Written by Fred Donovan on Health IT Security on April 17, 2018

During Congressional hearings last week, Rep. Marsha Blackburn (R-Tenn.) called on Facebook Chairman and CEO Mark Zuckerberg to support her bill, Balancing the Rights of Web Surfers Equally and Responsibly (BROWSER) Act, which would require companies like Facebook to improve protections for health data privacy and the privacy of other sensitive information. 

The bill (HR 2520) would authorize the Federal Trade Commission to enforce data privacy protections requiring providers of internet access service and “edge services,” like Facebook, to give users opt-in and/or opt-out approval rights for the use of, disclosure of, and access to sensitive user information.

The bill defines sensitive user information as healthcare information, financial information, information about children under 13, Social Security numbers, geolocation information, content of communications, web browsing history, or history of software or mobile app use.

Zuckerberg was called before Congress after revelations that the political research firm Cambridge Analytica gained access to data on 87 million Facebook users during the 2016 elections. But the issue of healthcare data privacy came up during the April 11 hearing before the House Energy and Commerce Committee.

Blackburn read a letter from one of her constituents, a benefits manager, who was “stunned” that the social media industry was not subject to privacy rules like HIPAA and other industry-specific privacy regulations.

“Will you commit to working with us to pass privacy legislation, to pass the BROWSER Act?” Blackburn asked.

Zuckerberg responded: “I’m not directly familiar with the details of that bill, but I think that regulation in this area…”

Blackburn cut off his response, saying: “Let’s get familiar with the details. You have to give consumers opt-in. My constituents in Tennessee want to know that they have a right to privacy, and we would hope that’s important to you all.”

Rep. Kathy Castor (D-Fla.) asked Zuckerberg: “You are collecting medical data on people that are on the Internet, whether they are Facebook users or not. Isn’t that right?” He responded, “Yes, we do collect some of that data.”

With revelations that Facebook has been in talks with healthcare organizations about sharing medical information about users, the company is likely to face a lot more scrutiny on Capitol Hill about its handling of health data.

The talks reportedly involved building profiles of Facebook users that include medical conditions, health providers they have used, and social and economic factors, CNBC reported.

Facebook asked several major US healthcare organizations to share anonymized data about patients, such as medical condition and prescription information, for a proposed research project. However, after the public storm around the Cambridge Analytica revelations, Facebook has put the project on hold.

"This work has not progressed past the planning phase, and we have not received, shared, or analyzed anyone's data," a Facebook spokesperson told CNBC.

The goal of the talks was to combine medical data held by healthcare organizations with socioeconomic data held by Facebook. The American College of Cardiology, one of the organizations Facebook was in talks with, defended the Facebook discussions.

“For the first time in history, people are sharing information about themselves online in ways that may help determine how to improve their health,” said interim CEO Cathleen Gates. “As part of its mission to transform cardiovascular care and improve heart health, the American College of Cardiology has been engaged in discussions with Facebook around the use of anonymized Facebook data, coupled with anonymized ACC data, to further scientific research on the ways social media can aid in the prevention and treatment of heart disease—the #1 cause of death in the world.”

“This partnership is in the very early phases as we work on both sides to ensure privacy, transparency and scientific rigor,” Gates continued. “No data has been shared between any parties.”

Not everyone is convinced that health data privacy is being considered in these talks. Aneesh Chopra, president of healthcare software company CareJourney and former White House chief technology officer, told CNBC that consumers would not have assumed their data would be used in that way.

“If Facebook moves head (with its plans), I would be wary of efforts that repurpose user data without explicit consent,” Chopra said.

Increased congressional and public scrutiny is likely to constrain Facebook’s discussion with healthcare organizations about sharing health data, anonymized or not, without the patient’s unambiguous consent.