On December 1, 2022, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a Bulletin to highlight the obligations of HIPAA-covered entities and business associates when using “online tracking technologies,” or what OCR describes as “script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app,” which is then analyzed by website owners, app operators or third parties to create user profiles or garner insights into users’ online activities.
These may include cookies, web beacons, pixels, session replay software and fingerprinting scripts that track and profile users’ web activities, whether on web portals behind an authentication wall or on unauthenticated webpages or mobile apps, and, in some cases, disclose the collected user data to technology vendors for marketing purposes without HIPAA-compliant authorization. As the OCR stated: “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of protected health information (PHI) to tracking technology vendors or any other violations of the HIPAA Rules.”
Beyond the health privacy issues for providers and vendors, this Bulletin brings to mind several topics we discussed in an October post on Amazon’s recent acquisitions (including the potential strategic value of One Medical, “a human-centered and technology-powered primary care organization”). Under 45 CFR 160.103, a “covered entity” is a health plan, a health care provider, or a health care clearinghouse. Thus, as a primary care organization, One Medical falls under the category of a HIPAA-covered entity and is within this data-valuable environment where the OCR issued the Bulletin on PHI disclosed to tracking technology vendors.
Overview of the OCR Bulletin
PHI. The OCR reiterates throughout the Bulletin that HIPAA applies when covered entities collect user data that include PHI via tracking technologies and also if such data is then shared with technology vendors. But what exactly is PHI? As the Bulletin explains, PHI would include “individually identifiable health information” (IIHI), such as an individual’s medical record number, home or email address, or appointment dates, as well as an individual’s IP address or geolocation, medical device ID, or any unique online or mobile identifying code. The Bulletin stresses that “IIHI collected on a regulated entity’s website or mobile app generally is PHI,” even if the individual does not have an existing relationship with the covered entity and even if the IIHI does not include specific treatment or billing information (e.g., appointment dates or type of healthcare services).
User-Authenticated Webpages. Patient portals and telehealth platforms generally collect and have access to PHI, including diagnosis and treatment information, billing information and other sensitive data. Therefore, the Bulletin states that a covered entity must configure any user-authenticated webpages that include tracking technologies to allow such technologies to only use and disclose (and secure) PHI in compliance with HIPAA. The OCR also reminds covered entities that tracking technology vendors are business associates IF they create, receive, maintain, or transmit PHI on behalf of a regulated entity “for a covered function (e.g., health care operations) or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI.” For example, this may come into play in the case of authenticated portals where users log in to a medical provider’s website or app. The Bulletin states that if a user makes a medical appointment through the website of a covered health clinic and that website uses third-party tracking technologies (which might automatically transfer PHI and other consumer data to an outside vendor), then the tracking technology vendor is a business associate and a business associate agreement (BAA) is required.
Unauthenticated Webpages. The OCR takes a slightly different stance on the collection of consumer data on unauthenticated webpages, which are publicly accessible pages that allow anyone to access the content and typically only contain basic information about a covered entity; as a result, and according to the Bulletin, tracking on such webpages is generally not regulated under HIPAA. However, the OCR states that in some cases, tracking technologies on such unauthenticated webpages may have access to user PHI and may disclose such data to outside vendors, thus triggering the HIPAA Rules. For example, the Bulletin mentions that if a login page of a covered entity’s patient portal requires a user to enter registration information such as one’s name and/or email address, such webpage then contains PHI and becomes subject to HIPAA. Alternatively, the OCR points to webpages that allow users to search for doctors, view appointment availability or make appointments, or view information about specific symptoms or conditions (e.g., pregnancy) without first logging in and warns that such webpages could potentially collect a user’s email address and/or IP address, thereby potentially disclosing PHI to the tracking technology vendor, and thus triggering the HIPAA Rules.
Mobile Tracking. Mobile tracking typically occurs when tracking technologies and mobile software development kits (SDKs) are developed by an outside marketer and embedded in a mobile app. The Bulletin states that information typed in by a user, as well as device-level data (e.g., network location, geolocation, device ID, advertising ID, etc.) collected by a covered entity must comply with HIPAA for any PHI the mobile app uses or discloses. In a nod to the Supreme Court’s Dobbs decision, the Bulletin states that HIPAA applies to “any PHI collected by a covered health clinic through the clinic’s mobile app used by patients to track health-related variables associated with pregnancy….” However, the Bulletin clarifies that the HIPAA Rules do not protect data that users voluntarily enter into “mobile apps that are not developed or offered by or on behalf of regulated entities, regardless of where the information came from.” [emphasis added]. This would include health information entered into lifestyle- or fitness-related mobile apps operated by an entity not regulated by HIPAA. Though, such data collection would still be regulated by the FTC and potentially under applicable state privacy laws, and perhaps even a comprehensive federal privacy law, if one should ever pass Congress.
Compliance Obligations. The Bulletin restates that regulated entities are required to comply with the HIPAA Rules when using tracking technologies and reminds covered entities to ensure that “all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.” It also suggested that regulated entities “should evaluate its relationship with a tracking technology vendor to determine whether such vendor meets the definition of a business associate and ensure that the disclosures made to such vendor are permitted by the Privacy Rule.” The OCR closes the Bulletin with several compliance reminders:
- The HIPAA Privacy Rule does not permit disclosures of PHI to a tracking technology vendor based solely on a regulated entity informing individuals of this possibility or occurrence in its privacy policy or privacy notice (“Regulated entities must ensure that all tracking technology vendors have signed a BAA and that there is an applicable permission prior to a disclosure of PHI”).
- The use of cookie consent banners does not constitute a valid HIPAA authorization to a vendor when PHI is being collected, disclosed, used, or stored with the vendor.
- It is insufficient for a technology vendor to agree to remove PHI from the information it receives or de-identify PHI before the vendor saves the information (“Any disclosure of PHI to the vendor without individuals’ authorizations requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure”).
In addition to the Bulletin, technology and health care companies that are collecting health data should also ensure that they are complying with state privacy and consumer protection laws. HIPAA has generally been described as the floor for health care privacy compliance, and states may choose to pass and enforce more onerous privacy and consumer protection laws.