made. Some I agree with, some not so much. Please feel free to post this if you want. (But please post all or none of it.)
    I agree w the author in that “government seems to ‘love to hate’ doctors and the medical community.” I would add that the “average person” also “loves to hate” physicians and the medical community. That being said, most people, in my opinion, are rather ignorant as to what goes on “behind the scenes” in medicine. Most people have no clue as to the sacrifices that physicians, etc. make, day-in and day-out. “They” “see” (physicians) as an uber-wealthy body of people who do nothing but “take.” (Needless to say, in my opinion, that couldn’t be further than the truth!)
    With regard to HIPPA and the five points: First, in my opinion, HIPPA was always a false sense of security. I agree that no ones personal information is really personal; and/but, I don’t think it matters. I sold MANY pharmaceutical and biotech drugs. I knew that if x,y,z patient was prescribed Tysabri, that patient had MS. I knew that if someone was prescribed Diflucan, 150mg, she had a vaginal yeast infection. There goes HIPPA!! But, who cares? And, with regard to data collected, I wish (and I still hope) that the medical community will figure out a way to use the data collected. Medicine could grow leaps and bounds if/when “someone” puts together an algorithm of sorts and does retrospective meta-analyses with that data.
    Also, we all know that physicians didn’t “cause” the opioid crisis. No one was “forced” to take an opioid. People/patients made a conscious decision to continue to take a prescription drug, knowing they didn’t “need” it anymore. At the end of the day, we all make good and bad choices. Still, the choice is ours. My point is: Who cares about privacy and HIPPA? And, why? We (society) can go through life thinking that “labels” mean something. They don’t. It’s a label. “We” can either embrace the labels we like and walk away from those we don’t; or, we can become a victim of a label that someone else puts on us. We make choices in life. I agree that we have no privacy. Who do we want to hide from anyone? When and if we embrace what IS, the rest doesn’t really matter, right?

  15. A good discussion

    You see some truly cringeworthy posts and shares on facebook. It makes you wonder what is going on in peoples heads.

    I think a different standard has to be applied to the medical community and we do have an obligation to protect pt information.

    That said, if Mr. Smith wants to walk down main street with a sandwich board listing his medical conditions, post them on facebook for the world to see, or create a blog for people with the same condition to share information then Mr. Smith has the right to so (First amendment).

    All of social media facilitates information bad, good, even ill advised. The individual posting has to bear the responsibility. Many positive stories (testimonials) are put out there by medical groups and hospital systems but always with proper releases and pt permission.

    So the way I have always seen it is we (medical professionals) do not have the right to divulge this information we are charged with protecting it.

  16. Very interesting article and comments. I believe you are right and for the most part the idea of Health related data being private is an illusion. It obviously appears that the different insurance carriers share information about the patients, even carriers that are not part of the same “network”. They use to call it the “Insurance Bank” where they shared data on each soul or unit or head. That was one of the ways they could deny your policy for finding out you received care from another carrier for “headaches” and then 10 years later when your admitted to the Hospital your coverage for the brain tumor admission/surgery is denied as preexisting. Of course they say there is no pre existing anymore, but they still have ways around that and all kinds of ways to cancel your policies if they want. They can easily get a hold of any ICD-9 or 10 to get you diagnosis for treatment since we know several of the insurance carriers have been hacked (including at least two that I have had) and see what you been getting treatment for. Also, if your doctors office makes billing and dx coding mistakes such as giving you the dx of breast cancer or prostate cancer instead of uncertain behavior of tumor ( remember the old days r/o cancer?) you can still end up with cancer on your list of diseases for years and you would never know it, until one day you find out why they are charging you more for your policy or you get denied for coverage issues.

  17. I understand your comment and empathize with physicians and healthcare facilities working to master the many and varied regulations under HIPAA. However, the regulations are still needed. Review of the reported cases posted to Office of Civil rights “Wall of Shame”, you’ll find that since the start of reporting in 2009, over 175 million individuals were affected by a breach. That is half of the U.S. population who have experienced a loss of personal data.

    I think some responsibilities sits with the rapid conversion of healthcare use of EHR, texting, and other electronic devices. Though EHR’s have been around for a while, it wasn’t until 2014-2015, where many physician offices seriously started implementing electronic health records. The learning curve in the use of these programs and the security of systems opened a whole set of concerns that still are not being addressed by many medical facilities.

    Further development of cyber and internet law is needed. The focus should be in developing laws that allow enforcement of monetary and criminal penalties on cyber-criminals. The GDPR, General Data Protection Regulation of the EU should be expanded to cover the development of international law, creating the ability to catch and penalize cyber-criminals when found in countries outside your own nation’s borders.

