S1 E1: Web Trackers and HIPAA Compliance


Jordan Eisner: Welcome to Compliance Pointers. Our goal with this podcast is to deliver both in-depth and actionable information pertaining to information security, data privacy, and other regulatory compliance news, trends, and challenges. So, look forward to more content after today.

In this episode, we’ll be discussing web trackers and HIPAA compliance. The HHS and FTC issued a bulletin warning that the use of web trackers on websites and apps could result in HIPAA violations. In addition to this episode, we’ve got a blog post on our website titled, Does My Website Need to be HIPAA Compliant, that I’d encourage all of our listeners to check out.

So who am I? My name is Jordan Eisner. I’m the VP of Sales at Compliance Point. In a couple of months, I will have been with the organization for 10 years. In that time, I’ve worked with hundreds of organizations on a variety of regulatory and risk management initiatives.

You might be wondering who is CompliancePoint. CompliancePoint is a mid-size consulting firm that specializes in helping organizations scale and reduce risk by maturing their data security and privacy operations.

So with me today, I’ve got Carol Amick. She’s Compliance Point’s healthcare practice lead and the main HIPAA guru, as I like to call her. Carol, thank you for joining. So, Carol, I’m going to let you introduce yourself a little bit, talk about your background. I think it’s worth noting for our listeners that you spent time on both the consulting and the client side. Aside from that, why should someone listening consider you an expert on these matters?

Carol Amick: Well, I’m not sure expert is the perfect term, but I will say that I have an extensive background with HIPAA. I’m dating myself a little, but I’ve been working with it since the regulations first came out. And I have worked as a privacy officer for health care providers, post-acute, and for acute care providers. And I’ve also, as Jordan said, done some consulting when I was with one of the big four before

I came over to CompliancePoint, helping people comply with these regulations. And finally, unfortunately, I have had to respond to investigations from the Department of Health and Human Services regarding HIPAA violations. So, I’ve got a lot of exposure and experience working in this area. There you go.

Jordan Eisner: And you were only a teenager when HIPAA came out. You just were an early starter. So we’re going to do some Q&A on the topic. So I think first and foremost, right, can you just give us the nuts and bolts? What was in the letter from the HHS and FTC? What does it mean? Give us your general overview.

Carol Amick: So the letter was sent out to healthcare providers and it said that the Department of Health and Human Services, who traditionally has regulated HIPAA, and the Federal Trade Commission, which is not an organization that a lot of us working in healthcare have spent a lot of time thinking about, or had concerns about the fact that protected health information, our private information, was being shared with these organizations via web trackers.

So you would have on your website a web tracker, and you would share that information with Google or Facebook or Meta and they would basically help target your advertising and what you told your patients, people who are on your website. The letter brought up some real concerns about the fact that this was protected health information. I think for most of us, this is not something we had traditionally considered protected health information.

To me, the big expansion almost was that the letter pointed out that if I go on a website you now have my IP address, and that is identifiable information. And I start looking up information, say, on cancer treatments. The letter says you now have protected health information about me to go with that IP address because cancer is a medical condition. In my mind and people I’ve talked to, it’s kind of a leap. I mean, I could be on that website looking up information related to a friend, a family member, not necessarily myself. But they have made this into protected health information that you needed to treat as such and disclose what you were going to do with before you started tracking it on those web trackers. And that’s where the gap is happening is identifying it early on.

Jordan Eisner: And it’s not a certain, this question might not even be a right question for this, but just trying to understand it, right, as a general listener. It’s not a combination of data on the site, right? It’s just that you were there and it’s that IP address and they see these organizations, these entities that somebody from this IP address was looking at this specific topic.

Carol Amick: It is kind of that combination to become protected health information. Now the FTC rule is a little different, but for the HIPAA regulation, it does become, if you were just going to website and they didn’t do anything, it might not be, but anything you do on that website that relates to, potentially relates to a medical condition, kind of brings it into that protected information.

Now I will say there is another condition on this. If I go on the website and I have to authenticate. So let’s say your website lets me make an appointment for doctor’s visits and I have to authenticate, that definitely is protected health information. And so if there’s a tracker in that part of the website where I’m in there going, okay, I need an appointment next Tuesday at two, then you definitely have PHI and they aren’t even having to make the leap. And they also have, of course, more than just the IP address.

Jordan Eisner: That example you just gave is authenticate a website where you have a login. You’ve probably given some sort of consent at that point previously. What we’re talking about today is more so unauthenticated visits and traffic, right?

