Tracking Technologies and HIPAA
In December 2022, OCR issued a Bulletin outlining health providers’ HIPAA obligations. An important aspect of this overview emphasizes that providers are not allowed to use tracking technologies in a way that would reveal Protected Health Information (PHI) in a manner inconsistent with HIPAA’s privacy standards. Additionally, even individuals or entities not subject to HIPAA are expected to safeguard PHI in accordance with the FTC Act and the FTC Breach Notification Rule.
While this Bulletin was issued at the end of 2022, OCR and the FTC jointly issued a letter to over 130 companies in mid-2023 to notify them of these obligations, drawing widespread notice within the healthcare industry and broader business community.
What the Guidelines Mean
In practical terms, OCR (Optical Character Recognition) essentially determines that certain data collected, transferred, and stored by tracking technologies falls under the category of electronic Protected Health Information (ePHI) as defined by HIPAA (Health Insurance Portability and Accountability Act). While these platforms may not gather test results, information such as email addresses and IP addresses can be considered ePHI when linked to medical data.
Additionally, OCR specifies that when a healthcare entity subject to HIPAA collects such information, like when a potential patient seeks services in their area, that data is classified as Protected Health Information (PHI). However, as this data is inherently shared with Google employees without direct consumer consent and stored in Google’s undisclosed locations, healthcare providers who use Google Analytics are not in compliance with their privacy obligations under HIPAA.
In fact, Google Analytics explicitly states in its Terms of Service that it is not HIPAA compliant and should not be used to collect any information that falls under the definition of PHI according to HIPAA.
The American Hospital Association is urging Congress to reconsider this rule, arguing that the definition of PHI in this context is too broad and negatively impacts the quality of healthcare services. Additionally, this rule has implications for the utilization of mapping and location technologies that assist the public in identifying the nearest and most optimal services available.
However, despite these concerns, the current obligations remain in effect and healthcare providers must adhere to them. Consequently, covered providers and business associates under HIPAA are hesitant to use platforms like Google Analytics, Meta Pixel, or Google Ads that collect PHI.
Providers now have the ability to leverage Google Analytics without disclosing any PHI.
By anonymizing IP addresses, avoiding the storage of visitor IDs, refraining from tracking GPS information, and disabling third-party scripts that track PHI, among other methods, you can ensure compliance. Handling PHI requires thoroughness, as violations can result in significant fines, reaching up to five figures per incident.
State Patient Privacy Laws in 2024
Healthcare providers, as well as business associates under HIPAA, are likely familiar with state laws concerning patient privacy. In recent years, California, Colorado, Connecticut, and Virginia have implemented data privacy laws that have implications for the use of PHI. It is worth noting that the Utah Consumer Privacy Act will come into effect on December 31, 2023. This legislation applies to organizations with a gross revenue of $25 million or more that process data from 100,000 consumers.
For organizations that primarily generate revenue from selling data, the data processing threshold is set at just 25,000 consumers. It is important to mention that HIPAA-covered entities are exempted from this state law.
In addition to these states, several more have privacy laws set to go into effect in 2024.
- Florida: The Florida Digital Bill of Rights, which takes effect July 1, 2024, has a fairly high threshold for the businesses it covers. Covered businesses must make $1 billion or more and either make more than 50 percent of their revenue from selling data, operate an app store with at least 250,000 apps, or operate a voice-activated virtual assistance service tied to a cloud computing system.
- Montana: In contrast, the Consumer Data Privacy Act in Montana imposes a relatively low threshold for organizations that fall under its scope. These organizations are required to process data from 50,000 or more consumers, and this threshold is further reduced to 25,000 if the organization generates at least a quarter of its revenue from selling data. The effective date for this act is October 1, 2024.
- Oregon: The Oregon Consumer Privacy Act applies to organizations that handle data from a minimum of 100,000 consumers, or 25,000 or more if the organization generates a quarter of its revenue from selling such data. This legislation will come into effect on July 1, 2024.
- Texas: The Texas Data Privacy and Security Act covers all businesses except those defined as small businesses by the U.S. Small Business Administration. Like Florida’s and Oregon’s laws, it takes effect July 1.
- Washington: The State of Washington My Health My Data Act will be effective March 31, 2024. It specifically pertains to organizations that store, collect, and transfer health data.
Every law includes a provision for HIPAA-covered entities, yet providers may still violate state laws if they engage third-party vendors who handle PHI (Protected Health Information) but do not meet the criteria of a business associate under HIPAA.
Is the United States Moving Towards a Federal Data Privacy Act?
As data privacy laws currently stand, they are a complex mix of federal and state regulations, often specific to different industries. Recognizing the need for a comprehensive federal data privacy law, Congress introduced a bipartisan bill called the American Data Privacy and Protection Act (ADPPA) in 2022. Although it gained some traction, it ultimately failed to pass before the legislative session ended. However, there is a possibility that it may be reintroduced in 2024. Notably, ADPPA aims to regulate the use of health data collected by companies not covered by HIPAA, such as those that sell fitness trackers.
Even if ADPPA does not move forward in the 118th Congress, it is possible that certain data privacy changes may still be implemented through the Data Privacy Act of 2023. This bill seeks to update the provisions of the Gramm-Leach-Bliley Act to ensure its alignment with new technology standards. Additionally, the Upholding Protections for Health and Online Location Data (UPHOLD) Privacy Act is another bill worth mentioning, particularly for healthcare providers. It specifically addresses the collection of health data by entities not covered by HIPAA and imposes restrictions on its usage without user consent.
These potential laws are merely the beginning of a much larger issue. By 2025, Iowa, Tennessee, and Indiana will have enacted data privacy laws, with many other states actively working on their own versions. As technology continues to advance, new applications for protected health information (PHI) will arise that current laws have not yet addressed. Meanwhile, legal challenges will shape the future of how providers and businesses approach data privacy.
Staying compliant with this ever-changing legal and regulatory landscape is crucial. It’s equally important for your organization to be prepared for compliance. Transitioning from paper to electronic data collection may already be underway in various areas of your organization. However, you must ensure that your data collection, storage, and transfer processes meet HIPAA standards, ensuring security, operational efficiency, and a seamless experience for consumers.
While implementing this level of digital transformation may present challenges for providers, it is essential for delivering high-quality healthcare in the digital age.