The OCR and FTC are investigating online tracking technologies

We wrote about this back in December 2022, but the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) has added an additional warning. The OCR has confirmed its active investigations nationwide to ensure compliance with HIPAA. The use of online tracking technologies and HIPAA requirements must be reviewed on all medical websites.

The OCR and the FTC are cautioning providers about the privacy and security risks when utilizing online tracking technologies. These may be integrated into websites or mobile apps. Depending on how they are created and set up, these technologies may be disclosing personal health information to third parties. Tracking technologies collect and analyze information when visitors use websites or apps. Most of the time, this information is shared directly with third parties and even track the visitor when they navigate away from the website or app.

Online tracking technology can be used for good, but patients should not have to sacrifice their personal information in the process. The OCR and FTC sent letters to 130 hospital systems and telehealth providers to emphasize the risks and concerns about the use of these technologies, such as the Meta/Facebook pixel and Google Analytics. These are just a couple that are known to track a user’s online activities. These tracking technologies gather identifiable information about visitors, usually without their knowledge.

The minimum necessary rule must be followed even with modern technology. This means only the minimum necessary information can be shared to complete the task, nothing more. The OCR enforces the HIPAA rules and will review all aspects of your compliance if they receive a complaint, or if you have a data breach. 

The FTC’s role in is protecting the public from deceptive or unfair business practices. This includes unfair methods of competition, promotion, research, and education. Through FTC’s recent enforcement actions against BetterHelp, GoodRx, and Premom, the FTC has put companies on notice that they must monitor the flow of health information to third parties that use tracking technologies integrated into websites and apps. The unauthorized disclosure of such information may violate the FTC Act and could constitute a breach of security under the FTC’s Health Breach Notification Rule.

Companies not covered by HIPAA still have a responsibility to protect against the unauthorized disclosure of personal health information—even when a third party developed their website or mobile app. When working with a website designer or marketing group, be sure to fully vet them for their HIPAA compliance efforts. Even if they have worked with other medical practices. Being HIPAA compliant is more complicated now with all the modern technology and they must jump through the same hoops as a medical practice. Just because they say it will help you with your practice, doesn’t mean it is acceptable under the HIPAA rules. Trust but verify!

Aris Medical Solutions has an online system called the HIPAA Keeper™, to help covered entities and business associates get compliant and stay compliant with HIPAA!

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

To read about actual HIPAA fines, click on our Education tab!

Business Associate fined for a data breach UNDER 500 patient records

Most of us are familiar with fines for data breaches of over 500 patient records. This time a business associate was fined $75K for 267 records.

Covered entities are responsibility to vet their business associates. This includes making sure they understand the HIPAA rules. Such as, conducting risk assessments, determining vulnerabilities and how to mitigate them, and maintaining proper HIPAA policies and procedures. While it is unusual to see a fine like this for under 500 records, this says the Office for Civil Rights (OCR) is now setting fines for breaches under 500 patient records. If this business associate had done their due diligence and had tried to be HIPAA compliant, I truly doubt they would have been fined. Compliance can be achieved in 7 Steps with our HIPAA Keeper System!

Do not be afraid to ask who conducted and when their last risk analysis was updated. Ask if you may see a copy of their data security policies. Ask for their HIPAA training certificates or a training list of employees who will be working with your practice.

iHealth Solutions, LLC (doing business as Advantum Health), a Kentucky-based business associate that provides coding, billing, and onsite information technology services to health care providers has paid $75,000 to OCR and has agreed to implement a corrective action plan.

Under the terms of the settlement agreement, iHealth Solutions will be monitored by OCR for two years to ensure compliance with the HIPAA Security Rule. iHealth Solutions has agreed to take the following steps:

  • Conduct an accurate and thorough analysis of its organization to determine the possible risks and vulnerabilities to the electronic protected health information it holds;
  • Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information;
  • Implement a process to evaluate environmental and operational changes that affect the security of electronic protected health information; and
  • Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures.

