The United States Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) regulate data collection and use in the healthcare industry.
These laws and their associated regulatory rules place many requirements and responsibilities on entities covered under the law, ranging from the disclosure and storage of data to the types of contracts and responsibilities required for vendor contracts.
In short, these clarified rules are forcing healthcare stakeholders to seek out Business Associate Agreements and adjust marketing technology integrations.
Who do HIPAA regulations apply to?
Covered Entities under the Privacy Rule
The Privacy Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).
A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities.
The privacy rule defines disclosure requirements and information about authorization, privacy practice notices (they’re generally necessary and must contain certain things), acknowledgement of notice receipt, and a host of administrative requirements (including privacy policies and procedures, privacy personnel, workforce training and management, mitigation, data safeguards, complaints, retaliation and waiver, and documentation and record retention).
In general, State laws that are contrary to the Privacy Rule are preempted by the federal requirements, which means that the federal requirements will apply.
Protected Health Information
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”
“Individually identifiable health information” is information, including demographic data, that relates to:
- The individual’s past, present or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Individually identifiable health information includes many common identifiers (e.g., name, address, birthdate, Social Security Number). The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
What’s a Business Associate Agreement?
A business associate agreement is a legally-binding relationship between HIPAA-covered entities and business associates to ensure complete protection of PHI. It’s required if business associates may have access to PHI during their work.
What integration adjustments do businesses need to make to be HIPAA-compliant?
In 2022, Meta and several US hospitals were sued under two class-action lawsuits for allegedly violating the United States Health Insurance Portability and Accountability Act, otherwise known as HIPAA. This cast a light on the often shadowy exchange of data in the name of targeting and attribution that can occur as users browse the web.
Following this, the United States Health and Human Services Department (HHS) issued a bulletin to remind covered entities and their business associates of their obligations under the law and relevant regulations. In the opening of the document, HHS stresses the following in regard to Protected Health Information (PHI):
Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosure. Source.
The bulletin makes clear that the tracking technology it is speaking about basically encompasses all the common martech integration processes, be it pixels, beacons, fingerprinting scripts, session replay scripts, IP addresses, geolocation, or cookies.
All of these technologies may disclose individually identifiable health information (IIHI), and that IIHI is often Protected Health Information under HIPAA and the related privacy rules. The document then proceeds to break down tracking on web pages (in both authentication scenarios) and mobile apps.
HIPAA Compliance for Websites
User Authenticated Scenarios
With this being the case, HHS reminds us that the regulated entity must configure any user-authenticated web pages that include tracking technology to only use and disclose Protected Health Information in compliance with the HIPAA Privacy Rule and must ensure that the data that is collected via the website complies with the HIPAA Security Rule.
HHS also reminds covered entities that tracking technology vendors may be considered business associates provided all the requirements are met. Entities subject to HIPAA should consult with their legal teams to ensure their specific use case qualifies, and that the proper disclosures and agreements are in place.
Generally, HHS does not consider public-facing web pages to contain Protected Health Information; however, specific scenarios exist where tracking technology does have access to information that may be considered PHI, and under those scenarios the HIPAA rules apply.
Scenario 1: Relates to login pages. During the login process, the user may be required to enter login information (such as email addresses or their name). This information is PHI and thus protected by HIPAA rules.
Scenario 2: Information pages related to specific medical conditions (such as pregnancy) that permit the user to search for doctors or set appointments may have access to PHI during this process, as email address or IP Address may be collected. In this scenario, the regulated entity is collecting PHI and disclosing it to the tracking vendor, so HIPAA Rules apply.
Recommendation: If you are subject to HIPAA rules, talk with your website development team to review your use cases and ensure that the HIPAA rules are being adhered to.
If the mobile app is owned by a regulated entity, then HIPAA rules apply both to the entity, and any mobile app vendor, tracking technology vendor or any other third party who receives such information (such as device fingerprints, device ID, advertising ID, or network location).
If, however, the mobile app is not owned by a regulated entity, but the user enters health information into it, then HIPAA does not apply. However, even if this is the case, other laws may apply, such as the Federal Trade Commission Act and the FTC’s Health Breach Notification Rule.
What does HIPAA Compliance Look Like?
The notice makes clear that regulated entities are required to comply with the HIPAA rules when using tracking technologies (pretty much any MarTech solution). They have some handy examples of the HIPAA Privacy, Security and Breach notification requirements, which include:
- Ensuring that all transmissions of PHI to tracking technology vendors are permitted by the Privacy Rule and that, unless exempted, only the minimum required PHI to achieve the purpose is disclosed.
- If there is not an applicable Privacy Rule permission, or the vendor is not an established business associate of the covered entity, then a HIPAA-compliant authorization is required before PHI is disclosed to the vendor. The example makes clear that Consent Banners for items such as cookies do not constitute valid HIPAA authorization.
- The entity must address the use of tracking technology in their Risk Analysis and Risk management processes, as well as comply with the HIPAA Security Rule.
The bulletin also contains examples and things to note regarding breach notifications and things to keep in mind when establishing a business associate agreement. Legal teams would be well served to review the notice, and relevant law sections to ensure compliance needs are being met.
HHS Guidance for De-identifying PHI
The Office of Civil Rights lays out two methods for de-identifying data (which would potentially preclude requiring a BAA). Note, however, that should an organization claim the data is de-identified, they may be required to prove their claims to federal agencies and in court, should they become subject to an investigation.
In the first method, known as Expert Determination, an expert is hired to reduce the likelihood of identifying a particular person to a “very low” standard via the use of advanced statistical methods. The expert would need to document this process, and the organization leveraging this method may be called upon to prove the qualifications of the expert as well as the validity of the de-identification claims in the event of an investigation.
Qualifying for Safe Harbor involves removing 18 different types of data identified by HHS as likely to contain Protected Health Information. The removal of this information, however, can dramatically reduce the utility of the data and may not be viable for all use cases.
Recommendation: Depending on the specific use cases, de-identified data may get you enough data utility to be viable. However, we recommend that you give serious consideration to platforms that will sign a business associate agreement, as that reduces the number of hoops to jump through, will likely have increased data utility, and may carry less potential risk from an enforcement perspective.
What does all this mean for your business?
In all circumstances, covered entities should work with the legal and engineering teams to determine if all the required steps are being taken for their specific use cases. If the requirements aren’t being met, teams should alter their existing processes to include the relevant reviews. Finally, entities should carefully consider vendor onboarding—specifically a vendor’s willingness to sign a BAA—prior to deciding to integrate the MarTech solution into the website or app going forward.
Search Discovery provides compliance solutions in the areas of teaching, tools, and implementation to help companies meet regulatory burdens, but we make no claim that the use of such products will bring a company into compliance. Further, we do not act as attorneys.