Staying HIPAA-compliant Online
Carol Amick: Hello everyone, welcome to our webinar. Thank you for taking your time out of your day to spend some time with us. I’m Carol Amick and I’m the Director of Healthcare Services for CompliancePoint and I’m joined today by Sarah Reckling who is a compliance consultant for us.
Just to give you a little background on both Sarah and me, both of us have worked as compliance officers or directors at healthcare providers, and so we are coming to this from the position of having to deal with these kinds of situations in the real world. And so what we’re going to be talking about today is the real world and how you stay HIPAA-compliant online in today’s environment.
So today’s agenda is, and we’re going to talk a little bit about CompliancePoint, we’re going to talk a little about the regulatory environment surrounding HIPAA online, we’re going to talk about the risks surrounding the social media and other uses of online, and then we’re going to talk about web trackers, which is kind of a new online risk that we are seeing emerge in the industry in the recent history, and we’re going to talk about what we recommend you do.
We will also be answering questions, so as we go along, feel free to put any questions in the chat. We have a moderator there who will be looking at the questions and we’ll be getting them ready for us to answer at the end.
I do want to start by saying that we will be sending the slide deck to everyone who has signed up to attend the presentation today.
So let me talk a little about CompliancePoint, and I promise to make this fairly short. CompliancePoint is a professional service, and at our core, we help our clients understand, mitigate, and manage risk in the market. We approach this in a customized manner for each client. It’s not a one-size-fits-all. We don’t believe everybody has the same problems and everybody needs the same solutions.
We’ve been doing this since 2004, and we have a lot of areas of expertise, including privacy. We help organizations comply with federal, state, and international regulations related to privacy. We are a PCI assessor firm. We help clients meet the payment card industry requirements. We help clients get ready for ISO, FISMA, FedRAMP, SOC, all kinds of regulatory environments. And then, of course, in the healthcare environment, we focus a lot on HIPAA and HITRUST, but we also work with meaningful use, helping clients comply with the OIG seven elements of compliance, and basically doing what they can to protect the protected health information entrusted to them.
So now that you know a little bit about CompliancePoint, Sarah’s going to talk to you a little bit about the regulatory background related to the HIPAA regulations.
Sarah Reckling: So there are three main kinds of backgrounds that I’m going to talk about in the statutory world. So HIPAA, so just as a note, the purpose of it was to improve the portability and accountability of health insurance coverage, and the Act introduced a number of measures to ensure the continuity of coverage between jobs.
Those with pre-existing conditions were discussed as well. So there were two parts. The final privacy rule was not published until August 2002, and it stipulates permissible uses and disclosures. It lists the circumstances in which authorization is required and does give individuals rights over their PHI.
So a couple of years later, the security rule was published in 2005, dealing specifically with PHI that was created, collected, used, maintained, or transmitted electronically, which also did include the three sets of safeguards that must be complied with by covered entities, which were administrative, physical, and technical.
And then HITECH, it was originally enacted as part of the American Recovery and Reinvestment Act of 2009, and it was to promote the adoption and meaningful use of health information technology. Specifically, Subtitle D of the HITECH Act addressed the privacy and security concerns associated with electronic transmission of health information.
And in part, though, several provisions strengthened the civil and criminal enforcement of the HIPAA rules. A specific example is the HIPAA Safe Harbor Bill of 2021. Strictly speaking, the new HIPAA Safe Harbor law isn’t actually a HIPAA law, but rather an amendment to the HITECH Act. It came originally from many healthcare associations calling for a safe harbor that exempted covered entities and business associates from financial penalties and corrective action plans if it could be shown that they had implemented a recognized security framework prior to a data breach or other security-related HIPAA violations.
So what is protected health information, or what we call PHI? So it is really any information in the medical record or designated records that can be used to identify an individual that was created, used, or disclosed in the course of providing a healthcare service such as diagnosis or treatment.