Sound familiar? YES, this is what covered entities are required to do! Business associates and their subcontractors (business associates of business associates) are required under HIPAA to follow the same rules and regulations as covered entities. Making sure you have a business associate agreement (BAA) in place is only the first step!

Let your business associates know Aris Medical Solutions has an online system called the HIPAA Keeper™, to help them get compliant and stay compliant with HIPAA!

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

To read about other actual fines, click on our Education tab!

Could terminating an employee trigger an OCR investigation?

When it is time to terminate an employee, it is never easy. Whether they are a short- or long-term employee, it can be difficult. Sadly, if you make a mistake you can end up with a complaint filed against you. These types of complaints can range from the wage and labor board, discrimination, or simply wrongful termination. This does not typically involve the Office for Civil Rights. However, if a disgruntled employee contacts the OCR to complain about ANOTHER issue, this could open the door for an OCR investigation. Best practice is to make sure you have proper HR policies in place alongside your HIPAA policies and procedures. Having an Employee Confidentiality Agreement is a good start to ensure your employees understand the requirements under HIPAA (which is included in our HIPAA Keeper™).

Now let’s talk about your employee manual. This is a must have for all organizations, small and large. This manual should have clear and concise guidelines so that employees understand the conditions of their employment and benefits they are entitled to. This should also include the hiring process and the termination of employment.

Here are some key areas that should be included in your employee manual:

  • Work eligibility – OIG exclusion requirements – Background checks (Random)
  • Employee classification- fulltime/ part time
  • Exempt and non-exempt definition
  • Hours of work including flextime
  • Lunch and rest breaks
  • Overtime
  • Vacation – Sick – General paid time off (bereavement, jury duty, military, etc.)
  • Payday – Payroll deductions- Wage garnishments
  • Expense reimbursements
  • Advances
  • Employee benefits – Health Insurance – Workers’ Compensation – Etc.
  • Employee conduct – Attendance – Punctuality – Personal grooming
  • Employee sanctions – Insubordination – Termination
  • Personnel records
  • Use of company property – Internet use – Email – Etc.
  • Patient and employee privacy
  • Drug and alcohol use testing

There are other areas that should be included. These are just what comes to mind at first. If you do not have a complete employee handbook, contact us and we may be able to recommend a company that can help you.

As with HIPAA, employee documentation is VERY important!

If you are using our HIPAA Keeper™ 7-step system, you are well ahead of many other practices with HIPAA documentation. If you are not using our system, Click here to find out more how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

OCR announces the formation of a new Enforcement Division

The U.S. Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), announced the formation of a new Enforcement Division, Policy Division, and Strategic Planning Division. Is more HIPAA Enforcement on the way?

The newly established Strategic Planning Division will coordinate the OCR’s authorities to protect civil rights and health information privacy as well as expand data analytics and coordinate data collection across the HHS leadership.

“As a trusted advisor and leader of the newly established division, Luis Perez will direct the standalone Enforcement Division that will provide vital integration between our regional offices and headquarters staff to swiftly investigate and determine appropriate steps for all complaints we receive,” said Director Fontes Rainer. “This structure will enable OCR staff to leverage its deep expertise and skills to ensure that we are protecting individuals under the range of federal laws that we are tasked with enforcing.”

The OCR will rename the Health Information Privacy Division (HIP) to the Health Information Privacy, Data, and Cybersecurity Division (HIPDC).

The OCR’s caseload has multiplied in recent years, increasing to over 51,000 complaints in 2022.

There were approximately 33,660 related to health care. If you calculate this into 246 workdays (including vacation time), this equals to about 137 per day and 20 per hour! Of these, 717 were investigated, equating to nearly 3 per business day.

By the time you finish reading this blog you could be next!

Would the Office for Civil Rights open an investigation for:

  • Missing your Notice of Privacy Practices on your website, or missing a patient signature for it, probably not.
  • For an incorrect patient sign-in sheet, probably not.
  • Lack of no-surprise billing notice on your website, probably not.

