HIPAA Compliance News

What Happens if You Violate HIPAA?

Posted by HIPAA Journal

What happens if you violate HIPAA depends on the nature and consequences of the violation, the motive for the violation, and whether you knew – or should have known – that the violation was indeed a violation. What happens if you violate HIPAA can also depend on if or how the violation is identified.

To help explain the many different factors that can influence what happens when you violate HIPAA, we will use as an example a healthcare employee who shares their EHR login credentials in the belief that a junior colleague wants to access a patient´s file in order to phone the patient´s family with an update.

If the junior colleague only uses the login credentials to obtain a phone number and phone the patient´s family with an update – and the patient has not objected to this information being shared with their family – no harm has occurred and there has been no impermissible use or disclosure of PHI.

Nonetheless, although the motive for sharing the EHR login credential is well meaning (and the healthcare employee does not have to stop what they are doing to retrieve the information for the colleague), the action is a violation of HIPAA because each member of the workforce must be assigned a unique user identifier to track user activity when they have access to PHI (§164.312).

What Happens if You Violate HIPAA Like This?

This will depend on whether the violation is identified, how it is identified, and whether either party knew that sharing login credentials is a violation of HIPAA. Possibly one of the worst outcomes from the event is that it is not identified because this may lead to further compliance shortcuts being taken which – if unchecked – could lead noncompliance becoming a “cultural norm”.

If the violation is identified by a senior employee or an alert member of the IT team, it will likely be reported to the compliance officer. What happens then depends on whether either employee has been told that sharing login credentials is a violation of HIPAA via HIPAA training. If so, both could face sanctions depending on the consequences of the violation.

The consequences of the violation can vary between no harm occurring at all to an impermissible disclosure of PHI if, for example, the message was left with a non-family member due to a lack of identity verification. The latter example could lead to the patient making a compliant to the healthcare facility or HHS´ Office for Civil Rights (OCR).

If a complaint is made to OCR, and the agency decides to conduct a compliance review, the consequences could consist of a corrective action plan to prevent login credentials being shared in the future; or, if the violation was attributable to a lack of training, the review could escalate to a full investigation – during which other areas of non-compliance may be identified.

If other areas of non-compliance are identified, the consequences of a well-meaning action could result in the healthcare facility being issued with a civil monetary penalty. Further civil monetary penalties could be issued by a State Attorney General or by a civil court if the impermissible disclosure of PHI resulted in the patient suffering personal harm (i.e., identity theft).

Criminal Penalties for Sharing Passwords in Violation of HIPAA

In addition to sanctions, the healthcare worker and the junior colleague could also face criminal penalties if their employer has a policy prohibiting the sharing of login credentials. This is because “a person who knowingly […] uses or causes to be used a unique health identifier […] shall be considered to have obtained or disclosed individually identifiable health information without authorization” – an offence under §1177 of the Social Security Act.

In this case, the healthcare worker “caused” the login credentials to be used by sharing them with the junior colleague, while the junior colleague “used” them. It is also important that the employer has a policy prohibiting the sharing of login credentials, otherwise the two employees could claim they did not do so knowingly (in which case, the employer could be sanctioned by OCR for failing to conduct a risk assessment and develop policies prohibiting password sharing).

The criminal penalties for sharing passwords in violation of HIPAA depend on the motive for knowingly and wrongfully disclosing individually identifiable health information. Just doing it could, in theory, attract a fine of up to $50,000 and a jail sentence of up to a year. In the event that the junior colleague obtained the patients health information and disclosed it someone else, they could receive:

  • A fine of up to $100,000 and up to five years in jail if the offense was committed under false pretenses, or
  • A fine of up to $250,000 and up to ten years in jail if the offense was committed to sell, transfer, or use the PHI for commercial advantage, personal gain, or malicious harm.

While it might seem this is an extreme example of what happens if you violate HIPAA, it is important to be aware the laws exist that enable these consequences to transpire. Therefore, it is important for HIPAA Covered Entities and Business Associates to conduct comprehensive risk assessments, develop policies to mitigate risks from all foreseeable threats, and train all members of the workforce on the policies. Thereafter, it is important for workforces to comply with the policies.

What Happens if You Violate HIPAA? FAQs

Do other types of HIPAA violations have the same consequences?

All violations of HIPAA that contravene an employer´s HIPAA policies will likely attract sanctions, while those that result in a complaint being made to OCR could result in enforcement action. Violations that involve the knowing and wrongful disclosure of PHI have to be notified by a Covered Entity to OCR, who then review the case and refer it to the Department of Justice.

Is it only Security Rule violations that attract sanctions?

No. While the scenario above relates to a Security Rule violation, the violation of any Privacy Rule policy that results in the knowing and wrongful disclosure of PHI could have the same outcome. The important consideration is whether a policy exists to explain it is a violation, and that the workforce has been informed of the policy – and the sanctions for violating the policy – via HIPAA training.

Why do Covered Entities have to notify violations to OCR?

