What are online tracking technologies?
Tracking technologies are typically pieces of code embedded in websites or apps that monitor users' behavior as they interact with the website or app. The information they gather is collected and analyzed by the website owner and/or third parties to draw insights from user behavior.
What’s considered PHI?
Per the guidance bulletin, PHI would include “individually identifiable health information” (IIHI), such as an individual’s medical record number, home address, email address, or appointment dates, as well as an individual’s IP address or geolocation, medical device ID, or any unique online or mobile identifying code.
What’s covered under the new guidance bulletin?
- User-authenticated webpages (i.e., pages a user can only access after logging in): A covered entity must configure any user-authenticated webpages that include tracking technologies so that those technologies use, disclose, and secure PHI only in compliance with HIPAA.
- Unauthenticated webpages (i.e., publicly available pages that do not require a user login): Tracking on these webpages is generally not regulated by HIPAA. In some cases, however, tracking technologies on unauthenticated webpages may have access to user PHI and may disclose that data to outside vendors, which triggers the HIPAA Rules.
- Mobile apps: Information a user types in, as well as device-level data (location, device ID, or advertising ID), collected by a covered entity's mobile app is subject to HIPAA for any PHI the app uses or discloses. HIPAA rules do not apply to data that users voluntarily enter into "mobile apps that are not developed by or on behalf of regulated entities."

Step 2: Control what you protect, share, and deidentify–without losing the power of individual behavior in your data
Measuring individual behavior is important for marketers to understand and to use to drive the most powerful insights, targeting and optimizations. Creating a mechanism to review and share data that your team needs, and your partners need, to make the most powerful decisions–while protecting user privacy–is critical in deriving the most value out of your consumer data strategy.
Adopting the right data masking and encryption techniques will give your internal teams, your marketing and agency partners, and your targeting partners access to the information they need to derive the most value from your marketing, patient, research, CRM and other data sources, while offering the protection you need to ensure patient privacy is central to your decisions.
What are some other ways to plan ahead?
Shorter opt-in windows, greater autonomy and individual privacy control are among the many reasons that health systems are investing in CRM systems that support an opt-in first model.
Many systems are now weighing the cost of CRM investment against the risk of a privacy violation and utilizing CRMs as part of their overall mitigation strategy. This patient-centric approach allows for more visibility for patients in what types of health-related information they prefer to receive from provider systems, while offering providers and systems more control and visibility into patient-level targeting strategies.
Key capabilities to consider when evaluating systems are integration with digital marketing platforms, visibility into online engagement, and real-time integration of opt-out signals for digital marketing across social channels. CRMs can segment communication-driven digital outreach that is not considered 'marketing', such as communication about products and services covered by a patient's insurance, from marketing outreach. CRMs can also serve an important function in creating targeted audience outreach based on health behaviors, acting as an ETL (Extract, Transform, Load) solution that builds campaign targeting in a secure way and ensures patient data is protected appropriately.

The Lewis Team is available to audit current practices and formulate recommendations for improvements, as well as implement best practices to ensure your patients and your institution remain in compliance with federal guidelines.