Would the Office for Civil Rights open an investigation for:

  • Privacy complaint from a patient, YES.
  • Information blocking complaint from a patient, YES.
  • Report from a disgruntled employee, YES.

HOWEVER, one patient or disgruntled employee’s complaint opens the door for the OCR. Then, they will review ALL your HIPAA compliance efforts. Including the items listed above that they would not start an investigation with. With this new enforcement division, this has crossed a new threshold.

Is your practice at risk of being one of the three to be investigated tomorrow? The best way to avoid a HIPAA desk audit is through proper HIPAA documentation.

Most investigations can be avoided by supplying the OCR with proper documentation! How well do you trust yours?

If you are using our HIPAA Keeper™ 7-step system, you are well ahead of many other practices with HIPAA documentation. If you are not using our system, Click here to find out more how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

HIPAA Audits and Penalties May Increase

2023 HIPAA audits and penalties may increase since the Department of Health and Human Services (HHS) has delivered their annual report to congress. They noted there have been significant increases in HIPAA complaints and large breaches. They also noted that there have not been increases in appropriations during the same time frame. The Office for Civil Rights (OCR) requested that the HITECH civil monetary penalty caps be increased in the HHS FY 2023 Discretionary A-19 Legislative Supplement that was sent to Congress. Prepare for more HIPAA audits and higher penalties.

The Annual Report to Congress on Breaches of Unsecured Protected Health Information identifies the number and nature of breaches of unsecured protected health information (PHI) that were reported to the Secretary of HHS during calendar year 2021 and the actions taken in response to those breaches. It also highlights the continued need for regulated entities to improve compliance with the HIPAA Security Rule requirements, including:

  • risk analysis and risk management
  • information system activity review
  • audit controls
  • access controls

The OCR Director Melanie Fontes Rainer stated, “We will continue to provide guidance and technical assistance on compliance with the HIPAA Rules, as well as a vigorous enforcement program to address potential HIPAA violations.”

Enforcement Process

The OCR is in charge of enforcing the HIPAA Rules. They start my investigating written complaints and conducting reviews to determine if the covered entity or business associates failed to comply with the HIPAA Rules. The OCR will only act upon complaints that meet certain requirements. These include:

  1. The violation must occur after the HIPAA Rules have been required.
  2. The complaint must be filed against an entity that is required to adhere to the HIPAA Rules.
  3. The complaint must describe the activity that violated the HIPAA Rules.
  4. The complaint must be filed within 180 days of the occurrence. The OCR may waive this requirement if the individual shows good cause for being unable to file within the time frame requirement.

The OCR must determine whether the complaint is eligible for enforcement action. If the case is not within the OCR’s jurisdiction, the case will be closed. If the complaint is eligible for enforcement action, the OCR often provides technical assistance to resolve the case without further investigation.

In addition, OCR’s compliance activities include conducting audits and providing education and support with the HIPAA Rules. When necessary, the OCR has authority to issue subpoenas to encourage cooperation with an investigation.

The OCR may also initiate a compliance review investigation when they learn that the breach was caused by the covered entity’s business associate and open a compliance review of the business associate.

Compliance Reviews

The HIPAA Rules provide that the Secretary may open compliance review investigations of covered entities and business associates based on an event or incident brought to OCR’s attention, such as through the media, referrals from other agencies, or based upon patterns identified through multiple complaints alleging the same or similar violations against the same entity. Multiple complaints of the same or similar violations demonstrate systemic compliance deficiencies. These are typically investigated under one transaction for the purpose of achieving compliance.

Investigations

Once an investigation is initiated, the OCR will collect evidence through witness statements, interviews, requests for reports from the entity, and site visits. It is required by law that all entities involved must cooperate. If the event implicates criminal activity, the OCR may refer the complaint to the Department of Justice (DOJ). Keep in mind, if the DOJ declines the case, the OCR may review for potential civil violations and investigate the case.

