Health Social Networking Sites and Inherent Risks to PHI

Many Social Networking Sites Lack Enough Information for Users to Make Privacy-sensitive Decisions

In an open perspective article published in the Journal of the American Medical Informatics Association, Dr. Jingquan Li, an Associate Professor at Texas A&M University, provides an indepth analysis and discussion on the inherent risks in securing personal health information in health social networking sites (HSNS).

In his opinion piece, Li makes the case for the intrinsic risks associated with some HSNS, addressing the gaps and implications of using HSNS. He outlines the top privacy issues with HSNS as:

  1. The site may maintain a vast repository of users’ profiles and keep it permanently.
  2. The content produced by users may be revealed to both intended and unintended audiences.
  3. The accumulated health data can be misused and/or exploited for various non-medical uses. Some HSNS are commercial companies that have a business model based on harvesting health data for business and proprietary purposes.
  4. The scale of the security risk. While encrypted transmission will improve confidentiality, and authentication and access control will reduce non-authorized access, one ‘hack’ into the site, or one error by a site operator, or one misuse by the many other users of the site may compromise the digital profiles of numerous users.

According to Li, research suggests that users of social networking sites often lack enough information to “make privacy-sensitive decisions.”  And even when social networking site users are presented with sufficient data, they are “likely to trade-off long-term privacy for short-term benefits.” He lays out four recommendations for protecting privacy of health data:

Privacy awareness Sharing the minimum amount of person-specific data to accomplish the intended purpose. When in doubt, err on the side of providing less data
Privacy by education Privacy-awareness education; user-friendly way of setting privacy; use and protection of personally identifiable information (PII) policy; advance notice of any material changes to the privacy policy
Privacy by design Building data protection and privacy by design into the platform; sharing anonymized data within and beyond the community
Privacy by regulation Ensuring consent to non-medical uses before users’ data are used; banning unauthorized re-identification of anonymized data; prohibiting inappropriate uses of health data

Read the full opinion piece here.