In December, the Department of Health and Human Services (HHS) issued guidance on the use of marketing trackers by HIPAA Covered Entities, which has prompted research and introspection on how and where these technologies are appropriate to use within healthcare digital properties. While many healthcare organizations are adapting to the new guidance, many are still struggling to understand its implications and what they need to do to adapt.
The recent joint letter from HHS and the Federal Trade Commission (FTC) sent to 130 organizations appears to reflect their frustration at the slow pace of change resulting from the December guidance. It clarifies their expectation that Covered Entities and others handling similarly sensitive health information act now in response to the guidance rather than wait for greater clarity.
This post is the first in a series explaining the guidance, challenges, options, and the areas of uncertainty that have been introduced by HHS.
Interpretations of the December HIPAA guidance vary widely and there is no single agreed standard for compliance. Every organization should seek to establish its own understanding of what is and isn’t acceptable given HIPAA rules today and the likely redefinition and expansion of privacy laws inside and outside of healthcare in the future.
Defining PHI in a Digital Marketing Context
HIPAA defines Protected Health Information (PHI) as a subset of health information that (1) Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
In addition, the information needs to be stored electronically at some point during its lifecycle. PHI cannot be shared with organizations or individuals unless they are part of the covered entity or a business associate and only if they have a valid business reason. In addition, PHI can only be used for health promotion purposes, not for marketing.
This definition of PHI is very clear for something like a patient history in an electronic medical record but has always been pretty abstract for most of what we deal with in the realm of digital marketing. When one person sends another a “get well soon” eCard through a covered entity’s website, is that disclosing PHI? If someone interacts with an online banner ad that you’ve created, have you disclosed something by virtue of the information’s capture in an online ad network? If you allow a “schedule appointment” link on a Google My Business (GMB) page, is that a breach?
Can a meaningless ID be used to associate the activity of an anonymous user across sessions? Is a visitor looking at a page of content on your website sufficient to imply the person has that condition? – and so on.
Just as I asked in this blog post from 2016, we are still in need of a better definition of PHI!
Where Guidance Fits into the Broader Privacy Conversation
This new guidance highlights the changing conversation around privacy, including recent investigative reporting relating to Facebook’s Meta Pixel and new and proposed laws relating to privacy in Europe, California, Utah, and elsewhere. The result is a web of increasingly disjointed, inconsistent privacy laws that are becoming more and more difficult for organizations to navigate.
We are entering an environment where the perception of privacy is changing, leading to greater scrutiny of privacy practices. Things that have always been acceptable in the past need to be reexamined in light of a tighter privacy climate. And there is no single approach that is likely to adequately address all the different philosophies and approaches that may emerge in the future.
Every healthcare organization should be thinking about how, going forward, it will use marketing trackers or other technologies that act in a similar manner to what we traditionally think of as marketing trackers.
The guidance states that it is not changing anything in the law but, rather, seeks to clarify how regulated entities should view these technologies within the lens of HIPAA.
An analysis from the University of Pennsylvania tells a different story: with 98.6% of healthcare organizations sharing data with third-party trackers, it’s clear that the standards presented in the guidance vary meaningfully from the working definitions the industry has been using for what is and isn’t in scope for HIPAA! The guidance does not have the force of law and, unfortunately, by issuing it in the way that they have, HHS has introduced as many questions as they’ve answered.
The new guidance looks at the question in three contexts – mobile apps, authenticated web pages (most commonly within patient portals), and unauthenticated web pages. I will focus on unauthenticated web pages here, as that’s the scope of consumer web properties that we work with at Geonetric and is the area with the greatest confusion and difference of opinion.
What the Guidance Changes
The guidance changes several items from the working definition that the industry has been using for PHI in the context of digital marketing:
- IP address is an identifying attribute: There are several factors that clearly identify the individual and these must be handled with caution. These include email, name, address, phone number, SSN, medical record number, and others. While IP address has always been one of the “18 HIPAA Identifiers”, there are technical reasons why an IP address is often not sufficient to connect an online interaction to an individual, so most organizations haven’t traditionally treated it as such. The guidance clarifies that the IP address should be treated as an identifying attribute for the purposes of HIPAA.
- All website visitors are presumed to be patients: The guidance goes on to share that we must presume that any search or action on a regulated entity’s website “relates to the individual’s past, present, or future health or health care or payment for care”. While this should be a fun argument to pull out next time you’re debating the ROI of web operations with your CFO, we know that the reality is that people visit our online properties for many reasons, and many are not currently and likely never will be patients of our organizations. Nevertheless, the guidance is clear that we must treat them as if they were.
A Range of Reactions
Through our own analysis along with my conversations with dozens of healthcare organizations and their compliance and legal teams, I’ve found a wide range of interpretations of the new rules. The most restrictive interpretations of the new guidance take the position that any user engaging with your digital properties must be assumed to be someone who has received or will receive healthcare services from the covered entity.
It is also stipulated that almost any situation involving an IP address and the URL of a page that a consumer is visiting constitutes PHI, even when viewing an unauthenticated web page.
Other experts latch on to the guidance’s statement that tracking technologies generally do not have access to PHI from users’ browsing activities on unauthenticated web pages. This suggests that there is some threshold at which browsing activity becomes high risk. In the absence of clear direction on where that threshold lies, they argue, it remains unclear when this data would constitute PHI, and therefore we need not consider it to be covered by HIPAA.
It’s my hope that we’ll eventually get clearer, more actionable guidance in the future, either from HHS itself, or as the result of one of the many lawsuits currently facing healthcare organizations in relation to these issues. Even though the guidance doesn’t carry the force of law, it seems prudent to act today to mitigate these risks.
Assessing Risk
Some digital marketing tactics represent a level of risk that nearly every healthcare organization would view as unacceptable. For example, issues with marketing tracking technologies came to light through an investigative report from The Markup in 2022.
Facebook’s tracking technology has an option that improves its ability to connect online interactions back to the individuals engaging with your site for better measurement and to optimize ad performance on Facebook/Meta’s family of websites and apps. With the Attribution Option enabled, the tracking code collected additional information from form submissions and sent that information to Facebook which could include sensitive identification or health-related information.
Likewise, the use of many of these technologies within patient portals or other authenticated online experiences presents a high degree of risk in the absence of additional privacy steps.
The guidance gets more confusing when looking at the use of tracking technologies on Covered Entities’ unauthenticated web pages, stating that these “…generally do not have access to individuals’ PHI”.
However, it goes on to suggest that there are some situations where such interactions may include PHI, such as viewing information on a specific condition or symptom, searching for a provider, or making an appointment. Since this is what most healthcare websites are focused on, it’s unclear what threshold must be cleared to present this risk.
Moreover, it is still unclear when the act of reading a page of information or looking at a service or provider page meets the definition of PHI, but this certainly represents more risk today than it did previously. Many healthcare organizations now consider data to be PHI when only a consumer’s IP address and URL are known. Regardless of where the threshold lies, any tools that touch live consumer or patient traffic or receive information about such interactions must be carefully considered.
What to Do from Here
Every healthcare organization needs to engage in a risk assessment process related to these issues. Some best practices might include:
- Catalogue every element of your marketing technology stack and review the information that it has access to, whether you have a BAA in place with that vendor, and what risk mitigation steps you need to take with them.
- Catalogue every point in your websites, patient portals, apps, and other digital properties where information is sent to third parties. Review each of these as you do the other parts of the marketing tech stack, above.
- Look at each of your marketing tools and partners as your organization does for other software vendors. Most healthcare organizations have a governance process for software vendors used by the IT organization, but many have avoided using that same process for their marketing vendors.
- Review and update the privacy policies on your websites, patient portals, apps, and other digital properties.
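As an added example of the cataloguing steps above (not Geonetric’s code or part of the original post), the script below walks a page’s HTML and lists every host other than the first party that the browser will send a request to; each of those is a point where, at minimum, the visitor’s IP address and the URL of the page reach a third party. The sample HTML and the first-party domain example-health.org are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a fictitious condition page carrying a Meta Pixel,
# a Google tag and an embedded video alongside first-party assets.
SAMPLE_HTML = """
<html><head>
<script src="https://www.example-health.org/js/app.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<img src="https://www.facebook.com/tr?id=PIXEL_ID&amp;ev=PageView" height="1" width="1">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<img src="/images/logo.png">
</body></html>
"""

# Tag -> attribute naming the resource the browser will fetch. Any such fetch
# from a host other than the first party sends that host the visitor's IP
# address and, under the default Referrer-Policy, the URL of the page viewed.
SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []  # (tag, url) for every resource-loading element

    def handle_starttag(self, tag, attrs):
        attr = SRC_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append((tag, value))


def third_party_hosts(html, first_party_host):
    """Return {host: sorted tags} for every resource not served by the first party."""
    parser = ResourceCollector()
    parser.feed(html)
    found = {}
    for tag, url in parser.urls:
        host = urlparse(url).netloc.lower()
        if not host:  # relative URL: first-party fetch, no third-party disclosure
            continue
        if host == first_party_host or host.endswith("." + first_party_host):
            continue
        found.setdefault(host, set()).add(tag)
    return {host: sorted(tags) for host, tags in found.items()}
```

Feeding it the saved HTML of each page template gives a first inventory of hosts for the catalogue. Tags injected at runtime by a tag manager do not appear in the static markup, so the list should be reconciled against the browser’s network log.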
If you need assistance with this process, with your compliance goals, or with Geonetric Privacy Filter, Geonetric can help. Contact us for a personalized compliance assessment today!
I’m not a lawyer.
Geonetric is not a law firm.
I’m sharing my insights and advice but nothing that I share here should be considered legal advice.