Carol Amick: So on the authenticated website, if you have covered this in your notice of privacy practices when you first started working with the patient or if you have a business associate agreement with somebody who’s helping you run that authenticated website. So if you have a company that helps you with this doctor scheduling and you have a business associate agreement, you’re probably fine there. You’ve got it kind of all tracked and together. We’ll talk later, I think, about business associates. So you may have done that in advance. So on the authenticated websites, I would think a lot more times you’re going to be covered by that notice of privacy practices that you gave that patient or their responsible party the first time you started treating them. So you’re probably much safer there than you are on the unauthenticated, which is, you know, as I said, I was on a recent hospital website looking up something related to my mother’s medical condition using this guidance from HHS. It’s now my PHI, even though it’s not a condition I have.

Jordan Eisner: Yeah, that’s an interesting one, too, right? Caretakers or people viewing on behalf of their family members and how that’s going to be viewed in terms of, you know, the sensitive data and is the PHI and what organizations then need to do with that. Any insider thoughts on that?

Carol Amick: They’re saying it is PHI. And I know it’s happening. I mean, I can tell you, I’m sure all of us have had this happen. You go and you research something online. You read the article that the local medical company put out about some fancy new technology or something. And then you log into Facebook and you get an advertisement 30 seconds later for something related to that. So they’re saying that’s PHI. Now, as I said, in my case, for example, I was looking at my mother and I don’t think it’s my PHI, but I didn’t get to make that definition. I do think there’ll probably be some lawsuits challenging it, but I’m not a lawyer and all those qualifications. So I can’t tell you where this might eventually end. But for right now, it is considered protected health information.

Jordan Eisner: It looks like I’m jumping ahead a little bit here, maybe. But it looks like some organizations might already be in lawsuits for this. We mentioned Meta. We mentioned Google.

Carol Amick: There are, in addition to the government regulatory actions, and some of this is where the FTC comes in because there appears to be more private right of action under those rules than there is under HIPAA rules. So those of you who are familiar with HIPAA know there’s not really a private right of action, but this also crosses into the FTC. And also, depending on what state you’re in, there’s probably some state regulations. And so we are definitely seeing lawsuits, very large settlement lawsuits. App and Aurora, I think, put over a million dollars recently on their lawsuit. There’s a lot of lawsuits out there. There is a company that actually went out and did a study of websites and found for the top 90 healthcare providers. I think they’re probably looking at it by size. In the United States, almost all of them have website trackers. You can pretty much be guaranteed that there’s a lawyer probably someplace working on a class action lawsuit. For example, I saw where somebody filed a lawsuit against the University of Louisville and was attempting to bring that to class action. So in addition to HHS, you’re definitely also looking at some class action lawsuits. And of course, there’s what I call the six o’clock news risk when this starts hitting the media. What have you been doing with my health information? Who have you been sharing it with? As a compliance officer, I know what happens next. My phone starts ringing because people want to know what we’ve done with your data. So you’re the compliance officer you’re going to start getting phone calls and questions about this.

Jordan Eisner: So not only is it bad press, it’s more work.

Carol Amick: Yeah, it’s more work.

Jordan Eisner: Probably should have gone into a little bit earlier, but we were talking about unauthenticated versus authenticated websites. Most people might know, most people might not know what that means. Authenticated, I think you gave a good example, usually requires some sort of login. Unauthenticated is just any viewer. There’s no login required. For instance, for our listeners, if you go to compliancepoint.com, that’s an unauthenticated website. We don’t require you to log in or anything. A lot of websites and these healthcare providers might have that sort of website that’s tracking your IP address and other information.

Carol Amick: So most, a lot of you may be familiar, for example, Epic, which is one of the largest electronic medical records companies in the world, has an app and website thing called MyChart. You may be familiar with that. And that is one where you would be authenticated because you want to go in and look up your medical condition or information on the test they ran on your kid the other day or something. You just log in. So you have a login. So that will be authenticated. A lot of medical providers and business associates who provide services to them have those authentications too. But then you also generally would have on the front door of your website, the unauthenticated stuff where you could just go cruising around and looking at what kind of services you provide and stuff without having to identify yourself.

Jordan Eisner: Good overview. Epic is definitely some of the neatest offices I’ve ever seen in the middle of nowhere Wisconsin, farmland when driving past it.

So what does this mean for healthcare organizations? I guess specifically covered entities, right? Ones providing care that have these websites.