Under the Breach Notification Rule, Covered Entities have to notify OCR (and affected individuals) when there has been an impermissible disclosure of unsecured PHI. A knowing and wrongful disclosure of PHI qualifies as an impermissible disclosure of unsecured PHI because the Covered Entity has no control over how the disclosed PHI will be further used or disclosed.

Why might a patient complain if they have consented to family members being contacted?

If the patient has consented to family members being contacted, but individually identifiable health information is disclosed to a third party, the patient could complain the disclosure is a violation of their privacy rights. Consequently, it is important healthcare professionals verify the identity of the person they are speaking with before disclosing Protected Health Information.

Has anybody ever been jailed for violating HIPAA?

Yes. The following links are just a few examples of employees receiving custodial sentences for impermissibly obtaining and disclosing Protected Health Information.

The post What Happens if You Violate HIPAA? appeared first on HIPAA Journal.

Avalon Healthcare Settles HIPAA Case with Oregon and Utah State AGs and Pays $200,000 Penalty

Posted by HIPAA Journal

Avalon Healthcare has agreed to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws with the Oregon and Utah Attorneys General that were uncovered during an investigation of a 2019 breach of the personal and protected health information of 14,500 of its employees and patients.

Avalon Healthcare is part of the Avalon Health Care Group and provides skilled nursing, therapy, senior living, assisted living, and other medical services throughout Oregon, Utah, California, Nevada, Washington, and Hawaii. In July 2019, an employee responded to a phishing email and disclosed credentials that allowed an email account to be accessed by unauthorized individuals. The account contained sensitive information such as names, addresses, Social Security numbers, dates of birth, driver’s license numbers, medical treatment information, and some financial information. It took 10 months from the date of the breach for the incident to be reported to the HHS and state attorneys general, and for affected individuals to be notified.

Oregon Attorney General Ellen Rosenblum and Utah Attorney General Sean Reyes launched an investigation into the data breach that focused on the email security practices at Avalon Healthcare and compliance with the HIPAA Security and Breach Notification Rules and state data breach notification statutes. The HIPAA Breach Notification Rule requires notifications to be issued about breaches of protected health information without undue delay and no more than 60 days from the date of the breach. In Oregon, data breach notifications must be issued in the most expeditious manner, and no later than 45 days after the date of discovery of the breach. The investigation uncovered potential violations of the Oregon Unlawful Trade Practices Act and HIPAA with respect to breach notifications and data security. Avalon Healthcare agreed to settle the case to avoid further controversy and expense.

Under the terms of the settlement, Avalon Healthcare has agreed to comply with the requirements of state laws and HIPAA and will develop, implement, and maintain an information security program that includes reasonable data security practices to ensure all personal information and protected health information is adequately protected. An individual will be designated as having overall control of the information security program and a HIPAA compliance officer will be appointed. The information security program will include logging and monitoring of the network, multi-factor authentication, email filtering, and at least twice-yearly security awareness training for the workforce. Security awareness training must cover phishing and social engineering, and include phishing simulation exercises. Avalon Healthcare has also agreed to develop, implement, maintain, and test a data incident response plan and to implement and maintain a risk assessment and risk management program. Avalon Healthcare will also revise its email data retention policies to ensure that data is only kept in email accounts for as long as there is a legal basis to retain the information and all emails containing PHI will be encrypted.

In addition to the commitment to compliance with HIPAA and state laws, Avalon Healthcare will pay a $200,000 financial penalty, which will be split equally between the Oregon and Utah state attorneys general and will be used to pay for legal fees, investigation costs, and the future enforcement of compliance with HIPAA and state laws.

“Companies, like Avalon, that retain consumers’ protected health information, have a duty to keep this data safe from unauthorized access,” said Attorney General Rosenblum. “Avalon dealt with the personal health-related information of some of our most vulnerable residents. Close to 2,000 Oregonians assumed—incorrectly—their information was safe with Avalon. Data breaches continue to be a problem in Oregon, and we are committed to working with companies to make sure they have the highest data privacy safeguards in place.”

The post Avalon Healthcare Settles HIPAA Case with Oregon and Utah State AGs and Pays $200,000 Penalty appeared first on HIPAA Journal.

November 2022 Healthcare Data Breach Report

Posted by HIPAA Journal

November was a relatively quiet month for healthcare data breaches with 31% fewer breaches reported than the previous month. November’s total of 49 breaches of 500 or more records was also well below the 12-month average of 58 breaches a month. 643 healthcare data breaches have been reported to the HHS’ Office for Civil Rights so far in 2022, which makes this year the second worst year to date for healthcare data breaches.

Despite the fall in reported breaches, the number of breached records increased by 10% from October. November was the worst month of 2022 in terms of the number of breached healthcare records, with 6,904,441 records exposed or impermissibly disclosed – Well above the 12-month average of 3.99 million records a month. So far in 2022, 44,852,648 healthcare records have been breached.