Sometimes the OCR may determine there isn’t enough evidence to support the entity violated the HIPAA Rules. In these cases, the OCR will send a letter closing the case and explaining the results of the investigation.

In the cases where the OCR determines that the covered entity or business associate was not in compliance the OCR will generally try to resolve the case by obtaining voluntary compliance through corrective action which may include a resolution agreement.

Resolution Agreements

When the OCR discovers non-compliance due to willful neglect or where the scope and scope warrants additional enforcement action, the OCR will pursue a resolution agreement with a payment settlement amount. This also includes a corrective action plan (CAP). The OCR is willing to negotiate the terms of the resolution agreement and the payment amount may be reduced from the amount that they are actually liable for. The amount is based on the entity’s ability to pay, keep in mind, that may be quite different than what the entity thinks. Also, in most cases the resolution agreement includes the requirement to fix the issues and to be monitored for a period of time.

Civil Money Penalties (CMP)

If the entity involved is not able to reach a satisfactory agreement to resolve the issues or if the entity violates the resolution agreement, the OCR may pursue formal enforcement action. If a CMP is proposed the entity may request a hearing in which a Departmental administrative law judge decides if the CMP is warranted based on the evidence presented. Answering this is very important, if the entity does not request a hearing within 90 days of the OCR’s proposed determination, the OCR will issue a final determination and impose a CMP.

Audits

The HITECH Act requires HHS to perform periodic audits of covered entities and business associates to ensure they are compliant with the HIPAA Rules. These are known as random audits since they are not initiated by any incident.

The OCR did not initiate any audits in 2021 and is currently developing the criteria for implementing future audits.

What this means is… make sure your compliance efforts are documented and organized to ensure you will survive an audit without penalties.

If you are using our HIPAA Keeper™ 7-step system, you are well ahead of many other practices with HIPAA documentation. If you are not using our system, Click here to find out more how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Right of Access – Time limit on Medical Records Requests

When a patient or a patient’s representative requests a copy of medical records it is very important to act promptly. Currently you have 30 days to comply with this right of access request, and one 30-day extension (if you advise the patient/representative that you will need more time and you give them a date when they will be available). We expect this time frame to be reduced to 15 days, with one 15-day extension this year. The reason I can’t stress the importance of this enough is due to the fines that have been assessed for non-compliance. As of today, there have been 43 cases resolved under the OCR’s HIPAA Right of Access Initiative. Only a few fines were under $10K, most of the fines were upwards of $25K to $200K.

Another area that we must stress the importance of is disgruntled employees, patient complaints, and data breaches. Should your practice be investigated by the OCR because of ONE incident, they will investigate ALL areas of HIPAA compliance. It is important to stay on top of ALL areas. Don’t forget to review your website too!

One special note: If you use a Contact Us form on your website, you must use encryption on your website (https), to ensure the data transmitted is secure. Then you must review where these messages are delivered to and to which devices. Many website developers do not under the HIPAA rules and offer website features that may cause liability if not properly protected. Again, this also includes the devices utilized to receive the information and how this information is stored. If you do not receive very many of these messages, we recommend removing the liability.

In case you have not seen some examples of the fines, check out our Education Tab:

If you are using our HIPAA Keeper™ 7-step system, you are well ahead of many other practices with HIPAA documentation. If you are not using our system, Click here to find out more how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

HIPAA Proposed Changes for 2023

Happy New Year! As we look back on 2022, we noticed that the Office for Civil Rights (OCR) has really started enforcing the Patients Right of Access. To see a list of fines and resolutions agreements, check out our What are some of the actual HIPAA fines page. There are several proposed changes for HIPAA in 2023.

