Wednesday, August 12, 2015

Whose Privacy Policies Do We Know More About? Facebook’s or US Health IT Systems’?

The Evolution of Facebook’s Privacy Policy

Today a new online journal, ‘Technology Science’, went live. Harvard Professor Latanya Sweeney is the Editor in Chief and Publisher. The project is funded by the Ford Foundation.

Harvard researchers used Patient Privacy Rights’ Privacy Trust Framework to measure, describe, and rate Facebook’s changes to its Privacy Policy through the years. Their paper is listed second on the Technology Science homepage. Download free at: http://techscience.org/a/2015081102/

According to this new research paper, we know MORE about whether Facebook’s Privacy Policies actually protect privacy (or not) than we do about US health-related or health IT corporations.

Why is research on the effectiveness of Facebook’s Privacy Policies relevant to the US healthcare system?

The public thinks HIPAA protects the privacy of personal health data, and that every company holding or using personal health data must comply with HIPAA.

Evaluating and rating the Privacy Policies of health-related and HIT companies would enable the public to see and understand to what degree the privacy of personal health data is protected (or not), and whether HIPAA compliance guarantees that the privacy of personal health information is protected (or not).

Suppose the Privacy Trust Framework’s principles and auditable criteria are used to evaluate and rate the current Privacy Policies of health-related and HIT websites: hospitals, ACOs, data clearinghouses, research institutions, the VA and DoD, data analytics companies (like the Advisory Board, Optum, and Mayo Bedside Analytics), ‘life sciences’ companies, institutional and private IRBs, EHRs (Epic, Cerner, Practice Fusion, Athena, etc.), PHRs, HIEs, clinical practices, biobanks, 23andMe, health and fitness apps, health data suppliers (like IMS Health Holdings and Acxiom, for example), WebMD, insurers and third party administrators (TPAs), PBMs, pharmacies, labs, x-ray facilities, etc. Then the public could see and understand which corporations they are willing to trust with their protected health information, and also learn whether or not HIPAA-compliant corporations protect data privacy.

Harvard researchers Shore and Steinman could have chosen ANY framework for privacy and trust, but chose to use Patient Privacy Rights’ framework.

Ours is the only privacy trust framework that was developed by civil society health privacy experts and privacy advocacy organizations over 18 months. The expansion of Fair Information Practice Principles (FIPS) to 15 principles for health privacy was driven by about a dozen privacy & health privacy experts/advocacy organizations. The 73+ auditable criteria that prove adherence to the principles were created by technology experts from MSFT and a major international consulting firm.

Here’s a challenge for all US health-related and HIT corporations: Will you use Patient Privacy Rights’ Privacy Trust Framework to evaluate how well your Privacy Policy protects the privacy of patients’ health information? Will you post the results for the public and the world to see?

Deborah Peel, MD is the Founder of Patient Privacy Rights, an Austin, Texas-based privacy rights group.