And here below we have a bunch of lists, but I just want to highlight specifically photographs are included in this as well. So are account numbers, IP addresses, and biometric identifiers.
Carol Amick: I’m going to jump in real quick. I remember when HIPAA first came out, we weren’t even sure what an IP address was, but key to your online HIPAA compliance is understanding what happens with your IP addresses. We’ll bring that up more as we go along later.
Sarah Reckling: So the Federal Trade Commission Enforcement Health Breach Notification Rule, it was issued in 2009 and the rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. It also states that if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers or AKA patients.
The final rule also specifies the timing method and content of notification and in the case of certain breaches, breaches involving 500 or more people require notice to the media.
Penalties for noncompliance with HIPAA regulations include civil monetary penalties, and they can range between $100 and $50,000 per violation. However, I just would like to make a note that it depends on the level of culpability, and a four-tier system is how they make that determination of the payment amount.
There are also criminal penalties that can be imposed for intentional violations. This is with a, you know, having a specific intent for doing, you know, such a thing and that can lead to fines and potential imprisonment as well. There have been imprisonment sentences that I have seen with that.
And then lastly, there is also potential for civil actions resulting in monetary damages.
Carol Amick: So let’s talk about the specific risks to your social media. The most common mistakes we see for social media are posting information about patients to unauthorized users. So you’re posting information about a patient to the world, to people who shouldn’t have it, et cetera.
Sharing photos or videos and we’re going to give some examples and talk about that specifically, but, you know, posting a picture is, as Sarah pointed out, a picture is a PHI breach. So if you posted a picture of a patient in your facility, you probably, unless you’ve got a release, you’ve probably got a problem. Exposing any of the above while sharing a photo of something else.
So this is really common if there’s an event going on, for example, at your location, you may be taking pictures, you post those on social media, but there’s a patient picture in there that you didn’t blur out or block out. And then thinking that posts are set to private or deleted. And we’re going to give you some real-life examples of that.
But, you know, if you think you’re not sharing it with the world, it might be time to think again. Let’s look at a real-world example of somebody whose protected health information was inappropriately shared on social media.
News story: Gina Graziano feels Northwestern should have had better policies in place. So when your private information is breached, they call you and it’s not you calling them after seeing your medical information on social media. What was your first thought when you saw your private medical information on Twitter and Facebook?
Um, I was humiliated, embarrassed.
Gina Graziano filed a lawsuit against Northwestern Medicine Regional Medical Group, her ex-boyfriend David Worth and his girlfriend Jessica Wagner. And you didn’t know her before this?
I did not know her.
And you didn’t know that your ex-boyfriend was dating her?
No, I did not.
The suit alleges Wagner, a hospital employee, used her credentials to log in and access Graziano’s medical records, charts, and files, then Worth posted about procedures and treatments Graziano received at Northwestern Medicine Kishwaukee Hospital on social media.
That point I know that curiosity really intrigued them enough to know more about me. And my name was searched in a database on two separate dates, March 5th and March 6th.
In this letter from Northwestern Medicine to Graziano, the hospital acknowledges after a thorough investigation, there was inappropriate access to her medical record by an employee on March 5th and 6th of last year.
This police report says Wagner was fired from Northwestern Medicine because of the incident.
My computer is up and I’m away from it.
This is video of Wagner being questioned by Bloomingdale Police. She told the officer someone must have used her computer to access the records after she logged in.
Can you think of any scenario under which somebody else would search for your boyfriend’s ex-girlfriend’s medical history on your computer?
No, and that’s where I’m coming to the point that I searched a thousand times a day.
Carol Amick: I do want to point out one thing that was said during the police interview of this person who’s accused of this crime. I look at thousands of medical records a day. Now while that’s not directly related to our social media discussion here, most caregivers and organizations really shouldn’t be looking at thousands of medical records a day.
