The federal Office for Civil Rights (OCR) is warning physicians about privacy requirements when using online tracking technologies.
In December 2022, OCR issued a bulletin to highlight the obligations of HIPAA-regulated entities when using online tracking technologies such as Google Analytics or Meta Pixel. This is the first time a specific alert has been issued to physicians over the use of technology platforms.
The bulletin addresses potential impermissible disclosures of electronic protected health information (ePHI) by HIPAA-regulated entities to online tracking technology vendors. It suggests steps that regulated entities should take to protect ePHI when using tracking technologies.
“We are in for quite a few changes in the coming months with a number of updates,” said Katina Michael, PhD, the director of the Society Policy Engineering Collective at Arizona State University in Tempe. “We always note that technology moves far ahead of regulation, and this can be said particularly for health-related innovations.”
These technologies collect and analyze information about how users interact with a regulated entity’s website or mobile application. Some regulated entities regularly share ePHI with online tracking technology vendors, and some may be doing so in a way that violates the HIPAA rules by causing impermissible disclosures of ePHI to those vendors.
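The practical check a regulated entity wants here is an inventory of where its web pages send data. The following is an added example, not code from the article or from OCR: it takes the resource URLs a page loads and the beacons it emits (as captured from a browser's network log), separates first-party from third-party hosts, flags hosts belonging to the tracking vendors the bulletin names, and reports any beacon that carries the visited page's URL or title off-site, since a URL such as an oncology appointment page is itself information about the patient. The vendor host suffixes, the beacon parameter names and the sample site are assumptions made for this example.

```javascript
// Added example (not from the article or the OCR bulletin): audit the network
// resources a page loads and the beacons it sends. Vendor host suffixes and
// beacon parameter names are assumptions for this example.

// Host suffixes of the tracking vendors named in the bulletin (assumed list).
const TRACKER_VENDORS = [
  { suffix: "google-analytics.com", vendor: "Google Analytics" },
  { suffix: "googletagmanager.com", vendor: "Google Tag Manager / GA4" },
  { suffix: "connect.facebook.net", vendor: "Meta Pixel (script)" },
  { suffix: "facebook.com", vendor: "Meta Pixel (beacon)" },
];

// Beacon query parameters that carry page context: dl = document location,
// dt = document title, dp = document path (assumed names for this example).
const PAGE_CONTEXT_PARAMS = ["dl", "dt", "dp"];

function hostMatches(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

// Classify one resource URL relative to the site's own origin.
function classifyResource(resourceUrl, siteOrigin) {
  const res = new URL(resourceUrl);
  const siteHost = new URL(siteOrigin).hostname;
  const vendorEntry = TRACKER_VENDORS.find((v) => hostMatches(res.hostname, v.suffix));
  const leaked = PAGE_CONTEXT_PARAMS.filter((p) => res.searchParams.has(p));
  return {
    url: resourceUrl,
    host: res.hostname,
    firstParty: hostMatches(res.hostname, siteHost),
    vendor: vendorEntry ? vendorEntry.vendor : null,
    // Decoded values of any page-context parameters present on the beacon.
    pageContextLeaked: leaked.map((p) => ({ param: p, value: res.searchParams.get(p) })),
  };
}

// Audit a whole page: only third-party destinations are reported, because
// page context sent to the site's own servers does not leave the entity.
function auditPage(siteOrigin, resourceUrls) {
  const entries = resourceUrls.map((u) => classifyResource(u, siteOrigin));
  const thirdParty = entries.filter((e) => !e.firstParty);
  return {
    thirdPartyHosts: [...new Set(thirdParty.map((e) => e.host))].sort(),
    trackers: thirdParty.filter((e) => e.vendor !== null),
    pageContextLeaks: thirdParty.filter((e) => e.pageContextLeaked.length > 0),
  };
}

// Constructed sample: resources observed while loading an appointment page on
// a fictional clinic site. Hostnames and IDs are made up for this example.
const SAMPLE_SITE = "https://clinic.example";
const SAMPLE_RESOURCES = [
  "https://clinic.example/static/app.js",
  "https://cdn.clinic.example/img/logo.png",
  "https://fonts.gstatic.com/s/opensans/v1/font.woff2",
  "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE",
  "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE" +
    "&dl=https%3A%2F%2Fclinic.example%2Fappointments%2Foncology" +
    "&dt=Book%20an%20oncology%20visit",
  "https://www.facebook.com/tr/?id=000000000&ev=PageView" +
    "&dl=https%3A%2F%2Fclinic.example%2Fappointments%2Foncology",
];

function sampleAudit() {
  return auditPage(SAMPLE_SITE, SAMPLE_RESOURCES);
}

if (typeof require !== "undefined" && require.main === module) {
  const report = sampleAudit();
  console.log("Third-party hosts:", report.thirdPartyHosts.join(", "));
  for (const t of report.trackers) {
    console.log(`Tracker: ${t.host} (${t.vendor})`);
  }
  for (const l of report.pageContextLeaks) {
    const what = l.pageContextLeaked.map((x) => `${x.param}=${x.value}`).join(" ");
    console.log(`Page context sent to ${l.host}: ${what}`);
  }
}
```

Run with `node` to see the report for the constructed sample; in practice the URL list would come from a browser's HAR export or a proxy log. The report deliberately separates "a tracker is present" from "page context leaves the site", because the second finding is the one that needs review against the entity's business associate agreements and patient authorizations.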
Text-based medicine is gaining significant momentum, a trend fueled by the ongoing COVID-19 pandemic. “People are more willing to entertain the idea of gaining access to a medical professional ‘on demand’,” Dr Michael said. “One of the major changes being witnessed is how to book a doctor or dentist or optometrist in your medical insurer’s network. On top of scheduling apps, we now have the ability to receive phone consultations, especially if we have COVID-like symptoms and need treatment.”
Text-based medicine allows greater access to care options, Dr Michael said. Patients can consult with clinicians over their smartphones, an attractive feature for individuals who do not want to or cannot travel for an in-person visit.
There is a growing concern about new laws that may hamper this trend in medicine. Physicians can answer general questions, and even a transcript of the conversation can be retained for follow-up. “This might be a great method for chronic sufferers and this kind of patient-physician exchange can provide for transparency and accountability. However, privacy issues are fraught. Increasingly we have seen data breaches of not just medical offices, but also major health insurers,” Dr Michael said.
A data breach can give a cybercriminal access to transcripts of text-based correspondence between a physician and a patient, and the data could then be sold on the dark web. The breach could expose, for example, a patient who is a pilot dealing with anxiety, or a female physician experiencing postnatal depression who still wishes to practice. “The range of scenarios is endless,” Dr Michael said. “The question becomes, is one’s right to privacy guaranteed through this kind of medical service offering? The answer is no, it cannot be.”
“HIPAA governs how your data are used by providers and health insurers, but does not govern what individuals do with their data,” said Kevin Schulman, MD, Professor of Medicine at the Clinical Excellence Research Center at Stanford University, Palo Alto, California. “To me, the issue is not laws but consumer awareness that they can now determine whom to share their data with, and should be sure that their apps and services are trusted vendors.” For example, sharing personal medical histories and posting medical charts online is common, but consumers may not fully understand the personal implications of these postings.
That said, HIPAA is intended to protect patients from the misuse of their data by provider organizations. “Providers selling our data for advertising, directly or indirectly through trackers, is exactly what HIPAA was intended to prohibit,” Dr Schulman said.