    Laws also need to address social media companies, such as Facebook, who should not be allowed to simply apologize for the information taken from their servers, but face some real fines levied against them.

  18. I have empathy for anyone who is truely in the trenches working as a health professional to save lives in an honorable way. I see zero excuses for the Facebook privacy breaches. Zero. Comparing the legal assets and legal resources available to avoid a HIPPA or privacy mistake between a huge company aka momopoly like facebook and what even a private doctor vs. Public Health Clinic might have is ridiculous. Comparing what motivates these professionals to get out of bed Ebert day might also be note worthy. We are losing our daughters and sons and neighbors to addiction.

  19. For those concerned with privacy issues, be aware that the horse has already left the barn! All our financial, banking, credit information is handled offshore. Remember “Peggy”? Well he/she is still there, still handling your cell phone & computer support service, your house & car loans, your internet, your public utilities – you name it. We’ve known all this for years!

    Is it really any wonder that the name of the game – any game – is aggregating information about the every day consumer for a price? There’s big money for collecting this kind of information, and once again we are being made aware. Only very recently it’s been discovered that access to DNA records is being sought and used for law enforcement. How soon before it’s sought & used for other reasons such as denying a person healthcare coverage based on what could be, not what is? We’ve already seen denials based on what was (pre-existing conditions).

    Enter the healthcare industry who, in the interest of “cost saving measures” allows hospitals, medical insurance companies, and other healthcare providers/entities to send all that PHI and financial information offshore to businesses (think India, Pakistan, Philippines, Brazil and who else knows where??) who cannot, and never will, be held accountable by USA laws because they’re unenforceable off USA soil.

    Let’s add some insult to injury here: how many physicians aren’t even aware that the billing company with whom they are dealing is “selling off” the work to unknown, unmentioned entities offshore? Those of us who’ve been in the industry long enough have pretty much all dealt with endless appeals of offshore people trying to get our passwords & accesses for the promise of splitting the payment we receive as we do nothing while they do all the work, but I digress.

    Better for you to ask: if the HIPAA laws are not enforceable beyond US borders and we ALL know it, do these laws need to be updated? Are these ancient laws designed for today’s society? NO, they are not.

    True, HIPAA is meant to protect what the average USA citizen/worker/healthcare provider/entity does with PHI, but when a breach occurs it is the American hospital or physician who bears the cost and subsequent penalty. No BAA can or will protect the USA citizen for what is done offshore. For example: the hospital that offshores its PHI to another country finds its computers have been hacked, they pay a penalty or fine plus they must bear the expense to clean up the mess or they leave the expense to the patients who find their own personal, financial and healthcare information compromised down the road.

    How big is this problem, you ask? See here, you tell me:

    This brings us back to your assertion that HIPAA is illusory. If the average, every day person cannot be really protected by these “privacy” laws on just about any level, then yes, your assertion that HIPAA is illusory is dead on, but it goes well above and beyond social media. “Peggy” is very much alive and well and still working.

  20. Interesting post. I do believe we have illuminated the problem. I have concerns laying the blame solely with Zuckerberg as so many people post vast amounts of information about themselves on social media period. I am aware that many corporations and businesses have data breaches including Experian and many other employers who had ? in place to protect our personal unposted data. I believe HIPPA has always meant to be helpful, however often quite convoluted and in some cases harmful. You are right, health care providers are often ruthlessly prosecuted, without any intent of violation or harm. Again… so many questions, but what we need, is answers and a more up to date way to protect PHI.

  21. I think a large part of what your missing that you could have highlighted is the number of HIPPA breaches that occur each year and cost some medical facilities into the hundreds of thousands of dollars. Even a simple breach. You choose to use Facebook or social media platforms and you run a risk.
    I am not saying that they should be allowed to tap into your medical data or purchase private information but we live in an age where it’s normal to ask Siri or Alexa something. Do we really think the companies that produce those products don’t want to know who’s asking for what? Maybe it’s time we just stop penalizing the healthcare system so heavily on protecting HIPPA and keep moving on with our day.

  22. While Hippa is extremely important in the addiction and mental health field it is been more of a hindrance on better outcomes. Obviously people should have the right not to have the personal information disseminated to anyone but are not allowing providers in a persons life to communicate with each other without the express written consent of the client it is extremely hard to coordinate care and to help someone. And example is if a client of our agencies case management department is having a crisis of some kind and we need to involve the therapist or psychiatrist, works for another agency, instead of being able to have an open conversation despite having sign consent forms we have to get past the secretary who is afraid of losing her job unless her blanket statement is I’m sorry I can’t confirm or deny that the patient is with our agency. This is just one example but there are many different variables of this conversation that happen every single day and get in the way of good care. We have also cut out family members, who are vital to the health and well-being of 18 to 25-year-olds with a mental illness or an addiction. If that 18 or 25-year-old will not sign a consent form for the clinicians or doctors to talk with the parents, which happens all the time, the parents feel hopeless and the clinicians and doctors cannot rely on the family support necessary for someone to recover.

