Facebook admits it discussed sharing user data for medical research project
Facebook was in discussions with major medical institutions about sharing user and patient data for a research project, the social media company admitted on Thursday, after revelations in a news report .
The report, from CNBC, said the proposed plan included using a process to match data for individuals in both sets, which would be anonymized, to research how such information sharing could improve individual patient care.
These discussions, which included the American College of Cardiology (ACC) and Stanford University School of Medicine, were put on hold last month, according to a Facebook spokesperson.
“This work has not progressed past the planning phase, and we have not received, shared, or analyzed anyone’s data,” the spokesperson said in a statement.
The disclosure comes as Facebook’s CEO, Mark Zuckerberg, and his company are under intense scrutiny after the Observer revealed that the personal data of millions of Americans – possibly as many as 87 million, at last count – had been harvested and improperly shared with the political data-mining firm Cambridge Analytica. Zuckerberg is scheduled to testify next week before members of Congress.
Medical institutions are held to a higher privacy standard than Facebook because of laws such as the federal Health Insurance Portability and Accountability Act, or Hipaa, which makes it illegal for health care providers and insurers to share patient data without their permission.
But it is not clear how the proposed research would have complied with this strict health privacy law.
Two people who heard Facebook’s pitch and one person familiar with it told CNBC that the proposed project would mesh data from health systems (such as diagnoses and prescribed medications) with data from Facebook (such as age, friends and likes). The idea would be to match what is known about a patient’s lifestyle with their medical needs to customize care.
The Guardian was not able to confirm these details, but Facebook and ACC said they had been in discussions about a research project involving similar data.
“If they were sharing information that was being linked, it’s not clear how they would have done that under Hipaa,” Jodi Daniel, who helped draft the original Hipaa privacy and enforcement rules, told the Guardian.
Daniel, a partner at the Crowell & Moring law firm, said information could be shared for research but it would be subject to strict processes. Otherwise, data must be de-identified before the health provider could share it with an outside group.
“To truly de-identify data under Hipaa is a high bar and if in fact you know that it can be re-identified, combining it with other information, then it doesn’t meet the de-identification standard,” she said.
Michael Valentine, ACC president, said discussions with Facebook were on hold and the group had not yet shared data because of the health group’s commitment to privacy.
“We approached this research as we would any other scientific, medical, or clinical research – ensuring that the research protocol would be consistent with HIPAA regulations, the HHS Office of Human Research Protections regulations, and relevant Institutional Review Board decisions,” Valentine said in an emailed statement. “These practices are consistent with well-established norms in the scientific and medical community for safely conducting research on de-identified patient data. This commitment to privacy and complete adherence to relevant laws and regulations are why no data have been shared and all discussions are on hold.”
The Stanford University School of Medicine did not immediately respond to a request for comment.
A Facebook spokesperson said the company was exploring this data sharing because of the “general health benefits to having a close-knit circle of family and friends” and the need for more research on the impact of social connection on health.
The spokesperson said: “Last month we decided that we should pause these discussions so we can focus on other important work, including doing a better job of protecting people’s data and being clearer with them about how that data is used in our products and services.”