> Former regulators, health data security experts, and privacy advocates who reviewed The Markup’s findings said the hospitals in question may have violated the federal Health Insurance Portability and Accountability Act (HIPAA). The law prohibits covered entities like hospitals from sharing personally identifiable health information with third parties like Facebook, except when an individual has expressly consented in advance or under certain contracts.
> Neither the hospitals nor Meta said they had such contracts in place, and The Markup found no evidence that the hospitals or Meta were otherwise obtaining patients’ express consent.
You really think that HIPAA prohibits distributing any data at all, providing it has a fig leaf of being deidentified?
I mean, aside from Facebook, how do you think people do medical research? Data sets are available to the public.
Decades ago, somebody showed that deidentification was completely meaningless because with just a few data points almost everybody can be relinked.
You are probably the only person in your zip code, with your gender, and your birthdate (including the year).
Distributing that information with any medical record you ever had is not prevented by anything I know of. As long as your name and SSN are not with it.
Illegal for hospitals to expose/sell this information. Not illegal for FB to receive it. The moment hospitals/providers start selling it there will be some business out there trying to aggregate and data mine it. Be it FB or Google or Amazon, the key thing is hospitals are breaking the law by exposing it even if they do it for some really silly instrumentation benefits.
> Neither the hospitals nor Meta said they had such contracts in place, and The Markup found no evidence that the hospitals or Meta were otherwise obtaining patients’ express consent.