So if somebody on your staff tells you they’re doing that, that might be something you want to look at, just in addition to your social media concerns. But it’s not just this intentional exposure we just saw. That was obviously intentional. This is: have your employees done this unintentionally? Posted images from the holiday party that included your patients or residents?
As I told you earlier, I was previously a compliance officer. I was a compliance officer for long-term care and at Children’s Lookout Hospital. Both of those are places where we tried to create a family-like atmosphere. We wanted our patients and our residents to think of this as a happy, cheerful place. So we had parties, we had events, we had Halloween costumes. And you know, marketing is out there taking really cool pictures. And did any of those get posted with the picture of a patient in it? Or there’s always this case, and I’m sure a lot of you have seen this before, talked about a high-profile case in the media without naming names.
“Man vs. train” Instagram post. A lot of you may remember this. This was a case that came up several years ago. A man, I don’t know if he even jumped or fell in front of a train in the New York City subway. This is a picture of the emergency room OR after they went into crisis mode to save this man’s life. Because the media had been all over the story, as you can imagine, it’s rush hour in New York, the regulators felt like this was pretty easy to put all together. I don’t think there was action taken against the hospital where it occurred, but the nurse who posted this did lose her job. So there was a consequence to this.
Have they responded to a Facebook post? This is very common. “This will be short and sad. We lost my dad last night to a cardiac event. First responders heroically tried to save him, but sadly he passed after being transported to the hospital. We miss him a lot and are beyond devastated.”
The comment, well-meaning, well-intentioned, we got a heart, everything good about it: “Sorry, we were not able to save him.” Whoever posted that has just confessed that this man, who, by the way, in the rest of the post was identified by name, was a patient at their facility or in their ambulance.
It’s probably a HIPAA violation. You cannot confirm that this was your patient without permission.
And then there’s this. We talked a little bit about, I think, assuming things are private. I’m going to let you watch this video and then I’ll talk about it.
Social Media Video: Ashley here, I just wanted to send you a personal message because I just don’t think words can express how much I appreciate your support and you defending me. I’m actually sitting with my patient right now. We’re having lunch and we’re under the Ravenel Bridge. And I just want you to know that I see everything and I just want you to know how much I appreciate it. I don’t think I’ll ever be able to express it. You don’t owe me anything and yet you’re here defending me. So I just want you to know. Oh, a bug just jumped on me. I just want you to know how much I appreciate it. I hope you’re having a great day. Say hi.
Carol Amick: So you can see the document here on the right. It says, “To whom it may concern, attached to the video sent to me by Ashley Jacobs, who is supposedly a licensed nurse in South Carolina. The video shows her with a young patient who she identifies. I believe this violates the HIPAA policy.” It does. I mean, she sent this, and in the video, I’m pretty sure the patient’s face was not blacked out as it is here. I think that was done by the media when this would be in public.
But this is definitely a HIPAA violation. I’m sure this Ashley Jacobs, who I understand is a social media star, and thought this was going to be private. This was a private thank you to a supporter. It was a cheerful good, you know, thank you. But it’s a HIPAA violation. That supporter had no need to see that patient or know who that patient was. She did, I believe, lose her license.
Sarah Reckling: So in terms of social media as well, there’s this uprising of blogging, you know, and we see bloggers saying, you know, I took the patient’s name out. It should be okay, right? Unfortunately though, you know, a person’s identity, even when you take out the name, can be identifiable.
There was a study of medical blogs that found individual patients who were described in 42% of 271 samples that were covered. And of those samples, 17% were found to include enough evidence for patients to identify themselves, their providers, and three even included, you know, we bring this up again, recognizable photographs of the patients.
Now it can be, you know, hard to try to, you know, take out the patient’s name and all these other different, you know, identifiers, but it does really need to be done. As the study shows, you know, even without the name, they’re very recognizable.
Have your employees done this?
