Organizations Voice Concerns Over HIPAA Updates

In December 2022, the Department of Health and Human Services issued a bulletin to healthcare organizations indicating that the use of website trackers on unauthenticated websites was creating Protected Health Information (PHI) and a potential risk of HIPAA violations. Many professional organizations and providers felt that this was a potential expansion of the definition of PHI.

Legislative Action

In September 2023, Sen Bill Cassidy, R-LA., the senior Republican on the Senate Health, Education, Labor and Pensions Committee issued a request for information seeking input on a wide scope of health data privacy and security issues. Cassidy is one of four physicians serving in the Senate. The request from Cassidy sought feedback on the need for general HIPAA updates, and concerns about biometric data, genetic information, location data, the sharing of health data, and more.

Organizations including the American Hospital Association (AHA), the Healthcare Information and Management Systems Society (HIMSS), and the Network Advertising Initiative (NAI) responded to the request, weighing in on the use of online tracking technology and other significant HIPAA concerns.

The American Hospital Association

The AHA, which includes nearly 5,000 member hospitals, health systems, and other healthcare organizations, more than 270,000 affiliated physicians, 2 million nurses, and other caregivers, along with 43,000 healthcare leaders, was critical of the new online tracker rules.

In its response to Cassidy’s request, the AHA wrote, “As a result of the OCR rule, hospitals and health systems can no longer rely on a broad array of third-party technologies — from Google Analytics to YouTube or other video applications — that help them provide their communities with reliable health care information. Not only does this OCR rule violate HIPAA and its implementing regulations, but it inflicts meaningful harm on patients and public health. Congress should urge OCR to withdraw the rule immediately.”

Healthcare Information and Management Systems Society

In its response, HIMSS called for more consistency in what organizations must follow HIPAA regulations. The organization stated, “How HIPAA is interpreted, enforced, and intersects with other privacy laws has created significant layers of complexity in compliance and enforcement. Given the current technology landscape, and the emerging roles of entities that handle personal health information that falls outside the scope of HIPAA privacy and security requirements need to be broader and more encompassing. The explosion of health apps and other direct-to-consumer health technologies, such as fitness trackers, lead to an increase in both the amount of health data collected from consumers and the incentive for companies to use or disclose that sensitive data for marketing and other purposes. Actors who access PHI but operate outside of HIPAA’s purview should be required by applicable federal laws to protect personal health information, notify impacted parties in a timely manner when a breach occurs, and take appropriate action to mitigate the impact of the breach consistent with the manner HIPAA-covered entities are required.”

In the response, HIMSS also made arguments for:

• All identifiable patient information; biometric, genetic, location, and financial data should have the same protections as those afforded for other forms of PHI.
• Using opt-out mechanisms for patients who choose for their data not to be included in electronic exchange or for use in data sets. Opt-out should be applicable to all HIPAA-covered entities and non-HIPAA-covered entities that access protected patient information.
• A national privacy law that creates a baseline for privacy protections and breach notifications for both HIPAA-covered entities and non-HIPAA-covered actors.

Network Advertising Initiative

The NAI touched on several issues in its response, including the benefits it believes come from data-driven health advertising, saying “Data-driven health advertising is an extremely valuable tool that helps connect consumers and HCPs with medical treatments, medications, or information they genuinely need or want, as well as coupons and discounts for medications. Data-driven health advertising helps consumers by connecting them with health information that is more relevant to them, therefore helping to improve health equity for individuals with limited access to health information and treatment.”

NAI also argued against overly broad definitions of health information, giving browsing for multivitamins, and buying running shoes as examples of data it thinks shouldn’t qualify. The initiative stated, “With respect to the scope and dual goals of HIPAA–to improve the portability of health records and increase the number of Americans with health insurance–we strongly discourage Congress from attempting to expand it to include consumers’ health-related information collected from sources other than HIPAA-covered entities. The public policy interests in protecting patient healthcare information reflected by HIPAA do not align with the interests in protecting consumer information collected in other contexts, which –while still important – should be separately regulated from patient data under HIPAA.”

While it is possible that these efforts will result in changes to the HHS interpretation of the risks related to PHI on unauthenticated websites, as of right now the HHS guidance has not changed meaning that the use of website trackers could result in regulatory action.  

CompliancePoint has the services and staff to guide your organization through all aspects of HIPAA compliance. Contact us at connect@complinacepoint.com to learn more about how we can help.