Largest Healthcare Data Breaches in November

17 breaches of 10,000 or more records were reported to OCR in November, five of which involved more than half a million records and three incidents involved the impermissible disclosure of more than 1 million records. The largest data breach was a hacked network server at the Pennsylvania-based business associate Connexin Software – A provider of electronic medical records to pediatric practices. An unauthorized individual gained access to an offline set of patient data that was used for data conversion and troubleshooting. The records of 2,216,365 patients were exposed and potentially stolen.

The Indiana-based healthcare provider, Community Health Network, reported an impermissible disclosure of the protected health information of up to 1.5 million patients. Tracking code had been added to its website that resulted in patient information being transferred to third parties such as Meta and Google, without obtaining consent from patients or having a business associate agreement in place. Several healthcare providers have reported similar breaches this year, prompting OCR to issue a warning to HIPAA-regulated entities this month over the use of tracking technologies on websites and mobile applications.

Doctors’ Center Hospital in Puerto Rico suffered a ransomware attack that exposed the protected health information of up to 1,195,220 patients. Major ransomware attacks were also reported by the Michigan-based prosthetics and orthotics provider, Wright & Filippis, and Health Care Management Solutions in West Virginia.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Data Breach
Connexin Software, Inc. PA Business Associate 2,216,365 Hacking/IT Incident Hacking of network server
Community Health Network, Inc. as an Affiliated Covered Entity IN Healthcare Provider 1,500,000 Unauthorized Access/Disclosure Website tracking code transmitted PHI to third parties
Doctors’ Center Hospital PR Healthcare Provider 1,195,220 Hacking/IT Incident Ransomware attack
Wright & Filippis LLC MI Healthcare Provider 877,584 Hacking/IT Incident Ransomware attack
Health Care Management Solutions, LLC WV Business Associate 500,000 Hacking/IT Incident Ransomware attack on subcontractor of CMS business associate
Gateway Rehabilitation Center PA Healthcare Provider 130,000 Hacking/IT Incident Hacking of network server
Mena Regional Health System AR Healthcare Provider 84,814 Hacking/IT Incident Hacking of network server
Dallam Hartley Counties Hospital District TX Healthcare Provider 69,835 Hacking/IT Incident Hacking of network server (data theft confirmed)
Consumer Directed Services in Texas, Inc. TX Healthcare Provider 56,728 Hacking/IT Incident Hacking incident at a business associate
Stanley Street Treatment and Resources, Inc. MA Healthcare Provider 45,785 Hacking/IT Incident Hacking of network server (data theft confirmed)
South Walton Fire District FL Healthcare Provider 25,331 Hacking/IT Incident South Walton Fire District
Rosenfeld VanWirt, PC PA Business Associate 18,719 Hacking/IT Incident Hacking incident affecting multiple affiliates of the Lehigh Valley Health Network
CCA Health Plans of California, Inc d/b/a CCA Health CA CA Health Plan 14,631 Hacking/IT Incident Hacking of network server (data theft confirmed)
CareFirst Administrators MD Health Plan 14,538 Hacking/IT Incident Phishing attack on business associate
Work Health Solutions CA Healthcare Provider 13,157 Hacking/IT Incident Phishing attack
New York-Presbyterian Hospital NY Healthcare Provider 12,000 Hacking/IT Incident Hacking of network server
Epic Management LLC TN Healthcare Provider 10,862 Hacking/IT Incident Unauthorized email account access

Causes of November Data Breaches

All but one of the 17 data breaches of 10,000 or more records were due to hacking incidents, several of which were ransomware attacks. Many hacking incidents involve ransomware, although it is common for HIPAA-regulated entities not to disclose the exact nature of these attacks. It is therefore difficult to determine the extent to which ransomware is used in cyberattacks on the healthcare industry. 5,374,670 records were exposed or stolen in these hacking incidents – 77.8% of all records breached in November. The average breach size was 134,367 records and the median breach size was 7,158 records.

There were 8 unauthorized access/disclosure incidents reported that involved the records of 1,521,788 individuals. The majority of those records were impermissibly disclosed by one healthcare provider. The average breach size was 190,224 records and the median breach size was 2,275 records.  There was also one theft incident reported involving the records of 7,983 individuals. In the majority of reported incidents, the breached protected health information was located on network servers. There were also 7 incidents involving breaches of email data, and four incidents involving electronic health records.

HIPAA-Regulated Entities Affected by Data Breaches

Healthcare providers were the worst affected entities in November, with 26 reported breaches, one of which occurred at a business associate but was reported by the healthcare provider. 6 data breaches were reported by health plans, with one of those breaches occurring at a business associate. Business associates self-reported 17 breaches in November. The pie chart below shows the breakdown of data breaches based on where they occurred, rather than the entities reporting the data breaches.

Healthcare Data Breaches by State

Data breaches were reported by HIPAA-regulated entities in 18 states and Puerto Rico. Pennsylvania was the worst affected state with 12 breaches, which involved 34.8% of the month’s breached records. 10 of those breaches were due to a hacking incident involving healthcare providers that are part of the Lehigh Valley Health Network. HIPAA-regulated entities in California reported 6 breaches, but these were relatively minor, only involving the protected health information of 41,382 patients.

