A top HIPAA-enforcement priority for regulators is cracking down on entities that disclose patient information to third parties without permission through the use of website tracking codes, says Melanie Fontes Rainer, director of the Department of Health and Human Services’ Office for Civil Rights.
“This is a practice we’ve been seeing across the industry,” she said in an interview with Information Security Media Group at the 2023 Healthcare Information Management and Systems Society Global Health Conference and Exhibition in Chicago. “It’s not wrong to say that you want to better understand your patients, your consumers – that’s a good goal. But you also have to make sure you’re protecting the protected health information,” she said.
HHS OCR issued guidance late last year clarifying what regulated entities need to do to ensure their use of tracking codes is permissible under HIPAA, including having a business associate agreement with the tracking code technology firms, she said (see: HHS: Web Trackers in Patient Portals Violate HIPAA). “It’s a priority area. We’re looking into organizations across the country.”
HHS OCR has seen the questionable use of tracking tools by a variety of healthcare and related entities, including those that provide mental health and reproductive health services, she says.
“It is something that is harmful for the patient but is also an end run around HIPAA. So we’re trying to make sure that as technology advances and we try to do more to improve the consumer’s experience, HIPAA can’t be an afterthought.”
HHS OCR’s first enforcement action against tracking-tool-related HIPAA violations will be “hopefully soon,” she said. “We want to get this right.”
In this interview with Information Security Media Group, Fontes Rainer also discusses:
- The status of rule-making plans for the HITECH Act of 2009’s provision for HHS to distribute money collected from HIPAA breach and violation enforcement actions, such as settlements and civil monetary penalties, to individual victims;
- HHS OCR’s recently proposed rule for changes to the HIPAA Privacy Rule related to reproductive healthcare information disclosures and uses for law enforcement activities (see: HHS Wants HIPAA Changes to Protect Reproductive Health Info);
- The agency’s rule-making plans to better coordinate 42 CFR Part 2 regulations, which pertain to the confidentiality of substance disorder information, with the HIPAA Privacy Rule (see: HHS Rule to Ease Record Sharing, Guard Substance Abuse Data);
- HIPAA breach and violation trends, including the surge in ransomware incident reports and the steady flow of patient right-of-access complaints;
- HHS OCR’s recent internal reorganization aimed at beefing up enforcement activities;
- Other top HHS OCR priorities.
Prior to being named director of HHS OCR in September 2022, Fontes Rainer was counselor to HHS Secretary Xavier Becerra, providing guidance on issues including patient privacy, reproductive health and the Affordable Care Act. Before joining the Biden administration, Fontes Rainer served as the special assistant to the attorney general and chief healthcare advisor at the California Department of Justice. She previously worked in the U.S. Senate as a senior aide and women’s policy director to Chair Patty Murray on the Health, Education, Labor and Pensions and the Budget committees.