Health Care Alert: New Year's Resolution #1 - Review Your Patient-Facing Web and App Platforms | Brouse McDowell | Ohio Law Firm

on December 29, 2022

As we wind down the year, we look (briefly) at lessons learned, achievements, and other successes, and we plan and regroup for another successful year. Top of mind for health care providers in your 2023 plans should already be cybersecurity. Cybercrime is here whether we like it or not. In fact, the Office for Civil Rights (OCR), the agency that enforces the HIPAA laws, recognizes this too and is pushing providers to lock down the protected health information (PHI) collected on their patient-facing (or potential-patient-facing) web and mobile app platforms.

In its recent bulletin, OCR specifically addresses tracking technologies and their use by HIPAA-regulated entities (covered entities and business associates). For most businesses, health care included, tracking technologies are a common tool used by website hosts and mobile app platforms to track the activities of users who visit their sites and use their apps. In short, they collect information about each visitor or user, including click-paths, IP addresses, mobile device information, geolocation and more, through tools such as cookies, web beacons, and tracking codes embedded in mobile apps. On most websites, users can learn about this by clicking the site’s “Privacy Policy” or “Terms and Conditions” links, most commonly located in the website footer, or by acknowledging the terms and conditions in a pop-up (the “I Agree” button).

In this hyper-digital age, most users are desensitized to the collection of their data because it is nearly impossible to navigate online without consenting to such use. However, OCR has just released specific guidance to HIPAA-regulated entities taking the position that the collection of this tracking data may constitute PHI and therefore requires certain HIPAA-compliant safeguards.

Certainly, a patient portal site falls squarely within this scenario, but what about your business’s general-information website or mobile app? While users may not enter their medical record numbers, dates of birth, addresses or other information there, OCR reasons that even an IP address or geolocation data is PHI, and, more importantly, that this holds even if the individual does not have an existing relationship with the regulated entity. OCR’s reasoning is that although any one of these data points may not identify a particular individual, the combination of several data points, coupled with the user’s lingering on or interest in certain of a health care provider’s pages, such as the cardiology page, is sufficient to link the individual to a health condition. Thus, even a general health care business website may be collecting PHI from non-patients!

All is not lost, however, if your health care entity uses such tracking technologies. First, there is a question about whether the data collected constitutes PHI under this new guidance. If it does, then under HIPAA, to collect, store or process that PHI, a covered entity or business associate must have the proper safeguards in place and/or have the patient’s consent. This includes ensuring that the vendor who provides the tracking technology accepts its role as a business associate under HIPAA and agrees to comply with the appropriate safeguards. If the vendor is not a business associate or refuses that role, then the users’ consent will be required before such data can be collected from them. In that case, click-wraps and other affirmative-consent pop-ups are options that require users to give their consent before using the site and/or accepting certain terms of use.

There is a lot to unpack here, much of which will involve engaging your IT team to understand, first, whether and where your health care business uses tracking technology. Second, identify the vendors and what they are tracking. Third, analyze each vendor relationship and implement the necessary HIPAA requirements to protect that data. Lastly, add this to your 2023 Compliance Plan worklist.

I am happy to partner with you in this analysis. If you have questions about data privacy and HIPAA, please contact me.

Wishing you and your family a happy New Year.