State Breaches
Pennsylvania 12
California 6
Florida & New York 4
Texas 3
Arkansas, Connecticut, Indiana, Maryland, Massachusetts & Tennessee 2
Georgia, Michigan, New Jersey, Nevada, Oregon, Washington, West Virginia, and Puerto Rico 1

HIPAA Enforcement Activity in November

No civil monetary penalties or settlements were announced by OCR in November. Even so, 2022 has seen more HIPAA enforcement actions than in any other year since OCR was given the authority to enforce HIPAA compliance. The majority of the financial penalties in 2022 have been imposed for violations of the HIPAA right of access, and 55% of the year’s enforcement actions over HIPAA violations were on small healthcare providers.

In November, the state of Massachusetts announced that Aveanna Healthcare had been fined $425,000 for a breach of the PHI of 166,000 individuals, 4,000 of whom were Massachusetts residents. Aveanna Healthcare had suffered a phishing attack, with the Massachusetts Attorney General discovering a lack of safeguards such as multi-factor authentication and security awareness training.

The post November 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

HHS Proposes New Rule to Implement HIPAA Standards for Healthcare Attachments and Electronic Signatures

Posted by HIPAA Journal

The Secretary of the Department of Health and Human Services (HHS) has proposed a new rule that will require the adoption of standards for healthcare attachments transactions and electronic signatures used in conjunction with those transactions to support healthcare claims and prior authorization transactions. The new rule will implement the requirements of the Administrative Simplification Requirements of HIPAA and the Affordable Care Act and will apply to all health plans, healthcare clearinghouses, and healthcare providers that currently lack an efficient, uniform method of sending attachments.

Currently, when making coverage decisions about healthcare services, health plans often require additional information that cannot be added to the specified fields or data elements of the adopted prior authorization request or healthcare claims transaction. Currently, this information is sent through the mail or by fax and is subject to manual processes that consume considerable time and resources. At present, there are no adopted HIPAA standards, implementation guides, or operating rules covering healthcare attachments or electronic signatures. The proposed rule will support electronic transmissions of this type of information.

“We believe that the health care industry has long anticipated the adoption of a set of HIPAA standards for the electronic exchange of clinical and administrative data to support electronic health care transactions, such as prior authorization of services and claims adjudication, and the standards we are proposing to adopt are an important step in reducing provider burden,” explained the HHS.

The Administrative Simplification Rules of HIPAA called for standard-setting organizations (SSOs) to develop standard code sets for electronic healthcare transactions, and some of these have previously been implemented as part of the Transactions and Code Sets final rule. A rule was also proposed in 2005 – The HIPAA Administrative Simplification: Standards for Electronic Health Care Claims Attachments; Proposed Rule – that required the adoption of standards for health care claims attachment standards for specific service areas, including ambulance services, clinical reports, emergency department, laboratory results, medications, and rehabilitation services; however, based on the comments received, the HHS chose not to finalize that rule.

The American Hospital Association (AHA) has announced its support for the proposed rule and the adoption of a new HIPAA standard for attachments and electronic signatures, as this will ease the burden on providers,/ Currently, the lack of a HIPAA standard for attachment transactions slows down claims processing, leading to delays to payments and patient care, and contributes to provider burnout. “The AHA supports establishing a standard for attachments to reduce the administrative burdens facing clinicians, and we look forward to providing robust commentary after analyzing the rule’s specifics,” said Terrence Cunningham, AHA director of administrative simplification policy.

The proposed rule is scheduled to be published in the Federal Register on December 21, 2022. Comments on the proposed rule must be submitted by March 21, 2022.

The post HHS Proposes New Rule to Implement HIPAA Standards for Healthcare Attachments and Electronic Signatures appeared first on HIPAA Journal.

Florida Primary Care Provider Fined $20,000 for HIPAA Right of Access Violation

Posted by HIPAA Journal

The Orlando, FL-based primary care provider, Health Specialists of Central Florida Inc. (HSCF), has paid a $20,000 financial penalty to settle a HIPAA Right of Access case with the HHS’ Office for Civil Rights.

OCR launched an investigation in response to a November 22, 2019, complaint from a woman who had not been provided with a copy of her deceased father’s medical records. The initial request was made in writing on August 29, 2019, and an Authorization for Release of Medical Record Information form was provided to HSCF along with a copy of the original Letters of Administration. It took multiple requests and almost 5 months for all of the requested medical records to be provided. The complete set of records was received by the woman on January 27, 2020.

The HIPAA Right of Access requires healthcare providers to provide a copy of the requested medical records within 30 days of the request being submitted. In certain circumstances, a 30-day extension is applicable. OCR determined that the delay in providing the requested records was a violation of the HIPAA Right of Access. In addition to paying a $20,000 financial penalty, HSCF has agreed to undertake a corrective action plan, which involves developing, implementing, and maintaining HIPAA Privacy Rule policies and procedures concerning the HIPAA Right of Access, distributing those policies and procedures to staff members, and providing training on those policies and procedures. HSCF will also be monitored by OCR for a period of two years from the date of the settlement.