Here is a recap of what you need to be aware of:

1. Information Blocking – Information blocking is a practice by an “actor” that is likely to interfere with the access, exchange, or use of electronic health information (EHI). This rule was created to promote the flow of patient data between providers, patients, and the developers of Health IT. This included electronic health information (EHR) providers. If an actor is found to “block” the flow of information, they can receive up to a $1M fine. It is important to note that The Cures Act established two different “knowledge” standards for actors’ practices within the statute’s definition of “information blocking.” For health IT developers of certified health IT, as well as HIEs/HINs, the law applies the standard of whether they know, or should know, that a practice is likely to interfere with the access, exchange, or use of EHI. For healthcare providers, the law applies the standard of whether they know that the practice is unreasonable and is likely to interfere with the access, exchange, or use of EHI.

There are two categories of exceptions and eight exceptions to this rule.

Exceptions that involve not fulfilling requests to access, exchange, or use ePHI.

a. Preventing harm

b. Privacy

c. Security

d. Infeasibility

e. Health IT performance

Exceptions that involve procedures for fulfilling requests to access, exchange, or use ePHI.

f. Licensing

g. Fees

h. Content and manner

Although this is not enforced by the OCR, the HHS’ Office of the National Coordinator for Health Information Technology (ONC) is the agency that has authority to review claims of possible information blocking against health IT developers of certified health IT that may constitute a non-conformity under the ONC Health IT Certification Program. Separately, the HHS OIG has authority to investigate claims of possible information blocking across all types of actors: health care providers, health information networks and health information exchanges, and health IT developers of certified health IT.

Between April 5, 2021 and November 30, 2022, there have been 560 submissions for information blocking and only 43 that did not appear to be a claim of blocking.

Remember, when a patient requests their information to be shared, do not say no, make sure you check with your technology vendors to see if it would be possible.

2. Recognized Security Practices – This is known as the Safe Harbor Act that was passed into law to encourage medical practices and business associates to implement best practices for cybersecurity. Organizations that have completed their HIPAA Security Analysis, reduced their risks, and documented their security practices are looked upon more favorably during an investigation for a data breach. Keep in mind that penalties will not be increased if you have not completed this process. Penalties will remain as the standard permits and the entity’s ability to pay.

3. Charges for medical records – If your office charges for medical records, HIPAA requires your office to post these charges and to notify patients requesting records of the charges.

4. Hospitals must post clear and accessible pricing information online about items and services they provide in two ways. 1. As a comprehensive machine-readable file with all items and services. 2. In a consumer-friendly format that is shoppable.

5. Good Faith Estimates – All facilities must post the HHS Notice, “Right to Receive a Good Faith Estimate of Expected Charges,” on the provider’s or facility’s website, in the office, and onsite where scheduling or questions about the cost of items or service occur. The information must be prominently displayed and published in accessible formats and presumably available in languages spoken by the patient. 
The provider or facility must provide a good faith estimate of expected charges for items and services to an uninsured, self-pay individual, or an individual who does not wish file a claim with their insurance company.

6. No Surprise Billing aka as balance billing. Health care providers and facilities must provide an easy-to-understand notice explaining the applicable billing protections, who to contact if the patient has concerns that a provider or facility has violated the protections, and that patient consent is required to waive billing protections (patients must receive notice of and consent to being balance billed by an out-of-network provider). 

7. HIPAA updates for 2023 – There are many proposed changes, but the final dates and enforcement dates have yet to be determined. A few notable changes that have been proposed are:

a. Adding the right to inspect their PHI in person, permit taking notes, or taking pictures of their PHI

b. Reducing the covered entities time from 30 days to 15 days to a request for access to PHI. The covered entity will have an opportunity for an extension of no more that 15 calendar days (from the current 30 days extension)

c. Reducing the identity verification burden on individuals exercising their access rights

d. Specifying when electronic PHI (ePHI) must be provided to the individual at no charge

e. Requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy

f. Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their ‘‘professional judgment’’ with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual

g. Requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access

There are many others, and we are watching all of them. The effective date of a final rule will be 60 days after publication. Covered entities and their business associates would have until the ‘‘compliance date’’ to establish and implement policies and practices to achieve compliance with any new or modified standards. Except as otherwise provided, 45 CFR 160.105 provides that covered entities and business associates must comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change.

