Yesterday (December 1, 2022), The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a bulletin about unauthorized HIPAA disclosures through the use of online tracking technologies.
We discussed this very issue in a recent blog post. We looked at a number of high-profile cases where patient data was collected through an online interaction with a patient and shared with a third party for advertising purposes without explicit consent from that patient. Sure, patients were clicking “accept” on a multi-page privacy policy that states their data can be used for marketing purposes, but when’s the last time anyone read a full privacy policy before accepting? Does that really constitute an authorized HIPAA disclosure?
At the time we wrote that blog, it seemed to us (and many others) that these types of disclosures could not truly be authorized. But there was not any guidance from HHS specific to the use of online tracking technology, so it was hard to say. Until now.
You can read the full bulletin here, or check out our key takeaways below:
- The bulletin clarifies a key term that may have provided a loophole in the past: individually identifiable health information (IIHI). IIHI includes things like an individual’s medical record number, home or email address, dates of appointments, IP address and medical device IDs. The bulletin clarifies that all IIHI is generally PHI, even if the individual does not have an existing relationship with the vendor.
- While it has never been permissible to disclose PHI without authorization, given the proliferation of online tracking technologies, HHS has now explicitly stated that PHI collected through online tracking technology cannot be used for marketing purposes without individuals’ HIPAA-compliant authorization.
- The bulletin goes on to provide details on what constitutes (and for that matter, what does NOT constitute) individuals’ HIPAA-compliant authorization through the use of online tracking technologies:
  - HIPAA-compliant authorizations from patients are required before any PHI is disclosed to a vendor.
  - PHI disclosures are not permitted based solely on a vendor informing patients through a privacy policy or terms and conditions that they plan to disclose their data.
  - It is not sufficient for the technology to remove or de-identify PHI before saving it.
  - Asking patients to accept cookies or other tracking technology does not constitute a valid HIPAA authorization.
- And finally, the OCR will investigate suspected breaches and complaints, and failure to comply may result in a civil money penalty for hospitals and practices as well as required mass media disclosures in qualifying cases.
You’ll notice that the language here is generally focused on vendors who provide online tracking technology. But as you know, a breach from one of your vendors is a breach for your hospital or practice. If you’re not sure how your technology vendors may be using your patient data, now is the time to ask. This new guidance gives you an outline to approach your existing vendors and better understand how they may be using your patient data.
We’ll wrap up this blog the same way we wrapped up the last one – with a comment on intent. It’s always great to see HHS provide clear guidance on issues that have ambiguity. But the way that some online tracking technologies were sharing PHI never passed the “sniff test,” and we didn’t need HHS guidance to know that. This is an important reminder that how the vendors you partner with handle patient data has a direct impact on you. And if something doesn’t feel right, it probably isn’t.