When the government gives you a heads-up, it is probably wise to heed the warning. Last week, the Department of Health and Human Services (DHHS), in a joint letter with the Federal Trade Commission (FTC), sent 130 letters to various hospitals and telehealth providers reminding them of their obligations under HIPAA to ensure that no protected health information (PHI) is improperly tracked on their patient-facing technology platforms, such as websites and mobile apps.
Recall that last December, the Office for Civil Rights (OCR) published a bulletin about the use of tracking technologies on websites, mobile apps, and other tech devices by covered entities and business associates. OCR takes the position that data gathered by tracking technologies which scrape or otherwise collect even statistical or other data points may constitute PHI, that its improper collection and use is therefore a violation of HIPAA, and that OCR will take enforcement action for such violations.
The recent DHHS and FTC letter cites the Meta/Facebook pixel and Google Analytics as examples of tracking technology which may be exposing health care providers to this type of improper data collection. Google Analytics is a tool used by many third-party vendors. If you are providing telehealth, you should ensure that your vendor agreement clearly outlines the use of the data collected and used not only by the third-party vendor, but also by its own subcontractors and other downstream service providers, so that the vendor is compliant with HIPAA, and specifically with this tracking technology provision. Even if you are not subject to HIPAA, a business that collects personal health information is still subject to general data privacy laws under the FTC Act and the FTC Health Breach Notification Rule.
HIPAA compliance is more important than ever with the proliferation of cyberattacks and other big data tracking tools. While most healthcare providers farm out their data hosting to third parties (which is still better than in-house hosting), those same providers remain the owners of their patients' PHI and are obligated to conduct reasonable due diligence to ensure that the third parties they use are also HIPAA compliant—not only for the data storage (at rest) but also for the platform and interaction through which patient users connect with them, such as telehealth apps (in transit). Many newer and non-healthcare-specific companies are unaware of their nuanced HIPAA obligations, and a simple business associate agreement is no longer sufficient. Although business associates are still equally liable under HIPAA, the PHI ultimately belongs to the healthcare provider, and thus negligent contracting or other data handling will be the provider's responsibility.
If you are unsure whether your third-party vendor agreement properly outlines a vendor’s obligations to ensure HIPAA compliance, I would be happy to provide guidance and help ensure your healthcare business is compliant.
The information in this article is for informational purposes. It is not legal advice. You should contact a licensed attorney before taking any actions or refraining from any actions based on the information provided here.