So the HHS Office for Civil Rights reached an agreement with a healthcare provider in New Jersey, you may have heard of this, that disclosed patient information in response to negative online reviews. We are seeing much more of an uptick with this. In this example, a New Jersey psychiatric practice had to pay $30,000 for a response to an online review.
And we saw similar things happening. A nurse in Texas Children’s Hospital was fined for violating HIPAA. You know, we have a dental practice that paid $10,000 to settle social media disclosures.
But as a note here, you know, my background is also, you know, doing compliance for a big healthcare organization, but my background is also in legal. And I will say, you know, if nurses or students, you know, violate HIPAA, there are times where exams or boards in which they are sitting, they will be required to disclose that fact if they were fired or had violated HIPAA.
Another reminder as well that I have participated is that there can be licensing loss and concerns. If you violated HIPAA, I know I have dealt with situations where RNs lost their license for HIPAA related and they couldn’t, you know, find a job because they violated it and this organization may have been functioning with Medicare, Medicaid, and that is just a rule that they have. So something to keep in mind as well as moving forward.
Another uptick that we are seeing is the rise of what I’ve dubbed TikTok doctors, you know, from a quote from the New York Times. This doctor said she made social media videos because, quote, she loved teaching and wanted to explain cosmetic surgery to people outside of the medical field. And we’re seeing a lot of TikTok doctors, you know, actual licensed MDs who are, you know, talking about their procedures. However, unfortunately, you know, they’re either providing videos that have patients in the background or they’re, you know, mentioning patient names, mentioning those identifiers, which is, you know, a very big HIPAA violation. In this case, what happened as a result is the State Medical Board of Ohio revoked her license permanently as well as gave her a $4,500 fine. So this is something to be aware of as TikTok is really on the rise of usage right now, even with doctors, you know, just to really make sure that, you know, those patient identifiers are not used in TikTok videos.
Carol Amick: And I think that’s a good point. In this case, the doctor did lose her license. But if the Department of Health and Human Services deems that by letting the doctor do TikTok videos from the operating room, you violated HIPAA, the hospital is going to be the one paying the price for that. So you’ve got to pay attention to what’s going on in your hospital. If your doctors are doing TikTok.
So we’re going to talk now about a relatively new risk that’s gaining speed at a record pace, web trackers. Earlier this year, the Federal Trade Commission and Health and Human Services sent a joint letter. So they’re both talking about both the HIPAA law and the Federal Trade Commission law we talked about earlier, telling organizations of the risk of using online tracking technologies on websites or mobile apps. And the letter specified risk posed by Meta Pixel, which is Facebook, and Google Analytics, such as unauthorized disclosures of health conditions, diagnoses, medical treatments, frequency of visits, et cetera.
For a lot of hospitals, it’s already too late. At least 21 hospitals, health systems, technology companies, et cetera, are already facing lawsuits for the past year over sharing confidential data with social media giants. There is a study out there done by an independent group that has listed every healthcare provider that they could find that had social media trackers on their website.
It’s most of them. So your name is out there. If you have a website, your name is probably on this list somewhere for this company. So this is a very widespread issue.
What they are saying is that regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosure of PHI. So if you have a user-authenticated web page, so for example, you have a company that you have contracted with who is helping you do scheduling. I log into the scheduling portal. I identify myself, my name, my medical record number, whatever it is you have required. I’m going to schedule my next appointment. That’s fine, but you need a business associate agreement with that vendor because they now have PHI. Even if they’re immediately sharing it back to you and not holding it, it’s still PHI they’ve got.
If you don’t get one with them, then you better have disclosed this in your notice of privacy practices when they signed it. If you didn’t, you’re going to have a problem.
Now this is where it gets interesting. You may need this business associate agreement where there’s no patient relationship, but between the user and the covered entity. This is particularly true for unauthenticated web pages.
