Any healthcare organization that embeds tracking technologies in its website should carefully review whether it is inadvertently violating HIPAA or other federal regulations, said Nick Heesters, senior adviser for cybersecurity at the Department of Health and Human Services’ Office for Civil Rights.
In recent weeks and months, HHS OCR and the Federal Trade Commission have warned healthcare firms – whether covered by HIPAA or not – of potential privacy violations caused by web trackers that send sensitive health data to third parties such as social media and marketing firms.
Those warnings have included recent letters jointly sent by the agencies to more than 130 hospital systems and telehealth providers (see: Feds Publicly Name 130 Healthcare Firms Using Web Trackers).
As far as HHS OCR is concerned, “entities that are going to be using online tracking technologies need to understand what those [tools] are doing in their environments if HIPAA obligations apply – and if they do, ensure that they comply with the HIPAA rules,” he said.
In light of the guidance that HHS OCR issued last December warning about web tracker usage and the recent letters sent with the FTC, organizations should take a close look at their web tracking usage, he said.
The FTC has already taken enforcement actions against a few firms – including online mental health provider BetterHelp and online discount prescription drug company GoodRx – for their potentially unlawful use of web trackers, and HHS OCR is also closely scrutinizing a number of potential HIPAA-noncompliance cases.
“There are no particular dates on when we may see some type of published enforcement, but there are web tracking issues that we’re investigating,” Heesters said.
In the audio interview, Heesters also discusses:
- HIPAA-related rule-making and other activities in the works at HHS OCR;
- The latest cybersecurity trends, including the boom in breaches this year involving hacks on vendors of secure file transfer software products;
- Enhancements included in the newly updated HIPAA Security Risk Assessment version 3.4 tool released by HHS OCR and its sister agency, the Office of the National Coordinator for Health IT.
Heesters is an attorney and a certified information privacy professional with over 30 years of experience supporting technology and information security across many diverse industries.