
I'll bite. What would be the options for keeping our PHI from being freely shared everywhere? You have to know that Facebook would love a piece of that.



First of all, I don't think HIPAA actually prevents PHI from being shared. If Facebook were to become a business partner of a hospital, and maintain HIPAA compliance themselves, hospitals can share data with Facebook.

To tackle the problem HIPAA tries to solve, that is, making sure that data sharing is secure and only with the intended parties, I want to see stronger enforcement of liability. Granted, the US doesn't have a great track record on that, seeing Equifax get away with what they're doing. But I think that's the system that needs to be improved.

Instead of government dictating what "secure" means, different approaches can be experimented with on the market with strong enforcement of liability providing the necessary incentives.


> hospitals can share data with Facebook

Then Facebook would become a Business Associate and would have to protect information in a variety of very strict ways and could face a fine of up to $10,000 per patient record, per violation. If they had 25 million health records and decided to target advertising to those people on two separate occasions, then they are liable for a fine of up to $500 billion. So sure, let Facebook get into health, it wouldn’t take long for them to run afoul of the law given their move-fast-break-things attitude.


Is targeting advertising based on health data a violation if the advertiser is a business associate and is not directly exposing the data to any non-covered entities?


I work for a healthcare software company (and previously worked for a healthcare system). In my experience, these regulations tend to be high-level: they're less interested in exactly how you meet the regulations, as long as you're meeting them. They focus much more on business processes than low-level technical details. I've found that, for the most part, common-sense industry-standard practices go at least 90% of the way toward meeting the regulations.