So you have a web page and you’ve got, like most healthcare providers out there, or healthcare technology companies even, you’ve got information out there about your product and your tool. So I come in and I click on your blog post about this great new diabetes monitor that you’ve got that’s going to revolutionize my blood sugar. So you now have my IP address, my information, and you have information about a medical condition. This letter that was sent out earlier linked these two things together and said, you now have PHI.
I find this a little difficult and maybe Sarah can jump in and see what she says because the truth is I don’t have diabetes. I was out there looking for my mother, but in the way this letter is written, you now have PHI about me because there’s a medical condition associated with that IP address. It may not be accurate, but you got it. So that’s going to be a challenge.
And then if you have a mobile app that you are offering, they’re subject to the HIPAA regulations and that includes their partner. So if they’re sharing data with someone, you need to know where it’s going kind of downstream. What is your mobile app?
Now keep in mind that does not mean if I come up to you at the hospital and say, my friend is opening this company and they’re going to have this great tool to manage medical records and I want you to share my record with them. You don’t need a BAA in that case because I have asked you to give my medical record to those people and you are required to do so. You might want to tell me, are you sure you want to do this? But if I say yes, you’re going to let me share it and then when it gets posted on the internet, it’s not really your problem.
But if you say we’re using this app and it’s what you should be using, then you are the promoter and you need to be protecting them. You need to have a HIPAA, you’d have a business associate agreement. You need to make sure that you know what they’re doing with the PHI.
Sarah Reckling: Carol, I’m just going to jump in here too with the legal side of this. We have seen lawsuits popping up, especially out of Illinois, talking about these tracking technologies and the violations and where people are selling this information. So just keeping in mind that this is really happening and it is something to really be cognizant of and watch out for.
Carol Amick: So if you do not have a business associate agreement, then you’re going to have to get an authorization for disclosure. Now I know what a lot of people are thinking is we talk about this on our website. This is probably what you’ve got on your website and this is basically the privacy conditions for using a website that are on there. You may even go on, for example, this one goes on, it says following domain. It goes on into a great amount of detail about what Google technologies does with the data, et cetera, et cetera.
Basically what the Department of Health and Human Services wants is your notice of privacy practices. So you’ve got to get, for anybody who’s on your website, looking at medical information for whom you’re getting trackers, you’ve got to get basically agreement before they start looking similar to your notice of privacy practices. And to be honest, I don’t really know how you do that.
But that’s what the requirement really is. If you don’t have a business associate agreement and you’re doing that, then you’ve got to get a notice of privacy practices and this that you have on your website will not meet the standard.
You may also have the notice of privacy practices on your website, you should, but it’s that positive acceptance like you do when they come into your location for the first time and you make sure they’re presented with or aware of your notice of privacy practices. You’ve got to have that kind of positive feedback, and just having it posted on the website, I don’t think they’re going to accept that as the positive acceptance. What is your thought, Sarah?
Sarah Reckling: I agree. This will be something that the lawyers have to hash out as they come along. But I couldn’t agree more with you, but it’s a fine line.
Carol Amick: Based on the feedback they’re giving you, they’re not going to accept that.
We are seeing enforcement actions and what we are seeing a lot of is class action lawsuits here. And, you know, HIPAA doesn’t have a right of private action, but state privacy laws a lot of times do.
This FTC rule appears to be letting people do it. They are, you know, there’s a lot of money in a class action lawsuit for the lawyers. They like them.
Now Advocate Aurora has agreed to pay $12.25 million, Cedars-Sinai has a class action lawsuit going on. I saw one against, I believe it was University of Louisville. There are dozens of these being filed. And I would say probably, you know, these are two fairly large healthcare systems here, Cedars-Sinai and Advocate Aurora. My gut feeling is they’re working their way down the list. So, you know, eventually they will get to those of us who might be, you know, small independent operators, small hospitals, small clinics, that you’re kind of at risk under this as Sarah was talking about. We are definitely seeing an increase in enforcement and in private actions.
