
Web tracking tools that collect or share personally identifiable health information can have significant implications for HIPAA privacy and security. Unauthorized tracking can compromise patient confidentiality and privacy, potentially exposing sensitive health data. Today, we are doing a follow-up to our previous podcast on web tracking tools and discussing a few recent articles and guidance released by HHS, FTC and OCR.
In this episode:
HIPAA Online Tracking News – Ep 428
Today’s Episode is brought to you by: Kardon and HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
HIPAA Briefs
[05:54] How do the HIPAA Rules apply to regulated entities’ use of tracking technologies?
A lot of information can be disclosed using online technologies, usually via websites or mobile apps. This information is usually referred to as individually identifiable health information (IIHI). But if enough IIHI is captured by the tracking technology, that information can quickly become PHI. HIPAA is very clear about PHI. If it’s PHI and you’re a regulated entity, you have to have a business associate agreement in place to pass that data on to another entity.
Here’s an excerpt from HHS on this topic:
HIPAA Say What!?!
[09:04]
405(d) Tip of the Week
[15:05] As a reminder, cybersecurity is a shared responsibility and should be taken as a priority 365 days a year to put patient care first (not just during CSAM). HHS 405(d) free resources are available year round to help.
HIPAA Online Tracking News
[16:55] A few months ago OCR issued guidance about use of online tracking tools like Google Analytics.
Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates | HHS.gov
It specifically says in bold:
Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.
We discussed it in an episode shortly after that:
Spitballing Website Tracking – Ep 390 – Help Me With HIPAA
In May, American Hospital Association (AHA) sent a letter to HHS and OCR asking them to back off on this guidance or amend it.
AHA Letter to OCR on HIPAA Privacy Rule, Online Tracking Guidance
We have been discussing it and keeping an eye on it since then. There has been another round of notices to update you about so you, too, can be in the know.
First, in July, OCR and the FTC published an announcement that it had sent over 130 hospital organizations a letter about use of these technologies.
An example of the letter is here: Model Letter: Use of Online Tracking Technologies
In March 2023, the FTC put out an article called Lurking Beneath the Surface: Hidden Impacts of Pixel Tracking.
The two of them basically say we are not backing down.
Fast Forward to Sep 2023
[31:38] Just last week another volley was published by AHA:
AHA Responds to Senate RFI on Health Data Privacy
That letter was in response to a totally different RFI from Congress:
Senate RFI on Health Privacy
In their response to the RFI they ask Congress to act on two things:
The tracking technology rule:
Note: AHA made those last bits bold in their letter.
The second is another item that is totally unrelated to that issue but equally important from a healthcare perspective:
For all the strengths of the existing HIPAA framework, its approach to preemption has proven to be problematic. It creates unnecessary regulatory burdens on hospitals and health systems, forcing them to satisfy a myriad of legal requirements that raise compliance costs and divert limited resources that could be used on patient care. In addition, the existing state and federal patchwork of health information privacy requirements remain a significant barrier to the robust sharing of patient information necessary for coordinated clinical treatment. For instance, the patchwork of differing requirements poses significant challenges for providers’ use of a common electronic health record that is a critical part of the infrastructure necessary for effectively coordinating patient care and maintaining population health.
If Congress were to make any changes to HIPAA, it should address this problem and enact a full preemption provision. HIPAA is more than sufficient to protect patient privacy and, if interpreted correctly, it strikes the appropriate balance between health information privacy and valuable information-sharing. Varying state laws only add costs and create complications for hospitals and health systems. As such, the AHA reiterates its long-standing recommendation that Congress strengthen HIPAA preemption.
HIPAA privacy and security should be considered patient care. I mean it’s our show’s motto, after all. That means that not only do covered entities have to understand that, but they also need to make sure their business associates understand that and follow HIPAA rules. That also means covered entities must evaluate all third parties they work with and what services they are providing for them. Most people probably never think about their website hosting or web development company potentially being a business associate. Technology is changing and with it, services and tools used by businesses are changing… especially when it comes to AI tools.
As technology evolves, there is an intricate relationship between the HIPAA rules and the utilization of tracking technologies. Healthcare organizations must carefully implement and manage web tracking tools, ensuring they comply with HIPAA requirements by anonymizing or encrypting any health-related data and maintaining strict access controls. Failure to do so may result in severe legal and financial consequences for breaches of patient privacy and data security under HIPAA.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.


