Today we have HIPAA and Facebook and they're diametrically opposed. #CHIME16
— John Lynn (@techguy) November 3, 2016
I tweeted this from the CHIME Fall Forum last year, but the idea is still on my mind. First, are HIPAA and Facebook diametrically opposed? Second, if they are or they aren’t, what does that mean for healthcare?
I’m not sure the intent of the person who said that Facebook and HIPAA were diametrically opposed, but I think it’s a reasonable observation. Facebook cares about getting and sharing as much information about you as possible. HIPAA cares about trying to protect your information.
While I think this is fundamentally how these companies think, the reality of what they do is much closer than people would think at first glance. While Facebook certainly wants to collect all of your personal data, it also has become quite sophisticated in its efforts to allow you to control how your data is shared. This wasn’t something that came naturally to them, but was forced upon them by years of crazy indiscretions which forced their hand.
HIPAA has come from the other end. While HIPAA is the portability act and not the privacy act (common mistake), that’s not how it was viewed when it was implemented. Everyone in healthcare saw HIPAA as a way to inhibit data sharing as opposed to a way to provide a framework for secure data sharing. In many cases, that’s still how people use HIPAA today. However, we’re starting to see that change as healthcare organizations have realized that their organizations need to share data. While not as progressive as Facebook in their data sharing controls, healthcare has become much more specific about how, when, what, and where they share patient data.
While we can find plenty of privacy and security issues with Facebook and HIPAA, I’d argue that both of them have become much more sophisticated in their approach to privacy and security. I believe this trend will only continue to get better.
What does all of this mean for healthcare?
Healthcare can learn a lot from Facebook when it comes to creating sophisticated privacy options that put the patient in control of their health data and allow the patient to control if and when that data is shared. However, we shouldn’t be surprised when we implement these controls and patients start sharing in ways that might feel risky to us. We may want to consider even more training on these sophisticated sharing options than what Facebook did for their users.
No doubt there’s a power in health data and much of that power is unleashed when it’s shared with the right people. The best thing we can do to unleash this power isn’t to create a free for all data sharing approach, but instead to take a more sophisticated data sharing approach that puts the patient at the center of the decision making process.