Part one of a two-part series (Access part two):Facebook, the global phenomenon in Web-based social media, rolled out a massive overhaul of its privacy protection policies and technology this week—and in so doing may have drawn up a playbook for healthcare as well, industry experts say.
The Facebook privacy upgrade gives its 350 million worldwide users increased control over who has access to some of, but not all, the information on their personal pages. These new, so-called “granular” controls—specifically those embedded in the site's “publisher” function, which enables a user to post new material to his or her Facebook pages—reach down to the level of discrete data elements. The new controls, for example, allow a user to restrict who gets to see each newly posted photo or typed comment.
At the same time, in making the massive switch to the new privacy scheme, Facebook developers also added mandatory settings that, for certain data elements, including a user's name, gender and current city, eliminated previous controls and now require disclosure, according to a review of the changes by the not-for-profit Electronic Frontier Foundation, or EFF.
Other elements, such as a user's “friends” list, can be restricted from such global access, but the new system forces the user to hunt down inconveniently located commands to do so, according to the foundation's review. The EFF and other privacy advocates say, in terms of privacy protections, the net effect of the Facebook changes is, at best, a mixed bag.
And yet, even though the changes may represent to them only half a loaf, these privacy experts, plus a physician informaticist and an information technology company executive contacted for this story, say Facebook has set the bar for privacy protection policies and technologies that very likely also will be deployed in the healthcare industry. That's because healthcare has its own set of consumer and legal demands for installing granular-level patient consents on personal health-record systems, electronic health-record systems and on regional and statewide health information exchanges.
The new Facebook standards, these healthcare experts say, reflect a growing, cross-industry cultural norm toward more individualized control of electronic personal information that likely will be upheld by healthcare IT policies and systems. The Facebook revisions, they say, also demonstrate to the healthcare industry that personalized controls can be deployed on a massive scale.
“Every single Facebook user in the entire world has to redo their privacy settings,” said Pam Dixon, founder of the World Privacy Forum, a not-for-profit privacy advocacy group based in San Diego. “That's a big deal. This is a proof of concept that we can in fact have granular control over sensitive data. This gives me great hope that we can tackle the issue of sensitive control of information in healthcare.”
William Bria
|
William Bria is a pulmonologist and chief medical information officer for the Shriners Hospitals for Children system based in Tampa, Fla. Bria also serves as president of the Association of Medical Directors of Information Systems, a professional association for physicians in medical informatics.
“The idea of granularity, it will be like everything else,” Bria said, “Those who are reasonable; they won't want to make it too complicated, but when it is highly sensitive information, they're going to want to have a switch there.”
“A tidal wave” of patients is coming," Bria said, and “not just teens, but 50- or 60-year-olds, who will say, ‘Yeah, I want to put my stuff online,' but they will say I want more control. There will be a patient-centric dialog as to who they will allow to turn this information on and off. I think there is going to be a culture shock within the establishment of medical informatics.”
Bria worked more than a decade in academic medicine at the University of Michigan. Some Ph.D.s in medical research “had a very different take than the average Joe” about data access and privacy.
“When you get to blue-collar folks, they have a concern about trust,” Bria said, and so, he predicts, most physicians will back their patients in their call for increased patient control over the sharing of their data. “In the community, the only thing you can be is with your patients. If you're not, you're out of business. If we don't understand that, we're blind in another way.”
Deborah Peel, an Austin, Texas, psychiatrist and the founder of the Patient Privacy Rights Foundation, said her daughter, a Facebook user, “forced me to go on it a couple of weeks ago.” Peel said she was immediately befriended by both her daughters and their friends, and then by some professional colleagues, quickly creating an online potpourri of contacts on her Facebook page.
“Essentially, Facebook is a kind of consent management system,” Peel said. “The controls are pretty awful, but the controls are there so you can control who sees what.”
Peel said she often hears the argument from people working on healthcare IT standards that it is impossible to build a healthcare IT system that accommodates patient consent, but “PHRs are doing it right now. And now Facebook has access controls, too.”
Robert Shelton is co-founder, chairman and CEO of Private Access, Irvine, Calif., a developer of patient-rights management software that helps patients control access to their information, but also enables them to release their information on their request so their data can be used in specific, trusted clinical trials. Shelton said the company's software can control patient data to the level of a single word.
There is an understandable comparison between the new controls on Facebook and the patient-rights controls needed in healthcare, but the task in healthcare is far more complex, Shelton said.
“There is a lot more stuff in healthcare that you have to worry about than what Facebook has to worry about,” Shelton said. “They have a proprietary system and they're setting granular controls on each of the fields, but when you're dealing with healthcare, you're dealing with lots of different systems.
“Facebook does not need to worry about authentication and are the people who they claim they are,” Shelton said. “In the healthcare area, you've got to deal with true identity.”
In addition, Shelton said, “They're not that concerned about auditing, but in healthcare, you are. There are layers of additional complexity that have to be taken into account.”
“But is it a sign post that it can be done?” Shelton asked, rhetorically, about the Facebook controls. “Yeah, it can be done.”
What do you think? Write us with your comments at hitsdaily@modernhealthcare.com. Please include your name, title and hometown.