The FTC is enforcing this under their rules for people. They have said, GoodRx, which is basically a, you know, pharmaceutical, you’ve seen their ads, they’re paying a $1.5 million civil suit for failure to report unauthorized disclosures to Facebook, Google, and other companies.
BetterHelp, which is an online app for mental health, is facing a $7.8 million payment, with class action lawsuits followed after that.
So a lot of times, Sarah’s talking about those enforcement actions, they’re followed by the class action lawsuit.
So now that we’ve talked about all this, what is your, what do you do to protect yourself?
You must have written authorization from an individual prior to using or disclosing PHI for marketing, for any sale, or for any use or disclosure not specifically permitted under HIPAA.
Social media would be considered, in my opinion, marketing. So you’re definitely going to want to cover this in a disclosure.
Sarah, do you want to talk a little about kind of disclosure requirements?
Sarah Reckling: So authorization requirements, you know, we have a list here, but I just want to highlight a couple, you know, where the disclosures to be made, you know, it needs to be a detailed description of the disclosure, you know, the ability to have the right to revoke authorization, the risk of re-disclosure. You know, these are really things that you want to make sure that you are covering.
Carol Amick: And I would say that if all you have on your notice of privacy practices is we can use stuff for marketing, you probably aren’t going deep enough here and you probably want to step back and think about what do we need to do.
The other thing you need to do is train. You need to have, if you don’t already have a social media policy, write one. Write one and distribute it yesterday.
It needs to clearly outline your expectations on what can be done on social media and what, who, if anyone in your organization is allowed to post to social media. It needs to clearly explain about de-identification. It needs to talk about getting authorization.
And the time to get the authorization is not after the social media post has been made. You need to get it before. I’ve seen that a lot. People scrambling around behind their back going, we shared your thing, can you sign this? No, you got to do it in advance.
The Department of Health and Human Services has a social media policies checklist to help you write this. We will be sending this out, so you will have this link. I would encourage you to really get started on that policy and procedure.
And then you’ve got to train and you’ve got to train everyone. Not just, a lot of times what I see, and I’m not sure what Sarah’s seen, we train the nurses, we train the lab techs, we didn’t train the kitchen staff, we didn’t train the janitorial staff. We might not even train the administrative staff because they don’t actually see patients. So they’re walking through the building and you’re having a Christmas party and they just took a picture and shared it on social media with all the patients at the Christmas party. You’ve got to train everyone.
Sarah Reckling: I can’t agree enough. Not only just having onboarding training, but really truly having annual training. I can’t tell you enough in my experience how many times people forgot that there is a policy and because people are frequently posting on social media and just forgetting a picture of a picture can show personal protected health information. So always truly cannot even stress that enough is to keep training and retraining because it’s not redundant. It is very helpful.
Carol Amick: And pay attention to what’s coming out in social media. Make sure everybody understands it’s all forms of social media. I actually had somebody tell me one time, well, they told us about Facebook and Instagram and training, but they didn’t say we couldn’t use Twitter or X. You know, don’t assume they’re making that jump. You said you can’t use A and B. I’m going to use C. So be sure you cover all social media and as new things come out, send that refresher out. By the way, I know you’re really enjoying TikTok. Remember we can’t post patient information on TikTok.
Sarah Reckling: So just some food for thought while we’re on the subject is, you know, even though we are kind of tempted to, you know, what if we just make a social media policy to restrict it completely?
Well, there’s some thought to that is, you know, social media isn’t all bad. There can be good things. You know, it does boost brand awareness. You can really communicate with the community, you know, give out news about activities, promotions, fundraising, you know, even serving as an avenue for patient resources and even education.
You know, there was a study done that 57 percent of consumers said that a hospital’s, you know, social media presence would strongly influence their choice and where they would go for services. So we are seeing that social media is such a, you know, helpful resource. But you know, as Carol was mentioning in the slide prior, you know, making sure you have a policy and keeping up to date on what new social media platforms are emerging.