“The right of patients to access their health information is one of the cornerstones of HIPAA, and one that OCR takes seriously. We will continue to ensure that health care providers and health plans take this right seriously and follow the law,” said OCR Director, Melanie Fontes Rainer, announcing the settlement. “Today’s announcement speaks to the importance of accessing information and regulated entities taking steps to implement procedures and workforce training to ensure that they are doing all they can to help patients access.”

The HIPAA Right of Access enforcement initiative was launched by OCR in the fall of 2019. Since then, $2,423,650 has been paid by healthcare providers to resolve HIPAA Right of Access violations in 42 enforcement actions. The fines range from $3,500 to $240,000.

The post Florida Primary Care Provider Fined $20,000 for HIPAA Right of Access Violation appeared first on HIPAA Journal.

OCR Fines California Dental Practice for PHI Disclosures on Yelp

Posted by HIPAA Journal

The HHS’ Office for Civil Rights (OCR) has announced a settlement has been reached with a Californian dental practice to resolve multiple HIPAA violations that were identified during investigations of a complaint about impermissible disclosures of protected health information on the review platform Yelp.

New Vision Dental is a Californian general dental practice with offices in South Pasadena and Glendora. On November 29, 2017, OCR received a complaint alleging Dr. Brandon Au, owner and CEO of New Vision Dental, had posted responses to several reviews by patients on Yelp and frequently disclosed protected health information in the responses. In some of the posts, patients were identified and their full names were disclosed, when they had chosen to only use a moniker on the platform. Other information allegedly posted by Dr. Au included detailed information about the patients’ visits, treatment, and insurance, when that information had not been posted publicly by the patients.

The investigation into the impermissible disclosures also included an on-site visit to New Vision Dental. OCR’s investigators were able to confirm that Dr. Au had impermissibly disclosed the protected health information of patients on multiple occasions on Yelp, that the practice did not have the required content in its Notice of Privacy Practices, and had not implemented appropriate policies and procedures concerning protected health information, including the release of protected health information on social media platforms and in public places.

New Vision Dental chose to settle the case and paid a $23,000 financial penalty, has agreed to adopt a corrective action plan to address the aspects of non-compliance identified by OCR, and will be subject to monitoring by OCR for a period of two years.

“This latest enforcement action demonstrates the importance of following the law even when you are using social media.  Providers cannot disclose [the] protected health information of their patients when responding to negative online reviews. This is a clear NO.,” said OCR Director, Melanie Fontes Rainer. “OCR is sending a clear message to regulated entities that they must appropriately safeguard patients’ protected health information. We take complaints about potential HIPAA violations seriously, no matter how large or small the organization.”

This is the 21st financial penalty to be imposed by OCR in 2022 to resolve HIPAA violations – more than in any other year since OCR was given the authority to enforce HIPAA compliance.

The post OCR Fines California Dental Practice for PHI Disclosures on Yelp appeared first on HIPAA Journal.

Telehealth Websites are Transmitting Sensitive Health Information to Big Tech Firms

Posted by HIPAA Journal

The private information of visitors to telehealth websites is being shared with big tech companies without user consent due to the use of tracking code snippets on the websites, according to a recent analysis by The Markup.

The websites of 50 direct-to-consumer telehealth companies were analyzed for the presence of third-party tracking code, 49 of which were found to have tracking code that transmitted the information of visitors to third parties, including Meta/Facebook and Google.

The study follows on from an analysis of the websites of the top 100 hospitals in the United States in the summer, which revealed one-third were using tracking code on their websites that was sending data to third parties without consent, valid HIPAA authorizations, or business associate agreements. In a handful of cases, the tracking code was added behind password-protected patient portals.

The latest study of telehealth websites included sites that collect highly sensitive information from visitors, such as the personal and health information of people suffering from Substance Abuse Disorder (SAD) who are seeking treatment. In many cases, the answers to medical questionnaires were also sent to big tech firms from questions relating to that health conditions, medical histories, and drug use.

The report, jointly published by The Markup and STAT, found that 49 of the 50 sites studied transmitted the URLs that an individual had visited, with 35 sites also transferring personal information such as email addresses, phone numbers, and full names. 19 sites recorded and transmitted when the user-initiated checkout, 13 sites sent the answers to questionnaires to third parties, 11 sites sent data confirming when the user had added an item to their cart (such as a treatment plan), and 9 sites transferred the date the user created the account.

The 13 sites that sent questionnaire data were of particular concern, as the answers were to health questions. That information was sent to a variety of companies, including Meta, Google, TikTok, Bing, Snap, Twitter, LinkedIn, and Pinterest. 25 sites told big tech firms when a user had added an item such as a prescription medication to their cart or checked out with a treatment plan.

