The Department of Health and Human Services Office for Civil Rights recently issued updated comments regarding HIPAA-compliant patient communication. Patient communication and protection of health information have been significant areas of attention in the past two years. The most recent comments focus on a major concern – patient interaction with practice websites, social media, and mobile apps.

Website / Social Media / Mobile Apps Issues

The recent OCR comments mean that you need to review the use of online tracking technologies on your website. The same review applies to your social media pages and to any mobile app used to reach your website or practice.
Tracking technologies are scripts or code (cookies, web beacons, tracking pixels) that gather information about users as they interact with a website or mobile app. For mobile apps, this includes tracking code that often captures device identifiers. These tools are common in marketing systems, but HHS/OCR has taken the position that individually identifiable health information (IIHI) collected through them is protected health information (PHI) even if the individual accessing the website has no existing relationship with the doctor and even if the IIHI includes no specific information about past, current or future health care services. In other words, HHS now considers HIPAA privacy and security obligations to apply when an individual, whether your patient or not, visits your website and tracking technologies collect almost any information about them, even something as simple as their geographic location.

Using tracking technologies is not itself illegal, but once HIPAA applies, the information a tracker collects is a disclosure of PHI to the tracking vendor. The data must be transmitted and stored securely (encrypted in transit at a minimum), and the vendor must be covered by a business associate agreement or the disclosure must be authorized by the patient. Encryption alone does not resolve the issue, because the vendor still receives the data.
The guidance distinguishes between authenticated and unauthenticated pages.

Authenticated pages are those that require username/password access, the obvious example being a patient portal, but the term covers any area of your website that requires unique login credentials. All authenticated pages are subject to the guidance.

Unauthenticated pages are those that provide general information without a user login, for example pages that describe medical conditions or give directions to a provider. A page discussing dry eye or glaucoma is covered, because the tracking technology records that a particular individual viewed that information. The guidance also applies directly to online scheduling and registration portals even when no login credentials are required. Remember that the guidance applies to patients you have never seen, so scheduling portals used by new patients fall under the required HIPAA security standards.

This guidance is a departure from prior interpretations of PHI. It also makes several other points:

  • Information to patients describing or authorizing the use of tracking technologies in a website’s or mobile app’s privacy policy, notice, or terms and conditions of use is insufficient for meeting HIPAA obligations. Transmission and storage of data must still be protected.
  • Marketing uses of PHI (as defined by HIPAA) collected through tracking technologies must be authorized in accordance with HIPAA (or fall within an exception). Website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization for marketing purposes.
  • De-identification of PHI by a tracking technology vendor prior to saving it does not change the vendor’s status as a business associate.
  • Unless an exception applies, only the minimum amount of PHI necessary to achieve an intended purpose (which must be permitted under the Privacy Rule) may be disclosed to tracking technology vendors.
  • When performing a HIPAA security risk assessment, the use of tracking technologies must be evaluated and the Regulated Entity should ensure that appropriate safeguards are in place to address security risks from tracking technologies. NOTE: For PCS clients, this requirement will be added to the risk assessment process and we will notify you of actions you may need to take.
  • The disclosure of PHI to tracking technology vendors without a BAA in place may constitute a breach under HIPAA.

Recommended Actions

This can all get very technical and may require some investigation on your part. Despite the hassle, OCR has stated that this issue is an enforcement focus, and one non-compliant tracking violation has already been settled for $18 million. The time and effort are strongly advised.

  • Investigate and document the use of tracking technologies on your website and on any social media platform you use. This will likely require consultation with your IT consultants, website developers, and marketing consultants. You will ultimately need to determine whether the tracking technologies fall under the new HIPAA standards.
  • Specifically, determine if tracking technologies are used to collect information that is used for marketing purposes which would require unique patient authorization.
  • Tracking technology use will need to be addressed in your security risk assessment and management plan. PCS will be assisting clients with this process and will be sending out information in the next thirty days.
  • Obtain patient authorization for the use of tracking technologies with an opt-out option. PCS will be assisting clients in a system to accomplish this and will be sending out information in the next thirty days.
  • Make sure you have business associate agreements with tracking technology companies. Most of these companies are engaged by your website or EHR vendor rather than by you directly. In that case, advise your vendors that subcontractor business associate agreements are required.
  • Although OCR states directly that notifying patients of tracking technology use through banners or pop-up notices does not eliminate the HIPAA security requirements, such notices are still advised.
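One way to carry out the inventory step above, as an added example that is not part of this newsletter or of any PCS tooling: the Python script below parses saved copies of your web pages offline and lists every script, image beacon and iframe loaded from a host other than your own, the vendor it maps to, the page class the guidance cares about (authenticated, unauthenticated, or unauthenticated scheduling), and the query parameters a beacon sends to the vendor. The first-party host name, the vendor map, the page paths and the HTML are constructed for illustration. Extend the vendor map with whatever your own scan turns up, and have your web developer confirm the results against the live site, because a tag manager can load additional trackers at runtime that a static scan of the HTML will not see.

```python
"""Inventory third-party tracking resources embedded in practice web pages.

Added example, not from the original newsletter. Parses saved HTML offline and
lists every third-party script, image beacon and iframe so the findings can be
documented in the security risk assessment. All host names, page paths and HTML
below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

FIRST_PARTY_HOST = "www.example-eyecare.com"  # assumption: the practice's own domain

# Illustrative vendor map (assumption); extend with whatever your own scan finds.
KNOWN_TRACKERS = {
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel (script)",
    "www.facebook.com": "Meta Pixel (image beacon)",
}

# Inline snippets that activate a tracker even when no <script src> points at it.
INLINE_SIGNATURES = {"fbq(": "Meta Pixel (inline)", "gtag(": "Google tag (inline)"}


class TrackerParser(HTMLParser):
    """Collect outbound resource loads (script/img/iframe) and inline tracker calls."""

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, url) in document order
        self.inline_hits = set()
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_inline_script = "src" not in attrs
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.resources.append((tag, attrs["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            for signature, name in INLINE_SIGNATURES.items():
                if signature in data:
                    self.inline_hits.add(name)


def classify_page(path, requires_login):
    """Page classes the OCR guidance distinguishes; scheduling is flagged even without login."""
    if requires_login:
        return "authenticated"
    if any(word in path for word in ("schedule", "appointment", "register")):
        return "unauthenticated-scheduling"
    return "unauthenticated"


def scan_page(path, html, requires_login=False):
    """Return one finding per third-party resource or inline tracker on the page."""
    parser = TrackerParser()
    parser.feed(html)
    parser.close()
    page_class = classify_page(path, requires_login)
    findings = []
    for tag, url in parser.resources:
        parsed = urlparse(url)
        host = parsed.hostname or FIRST_PARTY_HOST  # relative URL -> first party
        if host == FIRST_PARTY_HOST:
            continue  # first-party assets are not a disclosure to a vendor
        findings.append({
            "page": path, "class": page_class, "tag": tag, "host": host,
            "vendor": KNOWN_TRACKERS.get(host, "unknown third party"),
            # Query parameters on a beacon are data the vendor receives explicitly.
            "params": sorted(parse_qs(parsed.query)),
        })
    for name in sorted(parser.inline_hits):
        findings.append({"page": path, "class": page_class, "tag": "inline-script",
                         "host": None, "vendor": name, "params": []})
    return findings


def audit(pages):
    """pages: iterable of (path, requires_login, html). Returns findings and vendors to review."""
    findings = []
    for path, requires_login, html in pages:
        findings.extend(scan_page(path, html, requires_login))
    return {"findings": findings,
            "vendors_needing_baa_review": sorted({f["vendor"] for f in findings})}


# Constructed sample pages; the IDs and vendor hosts are placeholders.
SAMPLE_PAGES = [
    ("/conditions/glaucoma", False,
     '<html><head><script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>'
     '<script>fbq("init","1234567890");fbq("track","PageView");</script></head><body>'
     '<img src="https://www.facebook.com/tr?id=1234567890&ev=PageView'
     '&dl=https%3A%2F%2Fwww.example-eyecare.com%2Fconditions%2Fglaucoma" width="1" height="1"/>'
     '<script src="/js/site.js"></script></body></html>'),
    ("/schedule-appointment", False,
     '<html><body><iframe src="https://booking.example-vendor.com/widget?practice=42"></iframe></body></html>'),
    ("/portal/login", True,
     '<html><body><script src="https://www.google-analytics.com/analytics.js"></script></body></html>'),
]

if __name__ == "__main__":
    report = audit(SAMPLE_PAGES)
    for finding in report["findings"]:
        print(finding)
    print("Vendors needing BAA/authorization review:", report["vendors_needing_baa_review"])
```

Every finding on a scheduling page or an authenticated page is a disclosure to that vendor under the guidance, whether or not the vendor appears in the known-tracker map; the "unknown third party" entries (here, the booking widget) are exactly the vendors engaged by your website or EHR provider that need a subcontractor agreement.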

OCR’s expansive view of PHI in the new guidance, combined with a level of web technology most practices are unfamiliar with, may make it difficult to pin down your specific HIPAA compliance obligations when undertaking any of the measures listed above.

PCS will continue to monitor for any additional guidance from OCR.
Questions? Contact PCS –