Carol Amick: So if you are a covered entity, I’m just going to say, and you’ve got a website, it probably has website trackers on it. And there are benefits to this too. You want to know. That’s why CompliancePoint has website trackers. We want to know what people want to know. And you want to know what people want to know. The challenge is that if you are sharing it with some of your major people on this tracking field, which will be Google and Meta Facebook, they are not signing a business associate agreement with you. They are taking that data from you as identifiable and working with it. And some of it’s for feeding you information back. Some of it’s they’re doing stuff with it. I think one of them, and I want to say it’s Google, but I may be wrong, has said, well, it’s okay because when we get the information, we then de-identified. If you’re a covered entity, you cannot share that data with them, identify, even if they are going to de-identified unless you have that business associate agreement and they are not signing that.

Now some of you I know have business associate agreement with Google, for example, if you use their cloud service provider, you have a business associate agreement with them. Keep in mind, like a lot of big companies, they have different divisions and areas. So your business associate agreement you’ve got for your cloud service provider is not going to cover this web tracking technology.

Jordan Eisner: Okay, that’s a good point. And I’m thinking too just in terms of trying to communicate with a Meta or a Google, right, and talking about realistically getting the BAA in place. I mean, let’s not say it’s impossible, but that would be very challenging. So what are your options?

Carol Amick: We have seen some people starting to use more locally developed and controlled website trackers, so they’re not going to be using the Googles, the Yahoos, the Facebooks because the options are not good with that. Now if you could figure out a way to de-identify it before it leaves your control and goes to theirs, then you can keep using them. I’m not a, well, my background is not that strong in technology to tell you if that’s even feasible, but it would definitely be difficult. Probably very expensive and time-consuming.

So what I’m hearing from our clients is they’re looking at what other technologies can be used besides some of the biggies that will sign agreements with us.

Jordan Eisner: Okay. What about mobile applications?

Carol Amick: So mobile applications are interesting. One of the other initiatives of the Department of Health and Human Services is to give all of us access to our medical records. And so I might have a friend who’s developed a great mobile app that I’m going to use for all my medical record information, I’m going to track all my results. And so I can come to any healthcare provider and say, I want you to give me all my information and we’re going to, and once you send it to Bubba Gump’s healthcare application and you might say to them, are you sure about this? And you’re like, yeah, yeah, I want it to go there. And that’s fine. You, the provider don’t have any obligation to make sure that app is in good shape. The patient is the one who’s directing it. You’re just giving it to them. It’s done. But if you have one, for example, we talked about MyChart a minute ago, they have an app. If you have developed your own kind of in-house app that you’re steering people too, then it does need to comply with the HIPAA regulations. And generally, most of you would be using a business associate to help you do that, a vendor. That you do need a business associate agreement with that vendor who’s helping you run that app unless you’re completely running an in-house. So if you’ve got a vendor and there are a lot of them out there who are helping you with this kind of thing, helping you market it and they’ve branded it for you, you want to be sure you’ve got an agreement that makes sure they’re doing the right thing with the protected health information.

Jordan Eisner: Most applications, right, I think I could be wrong on this, are going to have some sort of authentication layer too, right? Or what about even just downloading the app? Could you then maybe be consenting to the sharing of the data inside? Is it a little bit more protected than I guess an unauthenticated site?

Carol Amick: Yeah. I mean, most of these applications you’re going to be up to have to opt into it. What you don’t know, what you need to be, if you’re directing your clients and your patients towards an app, you need to make sure that they, if they’re using web tracking with what’s going on inside that app, that they are not sharing that data outside of the environment without the appropriate controls. So we’re talking about your downstream concern. You know, you can’t just get me to sign, if I’m your partner, you can’t just get me to sign a business associate agreement and assume I’m doing the right thing. You want to ask some questions.

Jordan Eisner: I thought BAAs were fail-safe.

Carol Amick: You know, and this is kind of off-topic, but a couple of years ago, some of you may have heard about a big breach related to a collection agency. The collection agency was collecting for some very large lab companies. I would almost bet the lab companies didn’t even know that company had their data. They had an agreement with company X, company X then shared the data with company Y and company Y did not have adequate controls, but who paid the fine? Who did the reporting? Who got the bad publicity? It was the big lab companies. So yeah, you can kind of pass the BAA gives you some protection, but if there’s a breach, you’re going to be the ones dealing with the fallout.

Jordan Eisner: We see that here at CompliancePoint HIPAA, PCI, regulatory compliance everywhere downstream, vendor management, vicarious liability.

Carol Amick: We spend a lot of time helping our vendors, helping our clients prove to cover entities and others that they are protecting that data because people are aware of that. But you do have to keep going downstream. You can’t stop just one downstream. You have to ask some questions.

Jordan Eisner: And I want to come back to that with the business associates, especially given a lot of clients we work on that side and where that relates, but one more on the BAA. If you don’t have a BAA, what should you do?