    Your points around social media needing to be more secure a very accurate. However we live in a very open society where someone somewhere knows everything about you. And someways if the stigma around medical concerns mental illness or addiction could be lifted we would all be in a better place. However there’s too much judgment and discrimination which is ultimately where all of this privacy has been demanded in the medical world.

  23. I think you hit the nail on the head with HIPAA, privacy, and security being illusory. Hospitals create policies, procedures, and technologies to assist with protecting PHI. However, there is no clear way to “prevent” breaches in security if what we are trying to do is protect information. Legislation doesn’t begin to scratch the surface on confidentiality (with anything, let alone PHI). One could argue that it really started with the HIV/AIDS epidemic (or any infectious disease). Clinicians are mandated to report infectious disease for the public good and one could see that as a “breach” since they are also mandated to use names (individual autonomy vs. public beneficence). But looking at the bigger picture, once information is “out there” in any format, it is out there and subject to distribution. I am, however, not convinced that the information age is the root cause… it just made it easier.

  24. Good food for thought. I totally concur on the social media debacle, but I think PHI is much better protected by physicians and health systems than you portray in this well written article. I wish you had delved further into whatever research you have to support your statement indicating the contrary: “Apparently, to a large extent this information is already in the hands of numerous social media outlets without any legal restrictions on the aggregation, storage or dissemination of the information which most certainly contains at least part of the medical information that HIPAA and HITECH control. “

  25. Understand ling and processing patient health or managing pathology is not as easier as “stealing” a web user’s cookies, search queries, or post. Social media and internet usage today cannot easily give us patient’s vitals or past medical history, ect..

  26. Tracy,
    There is a big difference in doctors and or their downstream counterparts subject to the protocols, costs, statutes, and staggering fines because when I am at my most valuable, I want to count on my information being “Protected”.

    As new media, technologies come forward, they too must be regulated, and added to paying a cost when they monetize my private information. There is a big difference in Facebook using my personal information, then my doctor giving it to drug companies, other to make money off of my grief!

    We got to get this right, but don’t add Providers are the obligation to use secure HIPAA compliant platforms for any medical information sharing. It’s like saying, they are doing it, why can’t we? You know, they would if they can get away with it!

  27. This is an interesting article but the reality is that healthcare providers remain under HIPAA and it is unlikely that PHI will become unprotected ever. There are solutions on the horizon that will make data compromise much more difficult or at least make the likelihood much less concerning. If you look at the advancements in block-chain solution and how that will be leveraged in healthcare it is very promising. Take a look at and see where this is headed. THere are a lot of smart people and a lot of money being poured into this.

    Thanks for the thoughtful post!

  28. It is certainly true that much of our information is lost on Facebook and other Social Media Sites. There can be no doubt of this. If our entire Federal Government can’t protect an election, clearly online information is vulnerable.

    However, does this mean that we should stop using online records? Most doctors are using or starting to use online records. These are web based and known to be at risk. I would think this is a much easier way to steal information, particularly if detailed text is desired.

    The problem with suggesting the we abandon HIPAA for this reason is ridiculous. The value of HIPAA is often questioned for unrelated issues, including how difficult it makes things, but abandoning our ATTEMPT for privacy must be maximized without damaging patient care. Using online record systems, will have way, way more data than any Social Media might.

    The internet is a new world in many ways, but the “good guys” meaning patient privacy, not just HIPAA, must be at the very least attempted. HIPAA needs improvement and it will get better. Regardless it is the current standard of care all healthcare providers must abide to. For the most part, patients want this and they certainly want the perception of privacy. We all turn our heads not to see what we do not want to see and our data is being stolen everywhere and all the time. Again, that does not mean we should not strive for as perfect privacy as we can do and live with

  29. This is a great article to start a conversation but I am not sure if the evidence was presented. If a doctor tells the waiting room his patient has cancer its a HIPPA violation, but if the patient walks out and yells I have cancer- no HIPPA violation, that was the patients choice. Same thing for social media- if you go facebook and post that you have cancer, that is on you. When you sign up for social media it is made very clear that it is a trade that they will tell big corporations your interests, such as you always click on Nike sneakers, so you will get more Nike sneaker ads. However, I have never seen an attempt to ask me any health information at all. In order to prove your point we would need evidence that when I search for medical needs such as cancer doctors, the social media groups are sending out significant indications to corporations that they believe I have cancer. If this is the case, then you have more of a point. I may have missed if this is where you were going.

