Recently, the Department of Health and Human Services (HHS) came out with guidance regarding the use of online analytics and tracking technologies. This guidance will impact a lot of provider websites and even some payer websites: hospitals, clinics, medical groups, imaging centers, and more. It gives more insight into how healthcare organizations can better ensure patient data is not inadvertently revealed through the trackers embedded in their sites.
Why Guidance and Not a Rule
This guidance has to do with HIPAA, which is an existing law and one for which many organizations already spend a lot of effort ensuring the privacy of patient data. The guidance focuses on a place where most people might think there is no issue. Many assume that patient data sits behind firewalls and logins and is not available on a simple .com site, so why worry? It turns out that there is risk, and we need to ensure we do not expose the wrong data by accident. Here is what HHS has to say about this guidance on its website.
Tracking technologies are used to collect and analyze information about how users interact with regulated entities’ websites or mobile applications (“apps”). For example, a regulated entity may engage a technology vendor to perform such analysis as part of the regulated entity’s health care operations. The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes protected health information (PHI). Some regulated entities may share sensitive information with online tracking technology vendors and such sharing may be unauthorized disclosures of PHI with such vendors. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.
What Advice Does HHS Give?
Let’s break down the advice around tracking and HIPAA:
- It applies to online tracking technologies: web analytics, embedded scripts, pixels, session-replay tools, and similar.
- The HIPAA Rules apply when the information collected by, or disclosed to, a tracking technology vendor includes PHI.
- Providers are NOT permitted to use tracking technologies in a manner that results in impermissible disclosures of PHI.
- This applies to both authenticated pages (patient portals) and unauthenticated pages (the public .com site).
- For example, information gathered while a patient schedules an appointment online is PHI.
- IP addresses count as identifiers, so an IP address tied to a health-related page visit can be PHI.
- You need to determine whether each tracking vendor is a business associate and therefore requires a business associate agreement (BAA).
What Do Providers Need To Address
Even simple websites like your hospital’s main site can collect PHI. Let me walk you through some examples of where you must be very careful about the use of web tracking technologies.
Find a Doctor
When a patient schedules an appointment, you collect PHI in the form of name, address, reason for the appointment, type of doctor being seen, and so on. If a web tracker of any kind is loaded on the page while you capture this information, and that tracker sends the form contents or the page URL to the vendor’s cloud, you have an impermissible disclosure of PHI, regardless of how securely the vendor stores it.
Class or Interest Forms
Many hospitals provide classes and newsletters. As they capture information to register interest or sign someone up for a class (a diabetes education series, for example), they may tie identifying information to a condition, and that combination is PHI.
Clinical Trial Finder
In the same vein, registering interest in a specific clinical trial ties an identifiable person to a condition. That interest becomes a PHI disclosure if you also use non-HIPAA-compliant tools to track these transactions.
The Bottom Line
Providers need to be very careful when using web and social analytics tracking tools on their public-facing sites. These sites do capture PHI. Provider sites already capture it securely, in a variety of forms, for transfer to their internal systems. What providers must also ensure is that analytics tools loaded on the same pages don’t capture that data as well and deposit it in the vendor’s cloud.
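To make the "Find a Doctor" risk above concrete, here is an added example (not code from the original post or from HHS) contrasting what a tracker with automatic form capture receives with an allowlisted event builder that hands the vendor only non-PHI fields. The field names, the page URL, the query-parameter names and the sample submission are all constructed for illustration, and the tracker API itself is assumed to accept a plain object.

```javascript
// Added example, not from the original post: naive form capture next to an
// allowlisted analytics event for a scheduling form. Field names, URL and
// query-parameter names are assumptions for illustration.

// What many "form tracking" features effectively do: serialize every field
// on submit and ship it to the vendor. On a scheduling form, this is the
// PHI disclosure the HHS guidance describes.
function naiveFormEvent(formId, formFields, pageUrl) {
  return { event: 'form_submit', formId, page: pageUrl, ...formFields };
}

// Hardened version: only fields on this allowlist ever leave the page.
// Anything not listed is dropped, so a newly added form field is safe by
// default rather than leaking until someone notices.
const ALLOWED_EVENT_FIELDS = new Set(['event', 'formId', 'page', 'step']);

// Query-string parameters on "Find a Doctor" style pages that can encode a
// condition or provider type (assumed names); removed from the reported URL
// because the URL itself is often sent to the vendor as "page path".
const SENSITIVE_QUERY_PARAMS = new Set(['specialty', 'condition', 'reason', 'q']);

function scrubPageUrl(pageUrl) {
  const u = new URL(pageUrl);
  for (const key of [...u.searchParams.keys()]) {
    if (SENSITIVE_QUERY_PARAMS.has(key)) u.searchParams.delete(key);
  }
  u.hash = ''; // fragments sometimes carry search terms too
  return u.origin + u.pathname + u.search;
}

function allowlistedFormEvent(formId, formFields, pageUrl) {
  const candidate = {
    event: 'form_submit',
    formId,
    page: scrubPageUrl(pageUrl),
    ...formFields,
  };
  const payload = {};
  const dropped = [];
  for (const [key, value] of Object.entries(candidate)) {
    if (ALLOWED_EVENT_FIELDS.has(key)) payload[key] = value;
    else dropped.push(key); // log these internally to audit what was withheld
  }
  return { payload, dropped };
}

// Constructed sample: a scheduling form submission. Every value is made up.
const sampleSubmission = {
  fullName: 'Jane Doe',
  dob: '1980-04-12',
  phone: '555-0100',
  reason: 'chest pain follow-up',
  step: 3,
};
const samplePageUrl =
  'https://hospital.example/find-a-doctor?specialty=cardiology&page=2';

console.log('naive tracker payload:');
console.log(JSON.stringify(naiveFormEvent('schedule', sampleSubmission, samplePageUrl)));
console.log('allowlisted tracker payload:');
console.log(JSON.stringify(allowlistedFormEvent('schedule', sampleSubmission, samplePageUrl)));
```

Two caveats when applying this. First, the allowlist only controls what your own code passes to the tracker; a vendor script loaded directly in the page can still read the DOM, the URL and cookies on its own, so pages that handle PHI are safer with no third-party script at all or with the tracker routed through a server-side proxy under a BAA. Second, the vendor sees the client IP address at the network layer regardless of the payload, which is exactly why the guidance treats IP addresses as identifiers.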
I’ll discuss some additional challenges and do’s and don’ts around PHI and web analytics next time.