Carol Amick: Stop sharing the data. That’s step one. Turn it off. Then you’re going to have to do a risk assessment. What have you shared? How much have you shared? And you’re going to have to start looking into the reporting at that.

Jordan Eisner: A risk assessment or a breach?

Carol Amick: A breach risk assessment. So basically you’re going in, you’re saying, okay, what have we shared? Was it PHI under this definition? And what’s next? What are the next steps? I would recommend that you go ahead and look at that and be realistic. This is going to be hard sometimes to figure out too. It’s going to take you a little while to figure out what all you’ve shared. This is not necessarily, I know that certain application was breached and the following 50,500 patients were affected. This is going to take you some time to dig through.

And then there’s even how do you notify? If all you really have is very limited data, you’re probably going to wind up having to do alternative notifications and putting it on your website. And so you probably want to get your lawyer, your legal counsel involved in this pretty early. But I would recommend you do the breach risk assessment and start basing where we are. Obviously the government is looking, obviously private attorneys are looking. This is one of those cases where you want to be ahead and not behind.

Jordan Eisner: So just to double down on that from the healthcare expert, you don’t have a BAA right now and you could be tracking some of this data, IP addresses. You recommend doing a breach risk assessment?

Carol Amick: I recommend a couple of steps. What we’re suggesting to our clients is one, go on your website and go through it with the fine-tooth comb. Make sure you know where all of your trackers are. One of the things we’ve already discovered is there are probably trackers on there that you don’t know about unless you really recently designed it top to bottom.

Jordan Eisner: And not just one page, right? All pages, not just heavily tracked, but a comprehensive.

Carol Amick: Not just the homepage. And then go in there and figure out where it was going and what was being sent and then who was impacted. So it’s going to take you a little while to do all that. The only way out of that would be if before you let anybody on your website, you made them agree to your notice of privacy practices or basically had a confirmation that they had access to it, knew it was available and you were going to share their data with these vendors. And I know of no one who’s ever done that.

Jordan Eisner: I know I said I was going to ask about the business associates next and maybe I’m keeping those listeners waiting, but that’s a pretty big thing to do that, right?If you figure that out, you don’t have the BAA and you do the breach risk assessment and you said it’s not going to take a little while, right? You know, this is going to take some time. You’re talking about engaging internal counsel, maybe even outside counsel. Why should somebody feel they have to do this, right? What sort of enforcement actions, what sort of penalties are organizations facing for this noncompliance? It still seems a little bit, as you said earlier, a leap on some of this and whether or not it’s PHI or a breach.

Carol Amick: So we’re definitely seeing some FTC enforcement. They have definitely good health and better health. I think it is basically good RX, sorry, good RX and better health. They have already fined them considerably for sharing this data. So we are definitely seeing FTC enforcement with the HIPAA rules the way the government figures out your fines, part of it is your level of cooperation. So if you knew or should have known of a breach and you just ignored it and they find out about it, you will probably face, you will, excuse me, you will face more enforcement action than higher fines than if you had said, okay, we had a breach. Once we figured out we weren’t in compliance, we stopped, we went bad, we did all those things. So you’re lessening the risk of what your regulatory enforcement could be once it is found out. And to be honest, if lawyers are filing private action lawsuits, they’re kind of driving the Department of Health and Human Services right to you. They’re showing the Health and Human Services that you are accessible and at risk of this. And I think there were, by the time the letter we talked about, which was sent out earlier this year, went out, there were already 21 hospitals facing class action lawsuits. So they know it’s out there. They wouldn’t have sent the letter if they weren’t planning to enforce it. It’s not, yeah, they’re giving you the warning shot across the bow, so to speak.

Jordan Eisner: So I would say that adds almost a step earlier when you talk about what you should do if you don’t have a VA and discovered that you gave the point, stop what you’re doing, go through your website with a fine-tooth comb, do a breach risk assessment. And then I think it’s important to talk about the importance of documenting all of that, right? Because you just said the fines are going to be worse, right? The enforcement could be worse if you can’t showcase that you did all those and you took those steps. So documentation and being able to show that paper trail is very important. Yeah, you want to show your paper trail of what you’ve done.

Carol Amick: You want to show your paper trail of who you identified was impacted and then how did you contact them. And there are requirements laid out in the breach notification rule for notification of affected individuals. I would say the normal method is US mail, in this case, most of you are going to have to use an alternative method because I would bet that you may not have postal addresses for a lot of these people. So you’re going to have to do media releases and website notifications where you put it on your website. So you’re probably looking at trying to figure out who can you notify the old-fashioned way via US mail and who are you going to have to notify on alternative methods.