  30. Thanks for reaching out. I mostly agree with the points of the article, but I view this issue from a broader perspective of a conflicted American culture. We are at the dawn of the next industrial revolution that will likely last more than a few decades. This event is reshaping our culture

    I remember watching the Bill Clinton Monica Lewinsky scandal on TV when I was in high school, and thinking nobody can get away with anything anymore. Transparency will replace privacy. And it is. Without getting into too much of a rant, I believe that pointing the finger at Zuckerberg for pulling the rug out from HIPAA legislation is just a byproduct of a larger cultural shift away from traditional American values. Freedom and privacy. The advent of blockchain may provide a solution to this paradox, but it’s evolution and adoption will shift the paradigm for all business. Please let me know what you think. With that said, I’m happy to share this article to see what others think.

    1. I agree with you, that this is part of the new “wild West“ and that there are far reaching and significant questions that have to be answered, as well as many questions that we have not yet reached.

  31. 20 years ago, I was an Executive at an “information compiling” company. Using compiled information is nothing new. If you drive a car, own property, are registered to vote, have a credit card, are married (or divorced), have a warranty on your refrigerator, have ever had a speeding ticket… your info has been available to anyone at a price.

    A few years ago, I sold medical software to major Medical Centers. Certainly medical info privacy is better than it once was, but no matter which hospitals I visited, wide open patient charts and forms were frequently lying around for all to see. It was not all that unusual for Hospitals’ patient databases to be hacked…

    Today I own an Executive recruiting business. For $19/month, I can look anyone up, see their current address, previous addresses, who lives in the house with them, their age, current and previous phone numbers, all their misdemeanors, felonies (including the charges), a picture of their house, a map of how to get there, their profile pictures from their social media accounts… and probably more info I can’t recall right now. It’s all public info… and it’s been available for a very long time. Companies that compile info have been in business (and doing quite well) for decades.

    So I don’t really “get” all the private info hullabaloo and why people are so gobsmacked.

  32. I totally agree with Kevin.I wasn’t sure if you were suggesting that HIPAA regulations were not necessary.They certainly do not apply to social media.And they are extremely valuable in setting the expectation that confidentiality and privacy be maintained with regards to medical records.I do have concerns however regarding the databases used by insurance companies which somehow access your medical information available to insurers in determining your insurance risk. How is this data made available without compromising HIPAA and privacy regulation?

  33. It’s also not uncommon for clinical research sites to have subjects sign a HIPAA release that completely eliminates privacy protections. So subjects may actually have less protection than before HIPAA was passed.

  34. A very interesting debate and highlights difference of option. It is the irony of our nation that on one hand we risk ourselves to identity theft in exchange of popularity on social media and on the other hand suffer from an expensive but not patient centered medical care due to limited information and barriers in acquiring care sensitive information in real time. I guess we as people have to decide whether we are ok with either or none scenario with proper use of information technology to allow real time sharing of information between different health entities to provide patient centered high value care.

  35. Yes ,as time change we have to make changes in our law
    It’s important this DNA age
    Privacy is important HIPA
    Stop some time good things to be happen for our health

  36. I agree with the points of concern raised by you in your article but beg to differ with your inference. We need to strengthen laws regarding personal medical history and make it obligatory that anyone spreading; selling or misusing medical data would be prosecuted to full extent of the law. The price for selling personal sensitive data should be so detrimental that people and organizations indulging in such activities could be easily subject to lawsuits and financial liabilities. Fast track justice should be provided for such crimes and bar of providing documentation and proof of innocence should be on the organization and NOT individuals bringing the claim. There should be NO detrimental personal or financial implications on individual plaintiffs even if their claim is proven wrong. PS: Strengthen Laws Protecting Personal Sensitive Data and make sure it is implemented in a FAST TRACK MANNER. Repeat offenders of Personal Sensitive Data should have their license to do business cancelled and not allowed to open alternate companies. Simple Laws to DETER MISCREANTS if IMPLEMENTED effectively will do the job.

  37. The article has excellent points. The role of HIPPA is to protect PPI, but it has its own set of ongoing challenges. Strategies to protect individuals private information on social media sites that is aggregated, stored and then sold by said sites without consumer knowledge will remain a challenge since an apology to the government seems to suffice.

  38. You are absolutely correct. In fact,, HIPAA was never about patient privacy but an excuse for govt and insurers to access private medical information. Look at the penalties for not reporting a breach of privacy, $50 K for one offense and over $1M for repeated violations. Sounds like a third world dictatorship. Thank you Donna Shalala and Tommy Thompson!

Leave a Reply

Your email address will not be published.