Earlier this week, our Fox colleague Odia Kagan spoke on HIMSS TV about the dangers related to what may be a “blind spot” in your data privacy compliance efforts: the use of data trackers (such as cookies, tracking pixels, session replay scripts) on company websites or apps. This blind spot is particularly perilous when the data being tracked is patient medical information or other personal data subject to data privacy laws. Perhaps the HIPAA regulators were listening.
Yesterday, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a Bulletin warning HIPAA covered entities and business associates about the use of tracking technologies that may collect protected health information (PHI) in violation of HIPAA. The Bulletin is a comprehensive description of how and when patient data trackers present HIPAA compliance hurdles. Several good takeaways:
- Make sure you have a business associate agreement (BAA) in place with any company (including a data tracking company) that may access and use protected health information
- Even trackers on unauthenticated webpages (those not requiring user log-in) may collect PHI. As per OCR: “Tracking technologies on a regulated entity’s unauthenticated webpage that addresses specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI in certain circumstances. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply.”
- It’s not good enough to have the tracking technology remove or de-identify the PHI it collects: “[i]t is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information. Any disclosure of PHI to the vendor without individuals’ authorizations requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure.”
- Remember that even an IP address alone can be PHI when collected on a covered entity or business website or app: “Regulated entities disclose a variety of information to tracking technology vendors through tracking technologies placed on a regulated entity’s website or mobile app, including individually identifiable health information (IIHI) that the individual provides when they use regulated entities’ websites or mobile apps. This information might include an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, or any unique identifying code. All such IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.”
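To turn these takeaways into a concrete check, here is an added example (not from the Bulletin or from Fox) that audits outbound requests captured from a hospital's unauthenticated appointment-search page: every third-party request is treated as disclosing at least the visitor's IP address, query parameters are scanned for the identifier types the Bulletin lists, and each vendor host is compared against a list of vendors with a signed BAA. The vendor hostnames, the BAA list, the parameter names and the sample requests are all constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hostnames of tracking vendors with a signed BAA on file (constructed for this example).
BAA_VENDORS = {"analytics.baa-vendor.example"}
# Query parameters carrying identifiers the Bulletin lists as IIHI on a regulated entity's
# site: email, MRN, appointment dates, geolocation, device IDs (IP is handled separately).
IDENTIFIER_PARAMS = {"email", "mrn", "appt_date", "lat", "lon", "device_id"}
EMAIL_RE = re.compile(r"[^@\s/]+@[^@\s/]+\.[a-z]{2,}", re.I)

def audit_tracker_request(url, first_party="hospital.example"):
    """Classify one outbound request captured from a page of the regulated entity.

    Returns (vendor_host, identifiers_disclosed, baa_on_file). First-party requests
    disclose nothing to a vendor. Every third-party request discloses at least the
    visitor's IP address on the connection itself, which the Bulletin says can be
    PHI on its own; query parameters may add more.
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host == first_party or host.endswith("." + first_party):
        return host, [], True
    params = parse_qs(parsed.query)
    found = {"ip"}
    found |= {k.lower() for k in params if k.lower() in IDENTIFIER_PARAMS}
    # Email addresses also ride inside other values, e.g. a page URL or referrer copied
    # wholesale into a session-replay beacon, so scan every value, not only known keys.
    if any(EMAIL_RE.search(v) for values in params.values() for v in values):
        found.add("email")
    return host, sorted(found), host in BAA_VENDORS

def vendors_without_baa(requests, first_party="hospital.example"):
    """Vendor hosts that received identifiers although no BAA is on file."""
    results = (audit_tracker_request(u, first_party) for u in requests)
    return sorted({host for host, ids, baa in results if ids and not baa})

# Constructed beacons as they might be captured from an unauthenticated
# find-a-doctor / appointment-search page (none of these are real vendors).
SAMPLE_REQUESTS = [
    "https://hospital.example/api/slots?provider=42",
    "https://pixel.adnetwork.example/collect?ev=search&email=pat%40mail.example",
    "https://analytics.baa-vendor.example/track?page=%2Ffind-a-doctor&mrn=12345",
    "https://cdn.fonts.example/roboto.css",
    "https://replay.sessionvendor.example/rec?url=https%3A%2F%2Fhospital.example%2Fappt%3Fu%3Dpat%40mail.example",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(audit_tracker_request(req))
    print("vendors receiving PHI without a BAA:", vendors_without_baa(SAMPLE_REQUESTS))
```

Note that the font CDN is flagged too: it carries no parameters, but under the Bulletin's reading the visitor's IP address it receives from a regulated entity's page is still PHI, so it needs a BAA or must be removed.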