Jordan Eisner: Which I’m sure the marketing teams will love. So back to the business associates question. What does it mean for them? All this we’re talking about because we’ve mainly been talking about covered entities here.

Carol Amick: So if you’re a business associate, you signed that agreement and it says you’re going to comply with all of the HIPAA regulations and the HIPAA regulations include related to what you’re doing with protected health information on your website. So if you are a business associate of a covered entity, the hospital, and they get directed to your website to learn about features they’re providing and stuff, and you’re doing website tracking, you’ve signed this agreement. You’ve got to make sure you’re doing basically the exact same thing the covered entity is doing. Do you have a business associate agreement with that? We’re talking about downstream. So if you’ve signed a business associate agreement, remember that your liability is now to comply with all these regulations. You said you were going to do that. I think a lot of people sign these and don’t realize that’s what they’re getting. And the other thing I would look at right now is what does it say about you reporting to your covered entity? I think a lot of times I see people get a business associate agreement and the covered entity has said within 24 hours you’re going to notify us about your breach. Having worked some breaches, within 24 hours most of us are still trying to figure out who’s on first, much less to have any idea of how big the problem is, what we got. So you probably want to start working with your covered entities now and letting them know what you’re doing. I think staying ahead of the curve, letting them know you realize this has come out and you know what’s going on, we’ll build you, trust Goodwill. When I was at a provider, we had a major ransomware with one of our vendors. And the reason they didn’t lose us as a customer was day one, honesty, trust, upfront. So be as upfront as you can with your covered entities, I would advise. So they know, okay, we know we’re aware of the risk and we’re dealing with it because they’re the ones who are going to have to actually report it in most cases to the Department of Health and Human Services. We report it to them and they report it to the Department of Health and Human Services.

Jordan Eisner: The truth will set you free. Okay, so the business associates and the ones in the middle, they could potentially be in breach of their business associate agreement. If consumers are visiting their website and looking at the services, they could potentially have a PHI breach. And then they also have to worry about their downstream vendors too, if they’re sharing some of that tracking.

Carol Amick: Yeah, so what are they doing with the data? You know, where is it going? What happens to it?

Jordan Eisner: So they could be of interest for HHS or FTC. They could be of interest in losing clients into the covered entities.

Carol Amick: So if you’re a business associate and then you have a vendor that you’re using to sign a business associate agreement because it’s downstream, then the regulations just keep going down the food chain, so to speak.

Jordan Eisner: And the liability doesn’t necessarily go with it.

Carol Amick  No.

Jordan Eisner: So in wrapping it all up, right, maybe reiterate some of your points, you know, what steps can businesses, covered entities, business associates alike, right, what can they do to protect themselves?

Carol Amick: I think really at this stage, I would definitely be getting with my marketing department, getting with anybody else and making sure that I start dealing with where your trackers are. I think a lot of people have not taken that first step. You know, we’ve talked to a lot of people that we’ve given advice on, we’re giving them some guidance and helping them with this, but that’s your first step. You’ve got to figure it out. Also make sure you know where all of your websites are. If you are a large covered entity, for example, with several hospitals and clinics, make sure somebody hasn’t set up a website advertising something you didn’t know about. You know, I know people are thinking that would never happen. I have found entire departments people didn’t know about, so I’m firmly committed somebody can set up a website without you knowing about it and running into a lot of marketing departments.

Jordan Eisner: So Carol, thank you. It’s been very insightful information. Really appreciate your time. If somebody listening wanted to get in touch with you, how might they go about that?

Carol Amick: So you are welcome to email me. My email address is camick@compliancepoint.com. You can go on LinkedIn. I get my messages that people send there. And I know Jordan’s going to give you details on how to get in touch with all of us at CompliancePoint. So I’ll let him cover that.

Jordan Eisner: Well, thank you, Carol, and thanks everybody for listening. As mentioned, we’re going to produce content like this on a regular basis. Make sure you subscribe and don’t miss future episodes. And if you are interested in talking with Carol, learning more about CompliancePoint, go to our website. We’ve got contact email addresses on there and back connect at compliancepoint.com is one way you can email that directly or you can reach out to Carol directly. She gave her email address. You can reach out to me directly. At Jeisner@compliancepoint.com. Or you can message us on LinkedIn. Thank you.

Let us help you identify any information security risks or compliance gaps that may be threatening your business or its valued data assets. Businesses in every industry face scrutiny for how they handle sensitive data including customer and prospect information.