I know Instagram has like a Twitter equivalent now, so really making sure that you’re staying on top of that because it is constantly changing and evolving.
Carol Amick: And you have to monitor. After you’ve trained, you’ve got to monitor. You’ve got to monitor your social media accounts to make sure you know what’s posted. If you all have private social media groups, for example, the fourth-floor nurses have a social media group where they trade shifts, they plan outings, you know, whatever, make sure they’re not posting, OK, Mrs. Smith wouldn’t take her medicine. And so we’ve got, you know, that no-no PHI in there.
Periodically search for social media that might have your organization in it. So if I’m one of your employees and I’ve tagged your location, do a search, see what pops up.
I used to have 200 nursing homes. I literally had a schedule where I went into their social media site. Every so often and checked what they were posting and also did a search for what else might be posted. And then control who can respond to posting and what can be posted and make sure that you’ve trained the people who are responding.
This is, as you can tell, a real social media post. I was at, in March 2023, and I received great care. And the marketing department responded, thank you for sharing your experience. Is it a violation? No, but what Sarah thinks is, it’s a little iffy, you know; it didn’t say you were really there, but you’ve got to think about how this comes across.
For some reason something came up recently on my feed about liver transplants. And I saw some responses from a hospital where I was kind of like, yeah, you might not want to go down that road. So be careful.
Make sure you know what is posted and what’s being responded to. If you’re the compliance professional, I would recommend you look to see what your marketing department’s doing. And I had a marketing degree before I moved into compliance way back when. And, you know, compliance is not the top of our training class. I’ll just be honest.
Sarah Reckling: I’ll just add to that, Carol. Just even, you know, responding to these comments is borderline, you know, really questioning whether they’re, you know, signifying that, yes, you were a patient here. So it’s a really fine line, but you should really consider, you know, all aspects of responses as well and kind of what that response says. You know, does it verify that the patient was at the facility? You know, that is something to think about.
Carol Amick: And I want to jump back to a subject Sarah talked about earlier, doctors or caregivers responding to negative feedback. I know it’s very tempting and I know that there are egos involved when you see, and you know, for example, that you did surgery on a patient and they had complications because they didn’t do what they were supposed to do post-treatment. Now they’re blaming you. But fingers off the keyboard. That’s really all you can do: fingers off the keyboard, because responding is probably not going to change their response, their opinion. And it’s certainly liable to get you in trouble, as Sarah showed you with some of those fines.
Okay, now comes the fun one. Audit your websites and apps. So this is the new online tracking thing we were talking about. Identify what tracking is performed and who the data is shared with.
Now you need to audit your website because you may have trackers that have been out there for 10 years that you don’t know about. I mean, we had a company that we just helped do this and they thought they had Google and they thought they had Facebook, and they also turned out to have Yahoo and something we couldn’t even figure out what it was. But you know, there are things out there that you put on there 10 years ago that you haven’t taken off, unless you’ve maybe done a complete redesign in the last few years.
So identify what’s tracking and what data is being shared. Determine if you have a compliant BAA with any vendors. Now I’m going to be positive here. If you are using the Google tracker, or if you’ve got Facebook trackers, you do not have a BAA. They will not sign one.
Google will sign one for other services. They do. So you may have a lot of your applications, for example, your stuff stored in Google Cloud. They’ll sign a business associate agreement for that. They’re not going to sign one for these trackers.
I think it was Google that said it’s OK because as soon as they get it, they de-identify the data. That’s what they’re going to tell you. We’re not signing a BAA because we’re de-identifying the data. I think Sarah would agree with me that the way the law is written, if you give them the data identified, you have shared data with somebody you didn’t have a business associate agreement with.
Once you figure out who this is, you’ve got to perform a breach risk assessment. You’ve got to figure out exactly what’s going on and what you’ve shared and what you’re up against.
And I didn’t put the fourth bullet on here. I probably should have: determine what you want to do going forward. Do you want to just turn these trackers off? Because it’s just going to be a challenge.
