What HIPAA Entities Ought to Know
Healthcare teams should consider several key points about a recent Texas federal court ruling and its impact on the use of online tracker technology on the healthcare websites of HIPAA-regulated organizations, said privacy attorney Iliana Peters of the law firm Polsinelli.
According to Peters, a recent Texas federal court ruling that says the Department of Health and Human Services overstepped its authority in particular provisions of HIPAA guidance involving the use of online tracking tools on healthcare websites is very narrow.
The court ruled that the HHS Office for Civil Rights was wrong when it said that tracking technology that captures the IP address of a user’s device and matches it with a visit to a web page that addresses specific health conditions or lists healthcare providers “is a sufficient combination of information to constitute individually identifiable health information” (see: Court: HHS Overstepped HIPAA Authority in Web Tracking Guide).
“The proscribed combination fails to improve current privacy protections while jeopardizing the dissemination of important healthcare information to the masses,” the court said.
HHS OCR issued the guidance in December 2022 and updated it in March. Since the June 20 ruling, HHS OCR added a note to the guidance, saying HHS is “evaluating its next steps” in light of the court’s decision.
“It's really important for regulated entities to understand that this changes very little in the guidance. In other words, yes, we may be less concerned about users visiting public-facing websites,” Peters said, “but the vast majority of activities on these public-facing websites aren’t merely a visit to the website, and the information that’s shared with a third-party vendor is not just IP addresses and the website address. A lot of other things are being done on these websites.”
“It's such a limited ruling that it's likely not to change our approach in a really substantive way in the vast majority of cases,” Peters said.
In this audio interview with Information Security Media Group, Peters also discussed:
- HIPAA considerations involving public-facing unauthenticated websites vs. authenticated websites, such as patient portals;
- State and federal regulatory issues involving the privacy of IP addresses and other identifiers;
- Why the recent Texas federal court ruling is not likely to affect previously reported HIPAA breaches involving the use of online tracking technologies on healthcare websites.
Peters is a Polsinelli law firm shareholder and an attorney in its national healthcare operations practice. She previously spent more than a decade at HHS OCR and served as the acting deputy director of health information privacy and the senior adviser for HIPAA compliance and enforcement. Before joining the OCR team in Washington, Peters worked as an investigator in OCR’s Dallas regional office.