All but one of the 50 websites transferred the URLs that a user had visited on the site. The websites provide health and treatment information, so the information detailed on certain pages may be for a specific health complaint. That information is then tied to an individual or a household via an IP address. Amazon Clinic was the only website that did not share website data with third parties.

Potential HIPAA Violations

Healthcare providers are HIPAA-covered entities and disclosures of protected health information are restricted by the HIPAA Privacy Rule. SUD information is also subject to the 45 CFR Part 2 Confidentiality of Substance Use Disorder (SUD) Patient Records regulations. Recently, the HHS’ Office for Civil Rights published guidance for HIPAA-regulated entities that confirmed that the use of third-party tracking code on websites violates HIPAA if that tracking code collects and transfers protected health information (PHI) to third parties unless the third party qualifies as a business associate under HIPAA. In such cases, a HIPAA-compliant business associate agreement is required before the code can be used. If a third party is not a business associate, HIPAA-compliant patient authorizations are required before that code can be used.

HIPAA applies to healthcare providers, health plans, healthcare clearing houses, and business associates of those entities, but many of the telehealth sites studied operate in a gray area, as the websites are not run by HIPAA-regulated entities or SUD treatment providers, therefore the HIPAA and Part2 regulations do not apply, even though the data collected is the same data that would be classed as PHI or SUD records if collected by a covered entity.

The information collected through these websites is passed on to HIPAA-covered entities and entities covered by Part 2, but the websites themselves are intermediaries and are therefore not bound by HIPAA or the Part 2 regulations. For example, one website run by Cerebral Inc. collected HIPAA-covered data but is not a HIPAA-covered entity. The website passes the information to Cerebral Medical Group, P.A., which is a HIPAA-covered entity. The transfer of data to the big tech firms occurred before the transfer to the Cerebral Medical Group, P.A.

WorkIt Health provides healthcare services including SUD treatment. Its website states in its Notice of Privacy Practices (NPP) that, “You are receiving this NPP because you are or intend to receive health care services from a Workit Health Clinic… Each Workit Health Clinic together designates themselves as a single Affiliated Covered Entity (“ACE”) for purposes of compliance with HIPAA.” However, the WorkIt website had trackers from Google, Facebook, Bing, and Twitter, and transferred URLs, personal information, and answers to questionnaires. The Markup contacted WorkIt Health regarding the findings of the study and WorkIt Health removed the tracking technology from its website and initiated an investigation into the privacy breach.

Visitors to These Websites Expect Privacy

Many healthcare organizations add these tracking technologies to their websites with good intentions, as the technology can provide data that can help to improve the user experience on websites and gauge the effectiveness of marketing campaigns, but the extent to which patient information is being shared is not fully understood.

Individuals who visit these websites are unlikely to be aware that any information they provide directly through answers on web forms and medical questionnaires, and indirectly via the sites they visit, is not being kept private and confidential, and that is a big concern. Many of these sites mention HIPAA and Part 2 in their NPPs, yet the extent to which those regulations apply is unclear. The Markup notes that at least 12 of the studied companies state that they are HIPAA compliant, but that does not necessarily mean that the information provided on the site is kept private or is indeed covered by HIPAA at the point it is collected.

The study shows that there is a trade-off when using these websites. Patients get convenience, but it may come at the expense of their privacy. There is a massive gap in HIPAA, which has not been updated to account for changes in how healthcare is being provided, and there are also suggestions of deceptive privacy practices, albeit in many cases unwittingly deceiving visitors about privacy.

“Sensitive health information is being shared, inadvertently, online every day. Hospital websites, online pharmacies, and health information sites, use a variety of applications (site analytics, links to social media, advertising) that collect and share site visitors’ data, including the healthcare terms and medical conditions that the user is searching,” Ian Cohen, CEO of LOKKER told HIPAA Journal. “For example, in LOKKER’s recent research of over 170,000 websites, we identified the Meta Pixel (Facebook) on over 40% of healthcare sites. Similar data was found about data being shared with TikTok, Snapchat, Pinterest, Microsoft, and Google, as well.” Cohen went on to say, “Not only are consumers and patients unaware that their information is being collected and shared, we believe that the website owners don’t fully understand the extent to which they are sharing data back to the social networks.”

The Markup explained that its researchers did not test all webpages on the sites of the telehealth providers, so the full extent to which tracking code has been used is not known. Tracking code can also be configured differently on different web pages.

It is also unclear what the big tech firms do with the transferred data. Several big tech firms state that they do not allow targeted advertising related to health conditions, although there are ways around that by using closely related terms. Meta, for instance, claims to strip out any data it should not receive and does not provide that information to third-party advertisers. The extent to which that occurs is also unclear. Meta is the subject of several lawsuits over this very matter, some of which allege health data has been used to serve targeted ads to patients whose information was collected through the Meta Pixel code snippet.