The Department previously noted that the 180-day general compliance period for new or modified standards would not apply where a different compliance period is provided in the regulation for one or more provisions.

The Department believes that compliance with the proposed modifications should require no longer than the standard 180-day period provided in 45 CFR 160.105, and thus proposes a compliance date of 180 days after the effective date of a final rule. Accordingly, OCR would begin enforcement of the new and revised standards 240 days after publication of a final rule.

Click here to find out more how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Scammers never sleep

Scammers are always busy trying different tactics to get to your wallet. During holidays is no different. Bad actors use the holidays and people’s goodwill to fool them into giving. Be careful of offers that are too good to be true, and only shop on reputable sites. Some emails look legitimate, and you must look closely at them to see that they are not. First look at the “from” email address, not just the name from whom it is coming from. The difference may be as subtle as a “.” in between the name or website address. Secondly you can view the message details and from there find where the email IP address originated from. In Outlook, click the three “…” in the upper right corner of the message, scroll down to “view”, then “view message details”. There are many IP lookup sites on the internet. Many of these scams are generated from overseas. As always, do not click on links in emails. Open your browser and search for the site or product from there.

Another method criminal target is through texts messages or voice mails. Again, do not click on links or call the number they send. Look it up! If it appears to be from your bank, call your bank. If it appears it is from your credit card company, call your card company. Our phones now are directly linked to our personal information and can be hacked as well.

The Social Security Administration warns people that fraudsters are calling/texting and asking people to verify information to receive the 2023 cost-of-living increase for people who receive benefits. The increase is automatic and does not need to be verified. Please advise everyone you know that receive these benefits, especially the elderly who fall for these scams. Remind them, scammers typically say there is a problem with their account (social security, missed jury notice, credit card, etc.) and will try to pressure them to act immediately. Then you must pay in a specific manner, and sometimes will want to remain on the line while making the transaction. Even if this means driving to a store to buy gift cards.

If you receive a questionable call, text, or email, hang up or don’t respond and report it at oig.ssa.gov/report. Scammers frequently change their methods with new tactics and messages to trick people. Stay up to date on the latest news and advisories by following SSA’s Office of the Inspector General on LinkedInTwitter, and Facebook or subscribing to receive email alerts.

Click to learn how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

HIPAA Requirements for Online Tracking from OCR

The Office for Civil Rights (OCR) has issued a bulletin to remind covered entities and business associates of their obligations under HIPAA when using online tracking technology. These technologies include but are not limited to Google Analytics, Meta Pixel, Cookies, and QR codes.

Cover entities regularly share electronic protected health information (ePHI) with some of these tracking vendors. Some may be doing so in violation of HIPAA. Regulated entities are not permitted to use tracking technologies in a manner that would result in unauthorized disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.

Tracking technologies are used to collect and analyze information about how patients interact with websites and/or mobile applications (“apps”). If a covered entity or business associate utilizes a technology partner to analyze interactions or to disclose tracking information as part of their health care operations, the HIPAA rules will apply when the information that is collected contains protected health information (PHI). If your organization collects sensitive information with an online tracking vendor, such sharing may be considered impermissible disclosures. Another example of a HIPAA violation would be disclosures of PHI to a tracking company for marketing purposes without a patient’s authorization.

Tracking technology is a script or code on a website or mobile app that is used to gather information about users as they interact with the website or mobile app. Then it is analyzed by owners of the website or mobile app. Some third parties may also be used to analyze the data to create insights about users’ online activities. These insights could be used in beneficial ways. Such as to help improve care or the patient experience. However, this tracking information could also be misused and cause identity theft, stalking, and harassment.

Disclosures include a variety of information that is shared through tracking technologies on a website or mobile app. Including individually identifiable health information (IIHI) that the individual provides when they use websites or mobile apps. This information could include a patient’s medical record number, home or email address, or dates of services, as well as an individual’s IP address or geographic location, or medical device IDs. All such IIHI collected on a website or mobile app generally is PHI, even if the individual does not have an existing relationship with the entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services. This is because, when an entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the entity and thus relates to the individual’s past, present, or future health or health care or payment for care.

