The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) recently issued a warning regarding online tracking technologies. Because these technologies pose risks to patient privacy and security, compliance professionals need to understand them and, of course, comply with applicable federal laws. Compliance officers should also partner with their Information Technology (IT) and risk management departments to ensure their organizations protect patient privacy and minimize security risks.
A good starting point is understanding Internet browser tracking. Whenever a person browses the Internet or performs an Internet search, every link clicked and each website visited is recorded. Websites then place small amounts of this data, known as cookies, on users’ electronic devices to track their browsing activity. They do this to help people more quickly access and search for material they are frequently interested in, as well as to deliver ads they may find useful. However, some people have found ways to use this tracking technology to access those cookies and acquire or share the personal data, including health information, they contain.
To protect patients’ privacy and adhere to federal law, compliance professionals must understand what online patient data is being tracked and used by their organization’s website, social media pages, and payment portals.
GFC Global, a nonprofit program, provides free and easy-to-understand videos on digital tracking. GFC Global focuses on the potential for website hacking and the sale of patient information. You will notice their site asks about sharing your cookies before you can access it! Once acknowledged, you can access their videos.
Heeding the Warning
Within the healthcare space, the OCR enforces HIPAA Security and Breach Notification Rules (HIPAA Rules), and the FTC protects the public from deceptive business practices. In a joint letter the two agencies released earlier this year, they expressed concerns “about the use of online tracking technologies such as Google Analytics and Meta Pixel in violation of HIPAA.” OCR Director Melanie Fontes Rainer noted, “Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website.” The OCR is using its resources to address this concern.
Similarly, Samuel Levine, director for the FTC’s Bureau of Consumer Protection, explained, “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue to do everything in our powers to protect consumers’ health information from potential misuse and exploitation.” With the OCR and FTC focusing on these issues, compliance professionals should as well so they can best support their organization and their patients.
Protecting Patient Privacy
Impermissible disclosure of a patient’s personal health information (PHI) violates the HIPAA Privacy Rule and can result in harm to the patient. A year ago, the OCR issued a bulletin to remind HIPAA-covered entities of their obligations under the HIPAA Rules.
HIPAA Rules prohibit regulated entities from using tracking technologies that could result in impermissible disclosures of PHI, including electronic PHI or ePHI. When tracking technologies gather information about users without their knowledge, there is a risk that users’ health information can be misused, sold, or otherwise exploited.
The bulletin provides specific examples of how the HIPAA Rules apply to regulated entities’ use of tracking technologies. It covers tracking on user-authenticated (where the user must log in) and unauthenticated websites, as well as tracking within mobile applications and adhering to HIPAA compliance obligations.
The bulletin emphasizes that HIPAA-regulated entities and their business associates must follow the law. Compliance professionals must ensure that business associates that use tracking technologies complete a business associate agreement and comply with HIPAA Rules. A joint risk audit of your vendors involving compliance and IT would demonstrate such due diligence.
Following OIG (Office of the Inspector General) Guidance
To protect patient PHI and ePHI, the OIG recommends following guidance with regard to online tracking technologies:
- User-authenticated websites, such as patient portals, must use and disclose ePHI in compliance with the HIPAA Privacy Rule (45 CFR part 160 and 45 CFR part 164, subparts A and E) and ensure compliance with the HIPAA Security Rule (45 CFR part 164, subparts A and C).
- Unauthenticated websites – those that do not require logging in – are, in most cases, not regulated by the HIPAA Rules. However, the HIPAA Rules may apply in some instances. For example, if a patient accesses an online portal to schedule an appointment and the tracking technology collects the patient’s date of birth or email address, HIPAA Rules apply.
- Mobile applications offered by a regulated entity to manage appointments or pay for services are considered ePHI and thus regulated by HIPAA Rules. Moreover, compliance professionals should confirm whether these applications collect information such as fingerprints, device IDs, or network locations, which are considered PHI and covered under the HIPAA Rules.
Compliance professionals who work for regulated entities are required to follow HIPAA Rules to protect patient PHI and ePHI when tracking technologies are used or offered by their healthcare organization. It is prudent for compliance officers to collaborate with their IT and risk management departments. Working together, they can ensure that their organization is aware of which websites and applications use tracking technology and determine the best way to mitigate patient privacy and security risks.
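The first practical step the article calls for, knowing which of your organization’s pages carry tracking technology, can be partly automated. The following is an added example, not code from the article, OCR, or FTC: a small Python scanner that reads a page’s static HTML and reports loader scripts, inline bootstrap calls, and fallback images belonging to Google Analytics / Google Tag Manager and the Meta Pixel, the two technologies named in the joint letter. The tracker hostnames are the real hosts those products load from; the sample pages, URLs, and tracker IDs are constructed placeholders. It inventories trackers only; whether a flagged page also collects PHI (for example, the date of birth or email address in the scheduling example above) is the judgement compliance and IT must still make together.

```python
"""Inventory known third-party tracking technologies in a web page's HTML.

Added example (not from the article). Static scan only: trackers injected
at runtime by a tag manager or consent tool will not appear in the HTML and
need a browser-based check (e.g. network capture) to confirm.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Real hostnames that serve the trackers named in the OCR/FTC letter.
KNOWN_TRACKER_DOMAINS = {
    "googletagmanager.com": "Google Tag Manager",
    "google-analytics.com": "Google Analytics",
    "facebook.net": "Meta Pixel",
}

# Inline bootstrap calls that reveal a tracker even when its loader URL is
# built dynamically inside the script rather than given as a src attribute.
INLINE_SIGNATURES = {
    re.compile(r"""\bfbq\(\s*['"]init['"]"""): "Meta Pixel",
    re.compile(r"""\bgtag\(\s*['"]config['"]"""): "Google Analytics",
}


def _domain_match(host, domain):
    return host == domain or host.endswith("." + domain)


class TrackerScanner(HTMLParser):
    """Collects (technology, evidence) pairs while parsing one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_text = []
            src = attrs.get("src")
            if src:
                host = urlparse(src).hostname or ""
                for domain, name in KNOWN_TRACKER_DOMAINS.items():
                    if _domain_match(host, domain):
                        self.findings.append((name, src))
        elif tag == "img":
            # Meta Pixel's <noscript> fallback is a 1x1 image hitting facebook.com/tr
            parsed = urlparse(attrs.get("src", ""))
            if parsed.hostname == "www.facebook.com" and parsed.path == "/tr":
                self.findings.append(("Meta Pixel", "noscript image " + attrs["src"]))

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            text = "".join(self._script_text)
            for pattern, name in INLINE_SIGNATURES.items():
                if pattern.search(text):
                    self.findings.append((name, "inline call matching " + pattern.pattern))


def scan_html(html):
    """Return every tracker finding in one HTML document."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def page_report(pages):
    """pages: {url: html}. Returns {url: sorted unique technology names}."""
    return {url: sorted({name for name, _ in scan_html(html)}) for url, html in pages.items()}


# Constructed sample pages; G-PLACEHOLDER and 000000000000 are not real tracker IDs.
SAMPLE_PAGES = {
    "https://hospital.example/schedule": """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-PLACEHOLDER');</script>
<script>(function(){var s=document.createElement('script');
s.src='https://connect.facebook.net/en_US/fbevents.js';document.head.appendChild(s);})();
fbq('init','000000000000');fbq('track','PageView');</script>
<noscript><img height="1" width="1"
src="https://www.facebook.com/tr?id=000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
</head><body><form>Date of birth: <input name="dob"> Email: <input name="email"></form></body></html>""",
    "https://hospital.example/portal/login": """<html><head><title>Patient portal</title></head>
<body><form><input name="user"><input name="pass" type="password"></form></body></html>""",
}

if __name__ == "__main__":
    for url, technologies in page_report(SAMPLE_PAGES).items():
        print(url, "->", technologies or "no known trackers found")
```

Running it lists the scheduling page with Google Analytics, Google Tag Manager, and Meta Pixel, and the portal login page with nothing found. Run over an export of your own site’s pages, the report gives compliance and IT a shared starting list for the vendor and business associate review described above.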
Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal, and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix and Vice President of the company’s self-insurance captive.