Steps Operators of Health Websites Should Take

The HHS’ Office for Civil Rights has made clear in its recent guidance that tracking technology on websites violates HIPAA and that this issue needs to be addressed immediately. HIPAA-regulated entities are required to report any HIPAA violations related to the use of third-party tracking technologies. So far, only a few HIPAA-regulated entities have done so, despite huge numbers having added tracking code to their websites. Even if the websites are not run by HIPAA-regulated entities, the operators of those websites have a moral responsibility to protect the privacy of their visitors with respect to their sensitive health information. Ian Cohen suggests all healthcare organizations should take the following actions:

  1. Take inventory of what data your websites and apps are collecting and if you’re violating your own privacy policy, other privacy laws, or your customers’ trust
  2. Know your partners and ensure they aren’t exploiting your customers’ information
  3. Build customer privacy ‘muscle’ by forming teams that include Marketing, IT, and Legal and establish routines for better data hygiene
  4. Don’t just ask for customer consent for bad practices, re-evaluate how you want to better serve your customers and build trust with every interaction by communicating clearly

The post Telehealth Websites are Transmitting Sensitive Health Information to Big Tech Firms appeared first on HIPAA Journal.

Amazon Ends Support for Third Party HIPAA-Eligible Alexa Skills

Posted by HIPAA Journal

Amazon has announced that it will stop support for third-party HIPAA-eligible skills for its Alexa devices, which means developers will no longer be able to create Alexa skills that collect data covered under the Health Insurance Portability and Accountability Act (HIPAA).

Amazon launched its HIPAA-compliant Alexa feature in April 2019, with skills added for patients of Atrium Health, Boston Children’s Hospital, Cigna, Express Scripts, Livongo, and Swedish Health Connect. The HIPAA compliance support meant healthcare organizations could use Alexa skills that collected HIPAA-protected data and could transmit that information in a HIPAA-compliant way. The decision has now been taken to end that support. HIPAA-eligible skills are now part of the Alexa Smart Properties for Healthcare business unit, and those skills can only be developed with first-party support.

“We regularly review our experiences to ensure we are investing in services that will delight customers. We are continuing to invest heavily in developing healthcare experiences with first and third-party developers, including Alexa Smart Properties for Healthcare,” explained Amazon in a statement.

Amazon has now written to all third-party developers to advise them that support for Alexa 3P HIPAA-eligible skills comes to an end this week and has advised them to remove their HIPAA-eligible skills from the skills store. Any developer that fails to remove the skill from the store will have it removed automatically on December 9, 2022, and the use of that skill will be suppressed. Any protected health information associated with that skill will be deleted and if any user attempts to use a HIPAA-eligible skill after it has been suppressed, they will receive a message that the skill is no longer supported. Amazon has confirmed that it will not be notifying users of the skills directly to advise them that support is ending.

The ending of support for third-party HIPAA-eligible skills does not mean that all healthcare-related Alexa skills will be suppressed, only those that collect protected health information. Any healthcare-related Alexa skills that do not collect data protected under HIPAA will be unaffected.

The post Amazon Ends Support for Third Party HIPAA-Eligible Alexa Skills appeared first on HIPAA Journal.

OCR Confirms Use of Website and Other Tracking Technologies Without a BAA is a HIPAA Violation

Posted by HIPAA Journal

The HHS’ Office for Civil Rights has issued a bulletin confirming that the use of third-party tracking technologies on websites, web applications, and mobile apps without a business associate agreement (BAA) is a HIPAA violation if the tracking technology collects and transmits individually identifiable health information. Even with a BAA in place, the use of the tracking technology may still violate the HIPAA Rules

The bulletin has been issued in response to the discovery earlier this year that Meta Pixel tracking code was being extensively used on the websites of hospitals and that the code snippet transferred data to Meta, including sensitive patient data. These privacy breaches came to light during an investigation by The Markup and STAT, which found Meta Pixel had been added to the websites of one-third of the top 100 hospitals in the United States and, in 7 cases, the code had been added to password-protected patient portals. The study was limited to the top 100 hospitals, so it is likely that hundreds of hospitals have used the code and have – in all likelihood unwittingly – transferred sensitive data to Meta/Facebook without a business associate agreement in place and without obtaining patient consent.

Following the publication of the report, several lawsuits were filed against healthcare providers over these impermissible disclosures, with some plaintiffs claiming the information disclosed on the websites of their healthcare providers had been transferred to Meta and was used to serve them targeted advertisements related to their medical conditions. The news came as a shock to healthcare providers, triggering investigations and recent data breach notifications; however, despite so the widespread use of the tracking code, only a handful of hospitals and health systems have reported the breach and have sent notifications so far. The bulletin from the HHS is likely to trigger a flurry of breach notifications as providers realize that the use of Meta Pixel and other tracking code constitutes a HIPAA violation.

What are Tracking Technologies?

Tracking technologies are commonly snippets of code that are added to websites, web applications, and mobile apps for tracking user activity, typically for determining the journeys of users while using websites and monitoring their on-site interactions. The data collected by these technologies can be analyzed and used to improve the services provided through the websites and applications and enhance the user experience, which benefits patients. While there are benefits to individuals from the use of this code, there is also considerable potential for harm to be caused, as in addition to providing a HIPAA-regulated entity with useful information, the data collected through these technologies is usually transmitted to the vendor.