Covered entities and business associates may have user-authenticated webpages, which require a patient to log in before they are able to access the webpage, such as a patient portal or a telehealth platform. Tracking technologies on an entity’s user-authenticated webpages generally have access to PHI. Tracking technologies within user-authenticated webpages may even have access to an individual’s diagnosis and treatment information, prescription information, billing information, or other information within the portal. A regulated entity must configure any user-authenticated webpages that include tracking technologies to allow technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule and must ensure that the electronic protected health information (ePHI) collected through its website is protected and secured in accordance with the HIPAA Security Rule. Hence, why it is so important to only work with website companies that are familiar with the HIPAA rules.

Tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a covered entity or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI. In these circumstances, regulated entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement (BAA) with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules. If a patient makes an appointment through the website of a covered entity and that website uses third party tracking technologies, then the website might automatically transmit information regarding the appointment and the individual’s IP address to a tracking technology vendor. In this case, the tracking technology vendor is a business associate, and a BAA is required. The BAA must specify the vendor’s permitted and required uses and disclosures of PHI and provide that the vendor will safeguard the PHI and report any security incidents, including breaches of unsecured PHI to the covered entity. The tracking technology vendor must implement administrative, physical, and technical safeguards in accordance with the Security Rule (encrypting ePHI that is transmitted to the tracking technology vendor; enabling and using appropriate authentication, access, encryption, and audit controls when accessing ePHI maintained in the tracking technology vendor’s infrastructure) to protect the ePHI.

Cover entities may also have webpages that do not require users to log in before the patient can access the information on a webpage, these are considered unauthenticated webpages. This may include general information about the practice or business like their location, services they provide, or their policies and procedures. Tracking technologies on unauthenticated webpages generally do not have access to PHI. Then a regulated entity’s use of such tracking technologies is not regulated by the HIPAA Rules. If tracking technologies on unauthenticated webpages have access to PHI, then the HIPAA Rules apply.

Examples of unauthenticated webpages where the HIPAA Rules apply include:

  • The login page of a patient portal (which may be the website’s homepage or a separate, dedicated login page), or a user registration webpage where an individual creates a login for the patient portal, generally are unauthenticated because the individual did not provide credentials to be able to navigate to those webpages.
  • However, if the individual enters credential information on that login webpage or enters registration information (name, email address) on that registration page, such information is PHI. Therefore, if tracking technologies on a regulated entity’s patient portal login page or registration page collects an individual’s login information or registration information, that information is PHI and is protected by the HIPAA Rules.
  • Tracking technologies on an unauthenticated webpage that addresses specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI in certain circumstances. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the covered entity is disclosing PHI to the tracking technology vendor, and therefore, the HIPAA Rules apply.

Mobile apps that help patients manage their health information or pay bills collect a variety of information that is provided by the app user. This includes information typed or uploaded into the app, as well as information provided by the app user’s device, such as fingerprints, network location, geolocation, device ID, or advertising ID. This information is PHI, and the regulated entity must comply with the HIPAA Rules for any PHI that the mobile app uses or discloses. Any subsequent disclosures to the mobile app vendor, tracking technology vendor, or any other third party who receives such information may also be considered PHI. The HIPAA Rules apply to any PHI collected by a covered entity through a mobile app used by patients to track health-related variables. Such as heartrate monitoring or menstrual cycle, body temperature, etc.

Patients that voluntarily download or enter their information into mobile apps that are not developed or offered by regulated entities, regardless of where the information came from do not have to follow the HIPAA Rules. For example, the HIPAA Rules do not apply to health information that a patient enters in a mobile app offered by an entity that is not regulated by HIPAA (even if the individual obtained that information from their medical record created by a regulated entity). In instances where the HIPAA Rules do not apply to such information, other laws may apply. For instance, the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule (HBNR) may apply in instances where a mobile health app impermissibly discloses a user’s health information.

