Healthcare Data Privacy

Meta Facing Further Class Action Lawsuit Over Use of Meta Pixel Code on Hospital Websites

Meta is facing another class action lawsuit over the unlawful collection and sharing of health data without consent. The lawsuit was filed in the Northern District of California on behalf of a plaintiff, Jane Doe. The lawsuit alleges Meta and its companies, including Facebook, have been collecting the sensitive health data of millions of patients without obtaining express consent and have used the information to serve individuals with targeted advertisements.

Jane Doe was a patient of UCSF Medical Center and Dignity Health Medical Foundation and claims her sensitive health information was unlawfully obtained by Meta when she entered the information into the UCSF Medical Center online patient portal. UCSF Medical Center had added Meta Pixel code to the web pages of the patient portal. Meta Pixel is a snippet of JavaScript code that is used to track website visitors. The code records and transmits to Meta the web pages that a user visits. If the code is present on a web page with a form, such as those used to book appointments, the selections from drop-down boxes are recorded and transmitted. Those selections could indicate a patient’s medical condition or why an appointment has been booked.
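The exposure described above, as an added example (not code from the article, Meta or the hospitals named): a Python audit that looks for the publicly documented Meta Pixel markers on an HTML page and lists any forms with drop-down fields that share that page with the pixel. The two sample pages are constructed, and the loader script in the first is a simplified stand-in for Meta's install snippet.

```python
"""Audit an HTML page for Meta Pixel markers and for forms whose drop-down
selections the pixel could capture.

Added example, not code from the HIPAA Journal article, Meta, or UCSF.
The sample pages are constructed; the markers checked (the fbevents.js
loader, the fbq() call and the <noscript> image beacon to facebook.com/tr)
are the publicly documented parts of Meta's install snippet."""
from html.parser import HTMLParser

PIXEL_LOADER = "connect.facebook.net/en_US/fbevents.js"  # script the snippet loads
PIXEL_BEACON = "facebook.com/tr"                        # <noscript> image fallback


class PixelAudit(HTMLParser):
    """Collects pixel evidence plus every <form> and its <select> fields."""

    def __init__(self):
        super().__init__()
        self.markers = []          # human-readable evidence strings
        self.forms = []            # [{"action": str, "selects": [field names]}]
        self._script_buf = None    # body of the <script> currently open, if any
        self._form = None          # the <form> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script_buf = []
            if PIXEL_LOADER in a.get("src", ""):
                self.markers.append(f"script src={a['src']}")
        elif tag == "img" and PIXEL_BEACON in a.get("src", ""):
            self.markers.append(f"noscript beacon img src={a['src']}")
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "selects": []}
        elif tag == "select" and self._form is not None:
            self._form["selects"].append(a.get("name", "<unnamed>"))

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data; buffer them.
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf)
            if PIXEL_LOADER in body or "fbq(" in body:
                self.markers.append("inline pixel bootstrap (fbevents.js loader / fbq() call)")
            self._script_buf = None
        elif tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def audit_page(html):
    """Return pixel presence, the evidence found, and the forms with <select>
    fields that share the page with the pixel (the exposure the article describes)."""
    p = PixelAudit()
    p.feed(html)
    p.close()
    exposed = [f for f in p.forms if f["selects"]] if p.markers else []
    return {"pixel_present": bool(p.markers), "markers": p.markers,
            "forms": p.forms, "exposed_forms": exposed}


# Constructed sample: an appointment-booking page with the pixel installed.
# The loader below is a simplified stand-in for Meta's install snippet.
PORTAL_WITH_PIXEL = """<html><head>
<script>
(function(){var t=document.createElement('script');t.async=true;
t.src='https://connect.facebook.net/en_US/fbevents.js';document.head.appendChild(t);})();
fbq('init', 'PIXEL_ID_PLACEHOLDER');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
 src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&noscript=1"/></noscript>
</head><body>
<form action="/portal/appointments/book" method="post">
 <select name="reason"><option>Annual check-up</option><option>Oncology follow-up</option></select>
 <select name="provider"><option>Dr. Example</option></select>
 <input type="text" name="notes">
</form>
</body></html>"""

# Constructed sample: the same booking form served without any tracking code.
PORTAL_WITHOUT_PIXEL = PORTAL_WITH_PIXEL.split("</head>")[1].replace("<body>", "<html><body>")


if __name__ == "__main__":
    for label, page in (("with pixel", PORTAL_WITH_PIXEL), ("without pixel", PORTAL_WITHOUT_PIXEL)):
        r = audit_page(page)
        print(f"{label}: pixel_present={r['pixel_present']}, exposed_forms={len(r['exposed_forms'])}")
        for m in r["markers"]:
            print("  evidence:", m)
        for f in r["exposed_forms"]:
            print(f"  form {f['action']} exposes selects: {', '.join(f['selects'])}")
```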

One of the targeted Facebook adverts served to Jane Doe. Source: Jane Doe v. Meta Platforms, Inc. F/K/A Facebook, Inc., UCSF Medical Center, and Dignity Health Medical Foundation.

Jane Doe said she has been a user of Facebook since 2012 and alleges her privacy has been violated, as her information was collected and used without her consent. The information entered on the form was used by Meta to serve her with targeted advertisements related to her medical condition. The lawsuit alleges a violation of HIPAA, as neither UCSF Medical Center nor Dignity Health Medical Foundation had entered into a business associate agreement with Meta or Facebook, and at no point did Meta, Facebook, or the hospitals obtain consent or inform patients that their information was being provided to Meta to deliver targeted advertisements.

Under HIPAA, healthcare providers are permitted to disclose an individual’s protected health information to another HIPAA-covered entity or a third-party vendor for reasons related to treatment, payment, or healthcare operations, and in such cases, consent is not required from the patient. Most other disclosures require a HIPAA-covered entity to enter into a business associate agreement with the third party prior to any disclosure of PHI, and consent is required from the individuals whose PHI is disclosed.

There is no private right of action in HIPAA, so it is not possible for individuals to sue their healthcare providers for HIPAA violations, but there are often equivalent federal and state laws that do have a private right of action. In this case, the lawsuit makes sixteen claims including common law invasion of privacy – intrusion upon seclusion, invasion of privacy, breach of contract, breach of implied contract, unjust enrichment, and violations of the California Constitution, California Confidentiality of Medical Information Act (CMIA), California Business and Professions Code, California Invasion of Privacy Act, the Comprehensive Computer Data Access and Fraud Act, and the Federal Wiretap Act.

The lawsuit alleges the plaintiff and class members have suffered damage and loss as a result of the conduct of the defendants, which has deprived the plaintiff and class members of control of their valuable property, the ability to obtain compensation for their data, the ability to withhold their data from sale, and that the violations have resulted in irreparable and incalculable harm and injuries. The lawsuit seeks damages and injunctive and equitable relief.

The lawsuit makes similar allegations to another lawsuit filed against Meta, in that case by plaintiff John Doe, who was a patient of MedStar Health in Maryland. The Markup recently conducted an investigation into the sharing of healthcare data with Meta/Facebook via Meta Pixel on hospital websites and found that 33 of the top 100 hospitals in the United States had the Meta Pixel code on their websites, and 7 hospitals had the code installed on their patient portals behind logins, yet consent to share data was not obtained.

The post Meta Facing Further Class Action Lawsuit Over Use of Meta Pixel Code on Hospital Websites appeared first on HIPAA Journal.

June 2022 Healthcare Data Breach Report

June 2022 saw 70 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) – two fewer than May and one fewer than June 2021. Over the past 12 months, from July 2021 to June 2022, 692 large healthcare data breaches have been reported and the records of 42,431,699 individuals have been exposed or impermissibly disclosed. The past two months have seen data breaches reported at well over the 12-month average of 57.67 breaches a month.

The past 6 months have seen data breaches reported at similar levels to the second half of 2021 (345 in 1H 2022 v 347 in 2H 2021), but data breaches are down 6.25% from the first half of 2021 (368 in 1H 2021 v 345 in 1H 2022).

Healthcare data breaches in the past 12 months

For the third successive month, the number of exposed or compromised records has increased. In June, 5,857,143 healthcare records were reported as breached. That is the highest monthly total so far in 2022. June saw 32.48% more records breached than the previous month and 65.64% more than the monthly average over the past 12 months.

While huge numbers of healthcare records are being breached, fewer records were breached in the first half of 2022 than were breached in either the first half or the second half of 2021. In 1H 2022, 20,191,930 records were breached – 26.84% fewer than the 27,600,651 records breached in 1H 2021 and 9.2% fewer than the 22,239,769 records breached in 2H 2021.

Breached healthcare records in the past 12 months

Largest Healthcare Data Breaches Reported in June 2022

There were 31 reported breaches of 10,000 or more healthcare records in June – the same number as May 2022 – two of which affected more than 1.2 million individuals. Several healthcare providers submitted breach reports in June 2022 due to the ransomware attack on the HIPAA business associate, Eye Care Leaders. At least 37 healthcare providers are now known to have been affected by that ransomware attack and more than 3 million records are known to have been exposed in the attack.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Location of Breached Information | Cause of Breach |
|---|---|---|---|---|---|
| Texas Tech University Health Sciences Center | TX | Healthcare Provider | 1,290,104 | Other | Eye Care Leaders ransomware attack |
| Baptist Medical Center | TX | Healthcare Provider | 1,243,031 | Network Server | Ransomware attack |
| MCG Health, LLC | WA | Business Associate | 793,283 | Network Server | Unspecified hacking and data theft incident |
| Yuma Regional Medical Center | AZ | Healthcare Provider | 737,448 | Network Server | Ransomware attack |
| Stokes Regional Eye Centers | SC | Healthcare Provider | 266,170 | Network Server | Eye Care Leaders ransomware attack |
| Spectrum Eye Physicians | CA | Healthcare Provider | 175,000 | Network Server | Eye Care Leaders ransomware attack |
| 90 Degree Benefits, Inc. | WI | Business Associate | 172,450 | Network Server | Unspecified hacking incident |
| Michigan Avenue Immediate Care | IL | Healthcare Provider | 144,104 | Network Server | Unspecified hacking and data theft incident |
| Mattax Neu Prater Eye Center, Inc. | MO | Healthcare Provider | 92,361 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Sight Partners Physicians, P.C. | WA | Healthcare Provider | 86,101 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Clinivate LLC | CA | Business Associate | 77,652 | Network Server | Unspecified hacking incident – No information publicly released |
| Kaiser Foundation Health Plan of Washington | WA | Healthcare Provider | 69,589 | Email | Compromised email account |
| Carolina Eyecare Physicians, LLC | SC | Healthcare Provider | 68,739 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Precision Eye Care, Ltd. | MO | Healthcare Provider | 58,462 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Resolute Health Hospital | TX | Healthcare Provider | 54,239 | Network Server | Ransomware attack |
| Aloha Laser Vision | HI | Healthcare Provider | 43,263 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Center for Sight, Inc. | MA | Healthcare Provider | 41,041 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| McCoy Vision Center | AL | Healthcare Provider | 33,930 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Chesapeake Eye Center PA | MD | Healthcare Provider | 32,770 | Network Server | Eye Care Leaders ransomware attack |
| Kevin Wolf, DPM d/b/a Goldsboro Podiatry | NC | Healthcare Provider | 30,669 | Network Server | Unspecified hacking incident |
| Long Vision Center | TX | Healthcare Provider | 29,237 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Foxhall Ob Gyn Associates | DC | Healthcare Provider | 27,000 | Other | No information |
| Alabama Eye & Cataract, P.C. | AL | Healthcare Provider | 26,000 | Network Server | Eye Care Leaders ransomware attack |
| Lori A. Harkins MD, P.C. dba Harkins Eye Clinic | NE | Healthcare Provider | 23,993 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| DialAmerica Marketing, Inc. | NJ | Business Associate | 19,796 | Network Server | Unspecified hacking incident |
| Central Florida Inpatient Medicine | FL | Healthcare Provider | 19,625 | Email | Compromised email account |
| Yale New Haven Hospital | CT | Healthcare Provider | 19,496 | Other | Data exposed on a public-facing website |
| Cherry Creek Eye Physicians and Surgeons, P.C. | CO | Healthcare Provider | 17,732 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Bayhealth Medical Center, Inc. | DE | Healthcare Provider | 17,481 | Network Server | Ransomware attack on business associate (Professional Finance Company) |
| Kernersville Eye Surgeons, P.C. | NC | Healthcare Provider | 13,412 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Phelps County Regional Medical Center d/b/a Phelps Health | MO | Healthcare Provider | 12,602 | Network Server | Data breach at business associate (MCG Health) |

Causes of June 2022 Healthcare Data Breaches

As the above table shows, ransomware attacks on healthcare organizations continue to be reported in high numbers. 20 of the 31 breaches affecting 10,000 or more individuals have been confirmed as involving ransomware. When these attacks occur at business associates they can affect many different HIPAA-covered entities. As mentioned, the Eye Care Leaders ransomware attack has affected at least 37 eye care providers, and a ransomware attack on Professional Finance Company affected 657 of its healthcare provider clients.

There is no sign that ransomware attacks on healthcare providers will slow. This month, CISA has warned the health and public health sector that North Korean state-sponsored hackers are known to be targeting the sector and are using ransomware for extortion.

Hacking incidents continue to dominate the breach reports, with all but two of the top 31 breaches involving hacking. 81% of the month’s breaches were reported as hacking/IT incidents, and across those 57 incidents, the records of 5,784,009 individuals were breached – 98.75% of all the breached records in June. The average breach size was 101,474 records and the median breach size was 12,602 records.

There were 6 unauthorized access/disclosure data breaches reported involving 59,224 records. The average breach size was 9,871 records and the median breach size was 5,672 records. 5 loss/theft incidents were reported (4 x theft, 1 x loss) involving 12,184 records. The average breach size was 2,437 records and the median breach size was 1,126 records. Finally, there were two improper disposal incidents reported, both of which involved paper/films. In total, 1,726 records were exposed as a result of those incidents.

Causes of June 2022 healthcare data breaches

Location of Breached Protected Health Information

The bar graph below shows where the breached information was stored. The high number of network server breaches indicates the extent to which hackers are attacking healthcare organizations. Many of these attacks involved ransomware. Most data breaches reported by healthcare providers do not involve electronic health records, which are separate from other systems. The high number of breaches involving EHRs is due to the ransomware attack on Eye Care Leaders, which provides electronic medical record systems to eye care providers.

Location of breached PHI (June 2022)

Data Breaches by HIPAA-Regulated Entity Type

Healthcare providers were the worst affected HIPAA-covered entity in June, accounting for 55 data breaches of 500 or more records, with 4 data breaches reported by health plans. Business associates of HIPAA-covered entities self-reported 11 data breaches; however, 29 data breaches occurred at business associates but were reported by the affected covered entity rather than the business associate.

Taking this into account, the breakdown of the month’s data breaches by HIPAA-regulated entity type is shown in the chart below.

June 2022 Healthcare Data Breaches - HIPAA-regulated entity type

Geographic Distribution of Breached Entities

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 29 states and the District of Columbia.

| State | Number of Data Breaches |
|---|---|
| Washington | 5 |
| California, New Jersey, North Carolina, Ohio, South Carolina, Texas, & Virginia | 4 |
| Alabama, Missouri, Nebraska, & New York | 3 |
| Delaware, Illinois, Kansas, Maryland, Michigan, Pennsylvania, Tennessee, & the District of Columbia | 2 |
| Arizona, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Massachusetts, Mississippi, & Wisconsin | 1 |

HIPAA Enforcement Activity in June 2022

There were no HIPAA enforcement actions announced by the OCR or state attorneys general in June; however, OCR announced this month (July) that a further 12 HIPAA penalties have been imposed, 11 of which were for violations of the HIPAA Right of Access.

The post June 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

FTC Committed to Enforcing Laws Preventing the Illegal Use and Sharing of Location and Sensitive Health Data

The Department of Health and Human Services’ Office for Civil Rights enforces the HIPAA Rules, which restrict uses and disclosures of healthcare data by HIPAA-covered entities and business associates of those entities. When entities are not covered by HIPAA, privacy violations and illegal uses and disclosures of sensitive consumer data are policed by the Federal Trade Commission (FTC). The FTC recently announced in a blog post that it is fully committed to enforcing the law against illegal uses and sharing of highly sensitive data.

Some of the most sensitive categories of data collected by connected devices are a person’s precise location and information about their health. Currently, those sensitive types of information are collected by fitness trackers, smartphone apps, browsers, and other connected software and devices, and that information is combined with other data and is monetized and sold to third parties, often without the knowledge of the individuals to whom the data relates.

“The conversation about technology tends to focus on benefits. But there is a behind-the-scenes irony that needs to be examined in the open: the extent to which highly personal information that people choose not to disclose even to family, friends, or colleagues is actually shared with complete strangers,” said Kristin Cohen, Acting Associate Director, FTC Division of Privacy & Identity Protection. “These strangers participate in the often shadowy ad tech and data broker ecosystem where companies have a profit motive to share data at an unprecedented scale and granularity.”

Location data is collected by connected devices, even when those devices are not being used. That data can reveal where individuals work, sleep, socialize, worship, and seek medical treatment. “While many consumers may happily offer their location data in exchange for real-time crowd-sourced advice on the fastest route home, they likely think differently about having their thinly-disguised online identity associated with the frequency of their visits to a therapist or cancer doctor,” said Cohen. “The marketplace for this information is opaque and once a company has collected it, consumers often have no idea who has it or what’s being done with it. After it’s collected from a consumer, data enters a vast and intricate sales floor frequented by numerous buyers, sellers, and sharers.”

Since the SCOTUS ruling that overturned Roe v. Wade, these data collection and sharing practices have faced even greater scrutiny due to the potential for the collection and misuse of location data and information related to personal reproductive matters, such as through the use of products that are used for reproductive cycle tracking, monitoring fertility, overseeing contraceptive use, and even for targeting women considering abortion.

In terms of the latter, Cohen explained that this is not just a theoretical risk. In 2017, Copley Advertising, LLC settled a case with the Massachusetts Attorney General over its use of geolocation technology to identify when people passed through a digital fence around a clinic offering abortion services. Those individuals were then served targeted advertisements offering alternatives to abortion. The FTC also recently settled a case with Flo Health over the sharing of the sensitive data of users of its period and fertility tracking app with Google and Facebook, when the company had told users that the information collected by the app would remain private and confidential.

Cohen explained that the misuse of location and any health data exposes consumers to significant harm, and can place consumers at risk of phishing attacks, extortion, physical and emotional injury, discrimination, stigma, mental anguish, and other significant harms. “The Commission is committed to using the full scope of its legal authorities to protect consumers’ privacy,” said Cohen. “We will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data.”

Cohen warned companies that collect sensitive consumer information to be aware that the information is protected under many federal and state laws, including laws enforced by the FTC such as the FTC Act which prohibits unfair and deceptive trade practices. The FTC also enforces the Safeguards Rule, the Health Breach Notification Rule, and the Children’s Online Privacy Protection Rule.

Companies that claim they anonymize or aggregate consumer data should be on guard that such claims could be considered a deceptive trade practice. If found to be untrue, those practices would be in violation of the FTC Act. Cohen said the FTC is cracking down on companies that misuse consumer data and has recently taken action against several companies for using location data without consent, improperly collecting and retaining sensitive data, and failing to respect consumer requests to delete sensitive data.

The post FTC Committed to Enforcing Laws Preventing the Illegal Use and Sharing of Location and Sensitive Health Data appeared first on HIPAA Journal.

Oklahoma State University Settles HIPAA Case with OCR for $875,000

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has announced that Oklahoma State University – Center for Health Sciences (OSU-CHS) has agreed to settle a HIPAA investigation stemming from a web server hacking incident and has agreed to pay a financial penalty of $875,000 to resolve potential violations of the HIPAA Privacy, Security, and Breach Notification Rules.

OSU-CHS is a public land-grant research university that provides preventive, rehabilitative, and diagnostic care in Oklahoma. OCR launched a HIPAA investigation after receiving a breach report on January 5, 2018, in response to the hacking of an OSU-CHS web server. OSU-CHS determined that malware had been installed on the server which allowed the hacker(s) to access the electronic protected health information of 279,865 individuals.

The information exposed and potentially obtained by an unauthorized third party included names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. OSU-CHS initially declared that the data breach occurred on November 7, 2017; however, it was later reported that the hackers first had access to the ePHI of patients 20 months earlier, on March 9, 2016.

OCR investigators determined OSU-CHS had potentially violated the following provisions of the HIPAA Rules:

  • Impermissible disclosure of the ePHI of 279,865 individuals – 45 C.F.R. § 164.502(a)
  • Failure to conduct a comprehensive and accurate organization-wide risk analysis – 45 C.F.R. § 164.308(a)(1)(ii)(A)
  • Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI – 45 C.F.R. § 164.308(a)(8)
  • Failure to implement audit controls – 45 C.F.R. § 164.312(b)
  • A security incident response and reporting failure – 45 C.F.R. § 164.308(a)(6)(ii)
  • Failure to provide timely breach notification to affected individuals – 45 C.F.R. § 164.404
  • Failure to provide timely breach notification to the Secretary of the HHS – 45 C.F.R. § 164.408

In addition to the financial penalty, OSU-CHS has agreed to implement a corrective action plan to resolve all areas of non-compliance identified by OCR and will be closely monitored for compliance with the corrective action plan and the HIPAA Rules for two years. The case was settled with no admission of liability or wrongdoing.

“HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems,” said OCR Director Lisa J. Pino. “Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements.”

This is the fifth financial penalty to be imposed by OCR in 2022 to resolve HIPAA violations, and the 111th penalty to be imposed since OCR was given the authority to fine HIPAA-regulated entities for HIPAA violations.

The post Oklahoma State University Settles HIPAA Case with OCR for $875,000 appeared first on HIPAA Journal.

Data Brokers and Health Apps Probed Over Privacy Practices

On Friday, the House Committee on Oversight and Reform announced that a probe has been initiated to determine how data brokers and health app companies are collecting and selling individuals’ personal reproductive health data. The probe was initiated as a result of the SCOTUS decision that overturned Roe v. Wade, as members of the committee were concerned that the personal data of individuals seeking reproductive healthcare services may be misused.

Rep. Carolyn B. Maloney, Chairwoman of the Committee on Oversight and Reform, Rep. Raja Krishnamoorthi, Chairman of the Subcommittee on Economic and Consumer Policy, and Rep. Sara Jacobs, wrote to five data brokers (SafeGraph, Digital Envoy, Placer.ai, Gravy Analytics, Babel Street) and five health app companies (Flo Health, Glow, BioWink, GP International, and Digitalchemy Ventures) requesting documentation on how personal reproductive care information is collected and sold.

Huge amounts of personal data are now being collected and sold, often without the knowledge of individuals. The information is used to serve individuals targeted advertisements and for other purposes. There is concern that the collection and sale of this information may put the health, safety, and privacy of Americans and healthcare providers at risk.

“The collection of sensitive data could pose serious threats to those seeking reproductive care as well as to providers of such care, not only by facilitating intrusive government surveillance, but also by putting people at risk of harassment, intimidation, and even violence,” explained the Committee members. “Geographic data collected by mobile phones may be used to locate people seeking care at clinics, and search and chat history referring to clinics or medication create digital breadcrumbs revealing interest in an abortion.”

The Committee Members cited a study published in JMIR – Privacy, Data Sharing, and Data Security Policies of Women’s mHealth Apps: Scoping Review and Content Analysis – which found that 20 of the 23 most popular women’s health apps, which include reproductive health apps, were sharing user data with third parties, even though just 52% of those apps obtained consent from users. The study found that most women’s mHealth apps had poor data privacy, sharing, and security standards.

There is concern that data from health apps, especially period trackers, could be used to identify women who have had abortions. Data brokers are known to sell users’ location data, including the location data of individuals who have visited healthcare clinics that provide abortions. Recently Google announced that it will further improve privacy protections by automatically deleting the location data from Google accounts related to visits to healthcare providers that provide sensitive healthcare services, but Google is not the only company that records location data.

The data brokers and health app providers have been given until July 21, 2022, to respond and provide the requested data.

The post Data Brokers and Health Apps Probed Over Privacy Practices appeared first on HIPAA Journal.

President Biden Signs Executive Order to Protect Access to Reproductive Healthcare Services

President Biden has signed an executive order that aims to protect access to reproductive healthcare services following the SCOTUS ruling that overturned Roe v. Wade, which gave women the constitutional right to make their own reproductive healthcare decisions almost 50 years ago.

“These deeply private decisions should not be subject to government interference. Yet today, fundamental rights — to privacy, autonomy, freedom, and equality — have been denied to millions of women across the country,” said President Biden.

The SCOTUS ruling did not ban abortions in the United States; instead, it has been left to individual states to determine the legality of abortions. Several states have already banned or severely restricted abortion care for state residents, which has threatened access to reproductive care for millions of Americans. 16 states have either banned or mostly banned abortions, with those laws taking effect within a month, and a further 6 states are expected to introduce bans imminently or in the near future. Clinics that provide abortions in the states that have already introduced bans have been forced to close, which not only prevents access to abortion care, but also to other reproductive healthcare services including contraception.

In response to the SCOTUS Ruling, the Federal Government has taken steps to protect reproductive healthcare services. “It remains the policy of my Administration to support women’s right to choose and to protect and defend reproductive rights. Doing so is essential to justice, equality, and our health, safety, and progress as a Nation,” said President Biden.

The executive order calls for the Secretary of the Department of Health and Human Services to identify potential actions to protect access to reproductive healthcare services. These include protecting and expanding access to abortion care and the full range of reproductive healthcare services, taking actions to enhance family planning services such as access to emergency contraception, and identifying ways to increase outreach and education about access to reproductive healthcare services.

Biden has called for the Secretary of the HHS to provide further guidance on HIPAA and other statutes to better protect sensitive data related to reproductive health care services. The HHS has already issued guidance on how HIPAA applies to disclosures of reproductive healthcare information and guidance for individuals on how they can protect the privacy of their health information. The HHS should also, in conjunction with the Attorney General, FTC, and Department of Justice, consider how they can address deceptive or fraudulent practices related to reproductive healthcare services. In conjunction with the Gender Policy Council, the HHS should establish an Interagency Task Force on Reproductive Healthcare Access.

President Biden is concerned that extremist state governors and others may attempt to obtain sensitive data from individuals’ phones, such as if they may be seeking access to abortion care. “Right now, when you use a search engine or the app on your phone, companies collect your data and sell it to other companies. They even share it with law enforcement,” said Biden. Biden has called upon the Chair of the Federal Trade Commission to take steps to better protect the privacy of individuals who seek information about and the provision of reproductive healthcare services.

The Attorney General and the Secretary of Homeland Security have been told to consider actions under current laws that can be taken to ensure the safety of patients, providers, and third parties, and protect the security of clinics (including mobile clinics), pharmacies, and other entities providing, dispensing, or delivering reproductive and related healthcare services.

A fact sheet has been issued by the White House that summarizes the executive order.

The post President Biden Signs Executive Order to Protect Access to Reproductive Healthcare Services appeared first on HIPAA Journal.

Senators Call for HIPAA Privacy Rule Change to Prohibit Disclosures of Reproductive Health Care Information to Law Enforcement

The HHS’ Office for Civil Rights has recently issued guidance to healthcare organizations following the overturning of Roe v. Wade by the SCOTUS Dobbs v. Jackson Women’s Health Organization ruling, which removed the right to abortion at the federal level and allowed states to set their own laws. The guidance explained how the HIPAA Privacy Rule permits disclosures of protected health information – including reproductive health care information – to law enforcement but does not require such disclosures. OCR explained in the guidance when such disclosures of reproductive health care information would be considered HIPAA violations under the HIPAA Privacy Rule.

Two U.S. senators – Michael F. Bennet (D-CO) and Catherine Cortez Masto (D-NV) – recently wrote to the Secretary of the Department of Health and Human Services, Xavier Becerra, calling for the HHS to go further and make an update to the HIPAA Privacy Rule to ensure that the private and confidential health information of patients seeking reproductive healthcare is better protected.

“The [SCOTUS] decision has created profound uncertainty for patients concerning their right to privacy when making the deeply personal decision to have an abortion,” explained the senators in the letter. “We write to urge the Department of Health and Human Services (HHS) to take immediate steps to protect the privacy of Americans receiving reproductive health care services by updating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.”

The senators pointed out that at the time HIPAA was signed into law in 1996, Roe v. Wade had already upheld the right to abortion for more than two decades, and when the Privacy Rule was added to HIPAA in 2000, it was unthinkable that Roe v. Wade would be overturned two decades later. The senators praised the efforts of the HHS in issuing prompt guidance on the privacy of medical information relating to abortion and other sexual and reproductive health care and also for issuing guidance to consumers on protecting health information on mobile devices but believe that the HHS needs to go further.

“We urge HHS to immediately begin the process to update the Privacy Rule, following all requirements under the Administrative Procedure Act, to clarify who is a covered entity and to limit when that entity can share information on abortion or other reproductive health services,” explained the senators. The senators specifically requested the HHS clarify that reproductive health care information cannot be shared with law enforcement agencies who target individuals who have an abortion, and have requested the HHS rule that Pregnancy Care Centers (aka Crisis Pregnancy Centers) are required to comply with the HIPAA Privacy Rule.

“Following the Supreme Court’s decision in Dobbs, millions of Americans have lost a fundamental constitutional right to make their own health and reproductive decisions. We must do all that we can to protect their fundamental right to privacy,” concluded the senators.

The post Senators Call for HIPAA Privacy Rule Change to Prohibit Disclosures of Reproductive Health Care Information to Law Enforcement appeared first on HIPAA Journal.

Google Announces New Measures to Protect User Privacy on Healthcare Matters

Google has announced that it will be taking steps to improve privacy protections for users of its services. Google has long advocated for a comprehensive, national privacy law covering consumer data to ensure there is consistency across the entire country, rather than relying on a patchwork of state-level privacy laws. The recently introduced American Data Privacy and Protection Act (ADPPA) could establish such a national privacy law, but until ADPPA or equivalent consumer data privacy regulations are signed into law, Google said it has taken additional steps to protect user privacy, especially for health-related issues.

Google confirmed that location history is turned off in Google accounts by default, but if users choose to activate location history, they can auto-delete or manually delete parts or all of their location data at any time. However, to further protect privacy, Google has added a new auto-delete feature that will be rolled out in the next few weeks. If Google detects a user has visited certain medical facilities that offer sensitive medical services, the entries will be automatically deleted from the user’s location history soon after the visit.

Those locations include:

  • Abortion clinics
  • Domestic violence shelters
  • Counseling centers
  • Fertility centers
  • Addiction treatment facilities
  • Weight loss clinics
  • Cosmetic surgery centers

Google Play policies prohibit app developers from selling personal and sensitive user data, require developers to handle data only for purposes directly related to the use of the app, and require any data collected to be handled securely. A new data safety section has now been added that developers can use to tell app users how their apps collect, share, and secure user data.

Users of Google Fit and Fitbit have access to tools that allow them to easily access and control their personal data, including the option to change or delete their tracking data as they see fit. “Fitbit users who have chosen to track their menstrual cycles in the app can currently delete menstruation logs one at a time, and we will be rolling out updates that let users delete multiple logs at once,” explained Google.

Google has also clarified its position regarding law enforcement demands for user data. “We take into account the privacy and security expectations of people using our products, and we notify people when we comply with government demands, unless we’re prohibited from doing so or lives are at stake — such as in an emergency situation,” explained Google in a recent blog post. “We remain committed to protecting our users against improper government demands for data, and we will continue to oppose demands that are overly broad or otherwise legally objectionable.”

The post Google Announces New Measures to Protect User Privacy on Healthcare Matters appeared first on HIPAA Journal.

Senators Question Mental Health App Providers About Privacy and Data Sharing Practices

Senators Ron Wyden (D-OR), Elizabeth Warren (D-MA), and Cory Booker (D-NJ) have written to two leading mental health app providers and demanded answers about their data collection and sharing practices.

There have been multiple reports that the mental health apps provided by Talkspace and BetterHelp are collecting, mining, and disseminating private client information to third parties, including big tech firms such as Google and Facebook. During the COVID-19 pandemic, the use of mental health apps grew rapidly. The apps offered an alternative to traditional face-to-face therapy, with the app developers themselves marketing the apps as a cost-effective alternative to traditional therapy.

While therapists may be required to comply with the Health Insurance Portability and Accountability Act (HIPAA), mental health apps fall into a gray area and are not generally covered under HIPAA, which means that the restrictions on uses and disclosures of protected health information under the HIPAA Privacy Rule do not apply to many mental health apps.

Users of those apps may not understand that any information collected, stored, or transmitted through the apps may be shared with third parties. Consumers may mistakenly believe that HIPAA applies to these apps because, if the same data were collected by a healthcare provider – a HIPAA-covered entity – the information would be classed as protected health information and the HIPAA Rules would apply. However, most app developers, including mental health app developers, are not HIPAA-covered entities and are generally not even business associates. The developers of those apps should explain clearly in their privacy policies any uses or disclosures of users’ information, but privacy policies are often unclear.

“We have long been concerned about the misuse of personal data by Big Tech companies and unscrupulous data brokers, especially for the purpose of microtargeting vulnerable populations,” explained the Senators in their letter to BetterHelp and Talkspace. “Unfortunately, it appears possible that the policies used by your company and similar mental health platforms allow third-party Big Tech firms and data brokers, who have shown remarkably little interest in protecting vulnerable consumers and users, to access and use highly confidential personal and medical information.”

Earlier this year, researchers at Consumer Reports’ Digital Lab investigated 7 mental health apps, including the apps provided by Talkspace and BetterHelp. Using specially programmed Android devices, the researchers tracked which third-party companies received data from the apps and checked whether privacy settings were on or off by default. The researchers found that the apps behaved like many other consumer apps, and shared unique IDs associated with individual smartphones which can be used by big tech companies to track what people do across many different apps. When combined with other data, users can be served targeted ads.

An investigation in February 2020 found BetterHelp was sharing analytics data with Facebook, which included how many times the app was opened and metadata from every message, including data on how long and where users were accessing mental health services. Former employees of Talkspace claimed that treatment transcripts were viewed as a data resource to be mined, and individual users’ anonymized conversations were routinely reviewed and mined for insights to help the company with research and marketing tactics.

The Senators have raised concerns about the use of anonymized data, as that information could be combined with other data to identify individuals. The Senators referred to a 2019 study that found anonymized data that included only a zip code, gender, and date of birth would allow an individual to be identified in 81% of cases.
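The re-identification risk the senators describe can be measured directly on a dataset: the fraction of records whose (zip code, gender, date of birth) combination is unique is the fraction that an auxiliary dataset with the same fields would pin to exactly one person. The following Python is an added example on constructed records, not code or data from the 2019 study or the senators' letter; it computes that fraction and the dataset's k-anonymity, and shows how coarsening the quasi-identifiers lowers the risk.

```python
from collections import Counter

# Constructed "de-identified" export: names stripped, but the three
# quasi-identifiers named in the study are left intact. Not real people.
RECORDS = [
    {"zip": "94110", "gender": "F", "dob": "1984-03-12", "diagnosis": "anxiety"},
    {"zip": "94110", "gender": "F", "dob": "1984-03-12", "diagnosis": "insomnia"},
    {"zip": "94110", "gender": "M", "dob": "1979-07-01", "diagnosis": "depression"},
    {"zip": "94117", "gender": "F", "dob": "1990-11-30", "diagnosis": "ptsd"},
    {"zip": "94117", "gender": "F", "dob": "1990-05-02", "diagnosis": "anxiety"},
    {"zip": "94118", "gender": "M", "dob": "1975-01-20", "diagnosis": "addiction"},
    {"zip": "94118", "gender": "M", "dob": "1975-09-09", "diagnosis": "depression"},
    {"zip": "10001", "gender": "F", "dob": "2001-02-14", "diagnosis": "anxiety"},
]
QI = ("zip", "gender", "dob")  # quasi-identifiers an outside dataset may also hold


def quasi_key(rec, fields):
    return tuple(rec[f] for f in fields)


def group_sizes(records, fields):
    """How many records share each quasi-identifier combination."""
    return Counter(quasi_key(r, fields) for r in records)


def unique_fraction(records, fields):
    """Share of records whose combination is unique: each of these could be
    linked to one named person by anyone holding the same fields."""
    sizes = group_sizes(records, fields)
    unique = sum(1 for r in records if sizes[quasi_key(r, fields)] == 1)
    return unique / len(records)


def k_anonymity(records, fields):
    """Smallest group size: every record hides among at least k-1 others."""
    return min(group_sizes(records, fields).values())


def generalize(rec):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth year only."""
    return {**rec, "zip": rec["zip"][:3], "dob": rec["dob"][:4]}


if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    print("raw:    unique", unique_fraction(RECORDS, QI), "k", k_anonymity(RECORDS, QI))
    print("coarse: unique", unique_fraction(coarse, QI), "k", k_anonymity(coarse, QI))
```

Even after generalization some records remain unique (k stays 1), which is why a release policy should check k on the actual data rather than assume that dropping names is enough.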

The senators have asked both companies questions about the types of data collected, the extent of data sharing with third parties, the methods used to protect clients’ information, and how potential clients and current users are informed about the privacy policies and the risks associated with sharing data. The companies have been given until July 6, 2022, to respond.

The post Senators Question Mental Health App Providers About Privacy and Data Sharing Practices appeared first on HIPAA Journal.