For instance, if a female patient arranged an appointment on the website of a healthcare provider to discuss the termination of a pregnancy, the tracking technology on the site could be transmitted to the vendor, and subsequently disclosed to other third parties. That information could be provided to law enforcement or other third parties. Information disclosed in confidence by a patient of a website or web application could be transferred to a third party and be used for fraud, identity theft, extortion, stalking, harassment, or to promote misinformation.

In many cases, these tracking technologies are added to websites and applications without the knowledge of users, and it is often unclear how any disclosed information will be used by a vendor and to whom that transmitted information will be disclosed. These tracking technologies often use cookies and web beacons that allow individuals to be tracked across the Internet, allowing even more information to be collected about them to form detailed profiles. When tracking technologies are included in web applications, they can collect device-related information, including location data which is tied to a unique identifier for that device, through which a user could be identified.

All Tracking Technologies Must be HIPAA Compliant

There is nothing in HIPAA that prohibits the use of these tracking technologies, but the HIPAA Rules apply when third-party tracking technologies are used, if the tracking technology collects individually identifiable information that is protected under HIPAA and if it transmits that information to a third party, be that the vendor of the tracking technology or any other third-party. If the tracking technology collects any identifiers, they are classed as protected health information because the information connects the individual to the regulated entity, indicating the individual has received or will receive health care services or benefits from the regulated entity, and that relates to the individual’s past, present, or future health or health care or payment for care.

There is an elevated risk of an impermissible disclosure of PHI when tracking technology is used on patient portals or any other pages that require authentication as these pages usually have access to PHI. If tracking code is added to these pages it must be configured in a way to ensure that the code only uses and discloses PHI in compliance with the HIPAA Privacy Rule, and that any information collected is secured in a manner compliant with the HIPAA Security Rule. Tracking code on unauthenticated pages also has the potential to have access to PHI. The same applies to tracking technologies within a HIPAA-regulated entity’s mobile apps, if it collects and transmits PHI. OCR confirmed that only mobile apps offered by healthcare organizations are covered by HIPAA. HIPAA does not apply to third-party apps that are voluntarily downloaded by individuals, even if the apps collect and transmit health information.

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules,” explained OCR in the bulletin.

The OCR bulleting confirms that if tracking technologies are used, the provider of that code – which includes Meta Platforms (Meta Pixel) and Google (Google Analytics) – would be classed as a business associate and must enter into a business associate agreement (BAA) with the HIPAA-regulated entity before the code can be added to a website or application. The BAA must state the responsibilities of the vendor with respect to the PHI and specify the permitted uses and disclosures of that information. If the vendor will not sign a BAA, PHI cannot legally be provided to that vendor, therefore the code cannot be used or must be configured in a way that it does not collect or transmit PHI. OCR also confirmed that if a vendor states that they will strip out any identifiable information prior to saving or using the transferred data, such a disclosure to the vendor would still only be permitted if a BAA was signed and if the HIPAA Privacy Rule permits such a disclosure.

Other potential violations of HIPAA could occur. If any PHI is disclosed to a vendor, it must be in line with the organization’s privacy policy and be detailed in their Notice of Privacy Practices. It is important to note that simply stating that tracking technology is used in a notice of privacy practices is not sufficient by itself to ensure compliance. In addition to a BAA, any disclosure of PHI for a purpose not expressly permitted by the HIPAA Privacy Rule requires a HIPAA-compliant authorization from a patient, giving their consent to disclose that information. Website banners that ask a website visitor to consent to cookies and the use of web tracking technologies do not constitute valid HIPAA authorizations.

Actions HIPAA-Regulated Entities Should Take Immediately

In light of the bulletin, HIPAA-regulated entities should read it carefully to make sure they understand how HIPAA applies to tracking technologies. They should also conduct a review of any tracking technologies that they are using on their websites, web applications, or mobile apps to ensure those technologies are being used in a manner compliant with the HIPAA Rules. If they are not already, website tracking technologies must be included in a HIPAA-regulated entity’s risk analysis and risk management processes.

It is important to state that a tracking technology vendor is classed as a business associate under HIPAA, even if a BAA is not signed. As such, any disclosures to that vendor would be classed as an impermissible disclosure of PHI without a BAA in place, and the HIPAA-regulated entity would be at risk of fines and other sanctions if PHI is transmitted without a signed BAA.

If during the review a HIPAA-regulated entity discovers tracking technologies are being used in a manner not compliant with the HIPAA Rules, or have been in the past, then the HIPAA Breach Notification Rule applies. Notifications will need to be sent to OCR and the individuals whose PHI has been impermissibly disclosed.

The post OCR Confirms Use of Website and Other Tracking Technologies Without a BAA is a HIPAA Violation appeared first on HIPAA Journal.