Health care and health care-adjacent organizations are seeing a steep increase in risk arising from the frequently utilized third-party analytics and advertising services on their websites, mobile applications, patient portals, and other Internet-connected services. Those organizations should pay attention to new regulatory guidance, published settlements with regulators, and an onslaught of class action filings stemming
HIPAA Security Standard
HHS OCR Issues Bulletin on HIPAA Compliance for Tracking Technologies
The Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) recently issued a bulletin highlighting the application of Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to covered entities and business associates (“Regulated Entities”) under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies that collect and analyze information about how internet users interact with websites or mobile applications (“Tracking Technologies”). While the Bulletin emphasizes that Regulated Entities have always been prohibited from impermissible uses and disclosures of protected health information (“PHI”) collected through Tracking Technologies, including disclosing PHI to Tracking Technology vendors without entering into business associate agreements (“BAAs”), OCR has been relatively silent on this issue to date.
To highlight the application of HIPAA to Regulated Entities leveraging Tracking Technologies, the Bulletin provides several examples of how Tracking Technologies may collect and share PHI, including on authenticated and unauthenticated webpages, as well as mobile apps. In particular, the Bulletin describes how websites and mobile apps commonly use Tracking Technologies to collect information from users, including identifiers that are unique to users’ mobile devices. This information can then be used by the owner of a website or app, a related vendor, or a third party to gain insights about users’ online activities and to create a unique profile for each user. These insights and information can be used in beneficial ways to help improve care or the patient experience, but they can also be misused to promote misinformation and for other detrimental purposes.
In a nutshell, OCR’s Bulletin stresses that when an individual uses Regulated Entities’ websites or mobile apps, information such as the individual’s medical record number, home or email address, dates of appointments, IP address, geographic location, or medical device ID may constitute PHI subject to HIPAA and should be held by Regulated Entities accordingly. According to OCR, such information generally is PHI, even if the individual does not have an existing relationship with the Regulated Entity and even if the information does not include specific treatment or billing information like dates and types of health care services. Per OCR, this is because the information connects the individual to the Regulated Entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for careContinue Reading HHS OCR Issues Bulletin on HIPAA Compliance for Tracking Technologies
ONC Updated Electronic Health Information Privacy/Security Guidance
The Office of the National Coordinator for Health Information Technology (ONC) has released a revised Guide to Privacy and Security of Electronic Health Information. The guide is intended to help health care providers – especially those from smaller organizations – address federal health information privacy and security requirements in their practices. The new version…
Stolen Unencrypted Laptops Results in HIPAA Settlements for Two Health Companies
Two more health care companies have settled potential violations of the HIPAA Privacy and Security Rules arising from the theft of unencrypted laptops by paying a total of almost $2 million and agreeing to continued oversight by the HHS Office for Civil Rights (OCR). In both instances, the breaches were self-reported and the settlements resulted…
HHS Releases HIPAA Security Risk Assessment Tool
HHS has developed a Security Risk Assessment (SRA) tool to help providers comply with a Health Insurance Portability and Accountability Act (HIPAA) requirement that covered entities conduct a risk assessment to ensure compliance with HIPAA’s administrative, physical, and technical safeguards and to determine where electronic protected health information could be at risk. The SRA tool is…
OIG Concludes OCR Slow to Enforce HIPAA Security Rule and Comply with Cybersecurity Requirements
The OIG has concluded that the HHS Office for Civil Rights (OCR) is not adequately overseeing and enforcing the HIPAA Security Rule. In short, the OIG found that OCR failed to provide for periodic audits, as mandated by HITECH, to ensure that covered entities were in compliance with the Security Rule, and instead continued to…
HHS Proposed Rule on Health Plan Certification of Compliance Requirements
On January 2, 2014, HHS published a proposed rule to promote more consistent testing processes for “controlling health plans” (CHP) to enable these entities to better achieve and demonstrate compliance with HIPAA standards and operating rules. Specifically, the rule would require a CHP to submit documentation demonstrating compliance with HIPAA standards and operating rules for…
It’s Here: OCR Releases Long Awaited HIPAA/HITECH Final Rule
The Office for Civil Rights (“OCR”) of the Department of Health and Human Services released today the long awaited, and much anticipated, omnibus final rule modifying the HIPAA Privacy, Security, Breach and Enforcement Rules. The final rule, which implements the statutory requirements of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”), is comprised of four final rules and addresses the July 2010 HITECH proposed rule, the Breach Notification and Enforcement interim final rules, as well as the October 2009 GINA proposed rule (collectively, the “HITECH Final Rule”). Notably, the HITECH Final Rule does not address the May 2011 proposed accounting and access report rule.
Continue Reading It’s Here: OCR Releases Long Awaited HIPAA/HITECH Final Rule
OCR Announces First HIPAA Breach Settlement Involving Less than 500 Individuals
The HHS Office for Civil Rights recently announced its first settlement and corrective action plan following a HIPAA breach affecting fewer than 500 individuals. Additional information about the settlement is available on Reed Smith’s Life Sciences Legal Update blog.
Awaiting the Final HITECH Rule: HURRY UP AND WAIT!
As the year draws to a close, industry is speculating about the release date of the long-awaited Health Information Technology for Economic and Clinical Health Act (“HITECH”) final rule, which is expected to address modifications to the Privacy, Security, Enforcement, and Breach Notification Rules. While the publication date has not yet been announced, it is…
GAO Examines HHS Action on Privacy and Security of Prescription Drug Data
The GAO has issued a report entitled “Prescription Drug Data: HHS Has Issued Health Privacy and Security Regulations but Needs to Improve Guidance and Oversight.” The report assesses the extent to which HHS has established a framework to ensure the privacy and security of Medicare beneficiaries’ protected health information when data on prescription…
New ONC Health IT Resources
The HHS Office of the National Coordinator for Health Information Technology (ONC) has released a “Guide to Privacy and Security of Health Information,” which is designed to help practitioners, staff, and other professionals better understand the role privacy and security play in the use of electronic health records (EHRs) and Meaningful Use. In…
Safeguarding Health Information: Building Assurance through HIPAA Security Conference (June 6 & 7)
The National Institute of Standards and Technology (NIST) and the HHS Office for Civil Rights are co-hosting a conference on Safeguarding Health Information: Building Assurance through HIPAA Security on June 6 and 7, 2012 in Washington, D.C. The event will address the present state of health information security, and practical strategies, tips and techniques for…
OCR Launches HIPAA Privacy and Security Audits
To implement the HITECH Act’s mandate for the HHS Office for Civil Rights (OCR) to perform HIPAA audits, OCR has just announced that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. The pilot phase will include an initial 20 audits between November…
OIG Reports on the Security of Electronic Patient Health Information
The OIG has released two reports on health information technology (HIT) security issues. The first report is entitled “Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight.” The review, involving seven hospital audits, the OIG concluded that CMS’s oversight and enforcement actions were …