Thank you so much for your time today. As you can see, here’s the contact information for both Sarah and me. We’re now going to answer any questions, but if something comes up later, feel free to email either one of us.
We do have a couple of questions. We also have a comment. I believe you’ve asked us for a study on which providers were using tracking technologies. I don’t have that accessible right now, but I will reach back out to you with that information.
So the first question is, if a family member or a patient posts photos that include their family and possibly other patients, do I need to force them to take it down? My initial reaction is no, but I’m going to let Sarah jump in and see what she says.
Sarah Reckling: My initial reaction is no, but also think about that patient that was in the background, perhaps in the picture, they didn’t agree to being posted on social media, right? They didn’t agree to this. They didn’t sign anything. So I mean, it could be a fine line there.
I realize the intent there is very positive and happy, but also keeping in mind that perhaps that patient may not want to be posted on social media, doesn’t like social media. And also, if there’s kind of a connecting point between the photo and perhaps the hospital where they are, that kind of just can confirm that that patient was at that hospital. So again, these are kind of great questions of that fine line of how closely do we need to be monitoring and whether this is okay or not. And this instance, it could be a coin flip.
So I don’t know if you have more to add on that, Carol. I know I’m a little torn, but I could see it going both ways.
Carol Amick: Yeah, my head initially said that if nobody was working for the facility, there’s not a lot you can do. I mean, you can ask if somebody raises a concern, but you may not even know, to be honest, because unless they tag your facility, when you do a search, you’re not going to find it. So it is, you know, I would not spend a lot of time searching Facebook or Twitter or somewhere, looking for instances like that, certainly.
We also have a question about web trackers. If we turned them off, do we really have to figure out whose data might have been shared before I did that?
And I think, unfortunately, yes, you basically are going to have to do a breach assessment. Unless you had met all the requirements, you had a BAA with all the vendors, or you had gotten a notice of privacy practices acceptance, you’ve had a breach. And I would strongly encourage you to go ahead and figure out what you’ve got.
And as we all know from past experiences with enforcement, a lot of times it’s easier to confess up front than to hope you don’t get caught because the fines are bigger if you appear not to have been cooperative. So I would recommend you go ahead and do the breach risk assessment.
Now, you also are looking at the fact that you probably didn’t share things like social security numbers or even driver’s license numbers yourself. So I wouldn’t necessarily think that you automatically have to go straight to, I’m going to credit monitor for everyone, but you would want to let them know their data have been shared.
Sarah Reckling: Carol, I’m just going to jump in for a moment and just as a reminder for those penalties that I went over and how there’s a tier system, if you know this happened and you’re not really doing some due diligence there, you do jump up tiers with penalties if you get caught because there’s an intentional factor there. So just keep that in the back of the mind, like Carol said, just be upfront.
Carol Amick: So the website, somebody said my website proactively requires that you accept or reject cookies. Wouldn’t that indicate that the user is aware of the tracking risk?
Certainly it would indicate that the user is aware of a tracking risk. But if you read the HHS guidance, that’s not going to be a get-out-of-jail-free card, so to speak. That’s basically just more back to kind of the data privacy side of this. And one of the things about the website that we didn’t really cover is, you know, that point about Google, that statement about Google trackers and all that. There are two sides to this privacy part on the website. There’s the electronic privacy, you know, for the website, and then there’s the HIPAA risk. So that cookie side is covering you to some extent on some of those electronic requirements, maybe state laws, et cetera. And the GDPR has some very strict laws on that, but it’s not covering you on the PHI side of the business. So you would still need to do something else.
And I don’t believe we have any other questions. So I think I’ve covered everything else. But as we said earlier, you’ve got our email addresses and we would certainly be glad to respond to anything you have in mind. We will also be sending out the recording with the slides to everyone who is registered. And we certainly thank you for spending your time with us this afternoon.