Again, covered entities and business associates are required to comply with the HIPAA Rules when using tracking technologies. The HIPAA rules include the HIPAA Privacy, Security, and Breach Notification requirements. Ensuring that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that the minimum necessary rule is followed.

Websites may advise the use of tracking technology in the website privacy policy or terms of use, but the Privacy Rule does not permit disclosure of PHI to tracking technology vendors based on this notice. Website banners asking patients to accept cookies or other tracking technology does not constitute a HIPAA authorization. If the technology vendor is not a business associate of the covered entity, then a patient authorization is required BEFORE the PHI is disclosed to the vendor. Any disclosure of PHI to the vendor without a patients’ authorization requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure. If a covered entity does not want to create a business associate relationship with these vendors, or the chosen tracking technology vendor will not provide written satisfactory assurances in the form of a BAA that it will appropriately safeguard PHI, then the entity cannot disclose PHI to the vendors without a patient authorization.

A regulated entity’s failure to comply with the HIPAA Rules may result in a civil money penalty. Therefore, moving forward it will be necessary to ensure your business partners are HIPAA compliant.

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://hipaakeeper.com/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Can a Medical Practitioner be sued for a HIPAA Violation or a Data Breach?

With so many data breaches in the news many medical practitioners are asking if they can be sued over HIPAA violations or from a data breach.

HIPAA rules state there is no private right of action, therefore, a patient cannot sue for a HIPAA violation. With that said, it is possible if there were privacy violations under state law, legal action may be taken. All states have their own set of privacy laws that encompasses more than just the healthcare sector. State privacy laws vary from state to state and define what is considered private information. HIPAA and state laws require covered entities to secure protected health information (PHI) with administrative, physical, and technical safeguards. Business associates and subcontractors are required to do the same.

If a patient wants to file a lawsuit, the patient must be able to prove negligence and damage caused harm by the violation or data breach. The Omnibus Rule removed the harm threshold when it came to covered entities reporting data breaches, but a patient has the right to claim harm. On another note, if a patient joins a class action lawsuit, it may make a stronger case. However, many class action lawsuits are filed based on the exposure to future harm. Without evidence of harm this may reduce the case. This can be a costly endeavor and patients should consider this and review what they hope to gain before taking legal action. Keep in mind, this is not a quick lawsuit. In the end, there is no guarantee of any monetary gain for the patient.

Many times, the practice can discuss the issues with the patient and avoid legal action altogether. It is recommended that if a practice has a disgruntled patient, the HIPAA privacy officer should talk to the patient if given the opportunity. Sometimes, an upset patient merely wants to be heard. Depending on the circumstances, the practice may be required to report the incident to the Department of Health and Human Services Office for Civil Rights (OCR).

If a patient feels as though their protected health information has been violated, they do have the right to file a complaint with the OCR. The complaint from the patient must be filed within 180 days of the incident. In some cases, an extension may be permitted. The complaint is reviewed to determine if it is justifiable. If it is, then the OCR will contact the practice and try to resolve the issue in the most suitable manner. This may include technical assistance, a resolution agreement, and/or ongoing compliance documentation. The average investigation timeline for a data breach takes 1½ – 2 years. Of course, for more complex breaches, it may take even longer. The outcome of the investigation will depend on the severity and nature of the violation, if this was a repeated offense, and the number of patients affected. Depending on the documentation of the incident and how it was handled, a practice may be able to avoid a desk audit. Remember, if it’s not documented, it does not exist. The patient may also file a complaint with the State Attorney General. Some complaints are referred to the Department of Justice (DOJ) if the investigation results in criminal violations. I hope this helps you to understand how important it is to keep patient data secure, and the documentation that demonstrates your efforts. If you have any questions on data security, how to handle a patient complaint, or how to handle a security incident, we are here to help.

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

©2025 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC