Tangible Steps for Tackling the December 2022 HIPAA Bulletin
In case you didn’t hear, back in December, The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a new guidance bulletin regarding the use of online tracking technologies by covered entities (health plan, health care provider or health care clearinghouse) and business associates under HIPAA.
The guidance states some regulated entities could potentially be sharing sensitive information with online tracking technology vendors and such sharing could be unauthorized disclosures of PHI with such vendors.
Here are some steps you can take.
What are online tracking technologies?
Tracking technologies are often pieces of code on websites or apps that monitor users behavior as they interact with the website or app. This information is then collected and analyzed by the website owner and/or third parties to draw insights from user behaviors.
What’s considered PHI?
Per the guidance bulletin, PHI would include “individually identifiable health information” (IIHI), such as an individual’s medical record number, home address, email address, or appointment dates, as well as an individual’s IP address or geolocation, medical device ID, or any unique online or mobile identifying code.
What’s covered under the new guidance bulletin?
- User-authenticated webpages (i.e., when user login is necessary before the user can access the webpage): A covered entity must configure any user-authenticated webpages (i.e. those that utilize user logins) that include tracking technologies to allow such technologies to only use and disclose (and secure) PHI in compliance with HIPAA.
- Unauthenticated webpages (i.e., publicly-available websites that do not require a user login to access the webpage): Tracking on these webpages is generally not regulated by HIPAA. In some cases, tracking technologies on such unauthenticated webpages may have access to user PHI and may disclose such data to outside vendors, thus triggering the HIPAA Rules.
- Mobile apps: Information typed in by a user, as well as device level data (location, device ID or advertising ID) collected by a covered entity must comply with HIPAA for any PHI the mobile app uses or discloses. HIPAA rules do not apply to data that users voluntarily enter into “mobile apps that are not developed by or on behalf of regulated entities.”
Additional Compliance Reminders
- All tracking technology vendors must sign a Business Associate Agreement (BAA) with the covered entity and have applicable permission to a disclosure of PHI.
- Cookie-consent banners do not constitute a valid HIPAA authorization to a vendor when PHI is being collected, disclosed, used, or stored with the vendor.
- It is insufficient for a technology vendor to agree to remove PHI from the information it receives or de-identify PHI before the vendor saves the information.
How to Achieve Marketing Success While Remaining HIPAA Compliant
As you and your partners work to drive targeted service line volume, you’ll want to re-think your digital tagging, tracking, and optimization strategies as well as processes surrounding audience modeling from patient data.
Based on the recent litigation and emerging knowledge, we suggest a two-fold approach to protect patients–and yourselves. Many new companies and technologies are emerging, offering to replace or provide additional layers of protection within common analytics platforms like Google Analytics. As you evaluate what is right for you and your institution, we suggest two best practices.
Step 1: Create a method to ensure that you are not passing PII to Partners
For example, as it stands today Google’s definition of what is considered PII does not align with the new HIPAA bulletin. Without creating a layer of protection to remove person-centric details such as IP address, account IDs, birthdates, zip codes and medical record numbers, those could be inadvertently passed to Google through your data layer. This does not mean you need to remove your tracking technologies, nor does it mean you can’t collect information on web activity at the individual level. What it does mean is that you need a disruptor to ensure you have a user ID that is anonymized, and that you are blocking the submission of any of these elements being sent back to Google within your data layer. Make sure your marketing partner is able to help you do this through Google Tag Manager (or other mechanism) and that you review this together regularly.
Step 2: Control what you protect, share, and deidentify–without losing the power of individual behavior in your data
Measuring individual behavior is important for marketers to understand and to use to drive the most powerful insights, targeting and optimizations. Creating a mechanism to review and share data that your team needs, and your partners need, to make the most powerful decisions–while protecting user privacy–is critical in deriving the most value out of your consumer data strategy.
Adopting the right data masking and encryption techniques will allow your internal teams, your marketing and agency partners, and your targeting partners access to the information they need to derive the most value from your marketing, patient, research, CRM and other data sources while offering the protection you need to ensure patient privacy is central to your decisions.
What are some other ways to plan ahead?
Shorter opt-in windows, greater autonomy and individual privacy control are among the many reasons that health systems are investing in CRM systems that support an opt-in first model.
Many systems are now weighing the cost of CRM investment against the risk of a privacy violation and utilizing CRMs as part of their overall mitigation strategy. This patient-centric approach allows for more visibility for patients in what types of health-related information they prefer to receive from provider systems, while offering providers and systems more control and visibility into patient-level targeting strategies.
One key benefit to consider when evaluating systems is integration with digital marketing platforms, visibility into online engagement, and real-time integration of opt-out signals for digital marketing across social channels. CRMs can create segmentation between communication-driven digital outreach that is not considered ‘marketing’, such as communication about products and services covered by a patient’s insurance. CRMs can also serve an important function in creating targeted audience outreach based on health behaviors that can serve as an ETL (Extract, Transfer, Load) solution to build campaign targeting in a secure method that ensures patient data is protected appropriately.
The Lewis Team is available to audit current practices and formulate recommendations for improvements, as well as implement best practices to ensure your patients and your institution remain in compliance with federal guidelines.
*Disclaimer: We are marketers, not lawyers. The information communicated here is meant to provide general guidance. Every healthcare company is unique, requiring tailored data decisions and mechanisms for compliance.
