Privacy & Data Security Law News

Facebook, Big Tech Hedge Privacy Risks in Online Support Groups

June 20, 2019, 8:46 AM

An oncologist with a rare form of cancer and an attorney seeking help for his disabled son both rely on social media platforms to connect to others suffering heartache and seeking answers in tough times. They find help in Facebook Inc.'s health support groups, being part of a global network connecting millions in need of resources and reassurance.

But the social media giant is limiting its liability in the event a third party leaks health support seekers’ personal information or posts it without their permission. As Facebook and other companies expand into the digital health world, they’re passing the legal buck to online group moderators and users or hiding behind outdated federal health privacy laws, privacy attorneys said.

Big tech giants generally don’t have to follow federal health privacy laws like the Health Insurance Portability and Accountability Act (HIPAA) and their state equivalents as long as they don’t offer medical services. Facebook can avoid direct liability for user posts by making user moderators responsible for following platform privacy rules and redacting sensitive health data.

“Because there aren’t health privacy laws for social media, they must rely on Facebook’s” and other tech giant’s general privacy policies, Dena Mendelsohn, senior policy counsel at Consumer Reports, said in an interview.

A social media platform’s privacy policy generally limits the company’s liability from content posted by users, Timothy Butler, privacy attorney at Troutman Sanders in Atlanta, said. That can leave users stuck in a tricky situation figuring out whether privacy or contract claims can be brought against moderators for posting health data without permission or outside of a group’s rules, he said.

‘Gift’ to Users

Facebook’s health support groups aim to provide refuge for millions seeking important medical help. They enjoy strong support from users, even in the wake of data privacy scandals, members of Facebook support groups said in interviews.

Mark Lewis, an oncologist with a rare tumor syndrome called MEN1, has co-run a Facebook support group for a decade. The group helps more than 2,000 members affected by the rare disease. Health support groups have been “enormously helpful for peer support and dissemination of curated medical information,” Lewis said.

Butler also uses Facebook’s groups to find support for his child with a disability. The health support groups are a “gift,” he said.

But hiding behind the seemingly altruistic health offerings are legal shields and outdated health privacy laws that limit the risk to big tech companies, privacy attorneys and advocates said.

Community leaders “have the risk,” Hema Budaraju, product management director for the company’s Social Good team, said in an interview. Facebook provides community leaders with privacy education tools and a source for administrators to choose the correct privacy settings, she said. Users and moderators should follow Facebook global privacy policy and adjust their content settings, she said.

Facebook and other platforms don’t control what users post in health support groups and doesn’t moderate the forums for any potential health privacy issues, a person familiar with the groups said on the condition of anonymity. Facebook also doesn’t collect confidential health data for any individual or company in the health support groups and only provides the platform, the source said.

There may never be a perfect solution to solve the social media health privacy quandary. Tech companies need to balance their needs with consumer privacy expectations, privacy attorneys said. Users, too, should also learn about what each platform’s privacy protections are, they said.

“Facebook built a town square, where people can share their lives and thoughts with the world,” Butler said. “But, now, some people are trying to convert that town square into a living room, where they can have intimate and private conversations about some of the most important parts of their lives.”

“Facebook has to catch up with those people,” Butler, who uses health groups to find information relating to his child’s disability, said.

Limited Privacy Risks

Writers of HIPAA, enacted in 1996, didn’t envision large tech companies providing digital health services and scooping up users’ medical information on their platforms.

“HIPAA applies to healthcare providers, healthcare plans and clearinghouses, not to any random company that collects data about your physical or mental health,” Lindsey Barrett, staff attorney and teaching fellow at Georgetown Law’s Communications and Technology Clinic, said.

Companies will say they’re complying with applicable health privacy laws, “but that’s because the law is woefully inadequate, not because their practices are necessarily ethical or prudent,” Barrett said.

Providing direct medical advice, giving out medication, or collecting specific medical records can get companies in trouble, privacy attorneys said. The act of simply collecting some health information, like heart rate, daily steps, blood pressure data, and offering support groups doesn’t expose big tech giants to federal health liability, they said.

HIPAA doesn’t generally “apply to tech companies that receive data directly from consumers,” Butler said.

Companies like Facebook have global privacy policies that generally say they reasonably protect user data and will they’ll will only use consumer data in certain instances and with permission. And Facebook says it doesn’t collect user data in health support groups.

But Facebook, along with its rivals, could face government scrutiny if they mislead consumers about privacy protections. The Federal Trade Commission could bring a case against any tech company that misleads or deceives consumers, typically by failing to protect user data or live up to its own privacy policy.

And that type of scrutiny would compound the problems Facebook and other tech giants are facing, as they endure multiple federal investigations for alleged privacy failures and potentially misleading their users.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bloomberglaw.com

To contact the editors responsible for this story: Keith Perine at kperine@bloomberglaw.com; Cheryl Saenz at csaenz@bloombergtax.com

To read more articles log in. To learn more about a subscription click here.