The HIPAA Threat Tied to Online Patient Behavior

February 1, 2015

When patients "check in" via social media, it may help cyber-thieves check out their personal information, something practices should be aware of.

Have you ever used the "check in" application on Facebook to tell friends about the latest trendy restaurant you visited? Psychologists say this behavior serves an important need in all of us; the "likes" provide much needed validation. According to a January 30 article in The Wall Street Journal, this same behavior also serves an important need of cyber criminals.

The article, entitled "Even nameless data can reveal identity" warns, "Your shopping habits can expose who you are even when you are just one of a million nameless customers in a database of anonymous credit-card records." A study conducted by the Massachusetts Institute of Technology analyzed anonymous credit card transactions by 1.1 million people. "Using a new analytic formula, they needed only four bits of secondary information - metadata such as location or timing - to identify the unique individual purchasing patterns of 90 percent of the people involved, even when the data were scrubbed of any names, account numbers or other obvious identifiers," according to the article.

All the researchers had to go on were the records of purchases over a period of three months by shoppers at 10,000 stores. The banks weren't named, the country wasn't named, and the shoppers weren't named; each transaction carried only the day of purchase and the store where it was made.

According to the report, "After isolating a purchasing pattern, researchers said, an analyst could find the name of the person in question by matching their activity against other publicly available information such as profiles on LinkedIn and Facebook, Twitter messages that contain time and location information, and social-media 'check-in' apps such as Foursquare."
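As an added illustration, not code from the WSJ article or the MIT study, the following Python sketch walks through the two steps just described: first a "unicity" check (if an attacker knows k day-and-store points about a person, how often is that person the only match in the scrubbed records?), then the linkage step, matching public check-ins against the anonymized table. All rows are constructed for the example, and the Zipf-like store popularity in synthetic_transactions() is an assumption, not a figure from the study.

```python
"""
Added example, not code from the WSJ article or the MIT study: a simplified
"unicity" check in the spirit of the approach the article describes, plus the
linkage step of matching public check-ins against scrubbed transaction records.
Every row below is constructed for illustration; the Zipf-like store
popularity in synthetic_transactions() is an assumption, not a figure from
the study.
"""
from collections import defaultdict
import random

# Constructed, already "anonymized" records: (pseudonym, day, store). No names,
# no account numbers, just when and where a purchase happened.
SCRUBBED = [
    ("u1", 3, "cafe"), ("u1", 5, "pharmacy"), ("u1", 9, "gym"),
    ("u2", 3, "cafe"), ("u2", 5, "pharmacy"), ("u2", 12, "bookstore"),
    ("u3", 3, "cafe"), ("u3", 7, "gym"),
]

# Constructed side information an attacker could harvest from social-media
# check-ins: the target was at the cafe on day 3, the pharmacy on day 5 and
# the gym on day 9.
PUBLIC_CHECKINS = [(3, "cafe"), (5, "pharmacy"), (9, "gym")]


def build_index(transactions):
    """Map each (day, store) point to the set of pseudonyms seen there."""
    index = defaultdict(set)
    for pseudonym, day, store in transactions:
        index[(day, store)].add(pseudonym)
    return index


def candidates(index, points):
    """Pseudonyms consistent with every known (day, store) point.

    Each additional point can only shrink the candidate set; a point that
    never occurs in the data rules everyone out.
    """
    if not points:
        return set()
    return set.intersection(*(index.get(p, set()) for p in points))


def link_checkins(transactions, checkins):
    """Linkage step: which scrubbed pseudonyms match the public check-ins?"""
    return candidates(build_index(transactions), checkins)


def synthetic_transactions(n_users=2000, per_user=30, n_days=90,
                           n_stores=200, seed=7):
    """Constructed dataset with Zipf-like store popularity (an assumption)."""
    rng = random.Random(seed)
    weights = [1.0 / (rank + 1) for rank in range(n_stores)]
    rows = []
    for uid in range(n_users):
        for store in rng.choices(range(n_stores), weights=weights, k=per_user):
            rows.append((f"u{uid}", rng.randrange(n_days), f"s{store}"))
    return rows


def unicity(transactions, k, trials=300, seed=1):
    """Fraction of sampled users pinned down uniquely by k of their own points.

    This mirrors the question the study asks: if an attacker knows k
    (day, store) points about someone, how often is that person the only
    match in the scrubbed data?
    """
    index = build_index(transactions)
    trace = defaultdict(set)
    for pseudonym, day, store in transactions:
        trace[pseudonym].add((day, store))
    eligible = [u for u, pts in trace.items() if len(pts) >= k]
    rng = random.Random(seed)
    unique = 0
    for _ in range(trials):
        target = rng.choice(eligible)
        known = rng.sample(sorted(trace[target]), k)
        if candidates(index, known) == {target}:
            unique += 1
    return unique / trials


if __name__ == "__main__":
    index = build_index(SCRUBBED)
    for n in range(1, len(PUBLIC_CHECKINS) + 1):
        print(n, "check-in(s) ->", sorted(candidates(index, PUBLIC_CHECKINS[:n])))
    rows = synthetic_transactions()
    for k in (1, 2, 4):
        print(f"k={k}: {unicity(rows, k):.0%} of users uniquely identified")
```

The point the sketch makes is the one the article makes: the scrubbed table contains no name, yet one public check-in narrows the field, two narrow it further, and three leave a single pseudonym, which is now a person. Running the synthetic experiment shows unicity climbing steeply with the number of known points, which is why "remove the names" is not the same as "anonymize".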

This should be doubly alarming for physicians and other medical practices. HIPAA, HITECH, and various state laws were enacted to protect some 18 categories of identifiers that turn health data into protected health information (PHI), including fingerprints, photographs, license plate numbers and other seemingly innocuous bits of information. The MIT study shows that the breadth of that definition is not so arbitrary after all: innocuous-looking data points are exactly what re-identification needs.

The article also quotes Joseph Hall, chief technologist at the Center for Democracy & Technology, a nonprofit that studies privacy and data issues, on the MIT research: "it is very, very, very difficult to remove any ability to identify people in these data sets, especially financial data." "Data brokers who buy and collect very large quantities of information like this have the ability to take thousands of data points and pin those on individuals," Hall said.

Experts also warn that stolen medical data is far more valuable to criminals than stolen credit card information. A compromised card can be cancelled and reissued; medical identity theft is much harder to detect, and correcting the records it corrupts takes a great deal longer.

The WSJ article reveals something CMS and HHS' Office for Civil Rights (OCR), the office responsible for enforcing HIPAA's Privacy and Security Rules, have known all along: Patients are serving up massive amounts of personal data every time they pay a bill, use a credit card, and yes, when they "check in" on Facebook, and anyone who gets hold of enough of it, criminals included, can tie it back to them.

While it is probably too much to hope that patients will stop using Facebook to "check in," you can protect yourself and your practice from liability under HIPAA and the state laws modeled on it. If you have not already performed a HIPAA compliance audit and adopted a compliance program, now is the time. Once the patient's data is out in cyberspace, it is too late.