OCR Warns Providers About Patient Data Trackers

Earlier this week, our Fox colleague Odia Kagan spoke on HIMSS TV about the risks associated with what may be a “blind spot” in your data privacy compliance efforts: the use of data trackers (such as cookies, tracking pixels, session replay scripts) on company websites or apps. This blind spot is particularly perilous when the data being tracked is patient medical information or other personal data subject to data privacy laws. Perhaps the HIPAA regulators were listening.

Yesterday, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a Bulletin warning HIPAA covered entities and business associates about the use of tracking technologies that may collect protected health information (PHI) in violation of HIPAA. The Bulletin is a comprehensive description of how and when patient data trackers present HIPAA compliance hurdles. Several good take-aways:

  1. Make sure you have a business associate agreement (BAA) in place with any company (including a data tracking company) that can access and use protected health information.
  2. Even trackers on unauthenticated webpages (those not requiring user log-in) may collect PHI. As per OCR: “Tracking technologies on a regulated entity’s unauthenticated webpage that addresses specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI in certain circumstances. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply.”
  3. It is not sufficient to have the tracking technology remove or de-identify the PHI it collects: “[i]t is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information. Any disclosure of PHI to the vendor without individuals’ authorizations requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure.”
  4. Remember that even an IP address alone can be PHI when collected on a covered entity or business website or app: “Regulated entities disclose a variety of information to tracking technology vendors through tracking technologies placed on a regulated entity’s website or mobile app, including individually identifiable health information (IIHI) that the individual provides when they use regulated entities’ websites or mobile apps. This information might include an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, or any unique identifying code. All such IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.”
