Study Says Website Security Gap in HIPAA Rules is Being Exploited

A recently released study into privacy violations on the web indicates that the majority of searches for health information could potentially result in third-party companies obtaining Protected Health Information.

The study, "Privacy Implications of Health Information Seeking on the Web", was devised and conducted by Timothy Libert, a Pennsylvania doctoral student. He claims that the third parties using this method to obtain data included data brokerages and online advertising companies. The problem is widespread: 91% of health-related websites initiated HTTP requests to third parties, and in 70% of cases these requests contained information that included symptoms and treatments of diseases.

The data that is recorded on consumers is extensive, and the study cites Facebook, Google and ComScore, which were found to have collected data on approximately a third of users, with Google topping the table, having collected data on 78% of its users.

The problem with this invasion of privacy is that the information could potentially be used to discriminate against individuals with specific health conditions, or may be misused. Since the companies obtaining this information are not subject to the rules laid down in HIPAA, the data collected may not be subjected to the same data security standards to keep it secure.

Libert conducted the study on 80,000 health-related web pages and discovered that nine out of ten websites leaked personal health information. This personal health information is not covered under HIPAA Rules. As Libert pointed out, “HIPAA rules are not designed to police third party business practices or data brokers’ business practices.”

While the healthcare industry has adapted well and embraced new mobile and internet technology, there are concerns that data security controls are not sufficient to prevent healthcare data from being leaked or stolen. Federal and state laws exist to protect data in certain circumstances, but there are holes and they can potentially be exploited. If these security holes are not plugged, the privacy of consumers will continue to be invaded.

In the words of Libert, “Clearly there is a need for discussion with respect to legislation, policies, and oversight to address health privacy in the age of the internet.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.