By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure – #HCdeJure
You go to a website and begin looking around for a healthcare product. In the current climate, that can mean searching for a prescription drug that is not permitted in certain states, or seeking easier access because a visit to a doctor’s office does not fit into a busy schedule, or really into many regular schedules. Regardless of the type of service or product wanted, a website is the first place to go to look for information and, likely, to order it.
What information is captured on that website though? That is likely not something anyone thinks about before going to any website. Recent revelations show that the question does need to be asked, and arguably it matters most to whoever is operating the website.
Tracking Tools
Tracking tools are ubiquitous on websites and collect reams of data, opening a number of rabbit holes that can undermine privacy. The impact is especially problematic in healthcare given the sensitivity of information about an individual’s health and conditions.
What is a tracking tool though? A tracking tool collects information about each individual visiting the site or using the application where it is embedded. The types of information collected are influenced by the nature of the tool. Information can be anonymous, identifiable, or a combination of the two.
Examples of tracking tools include cookies, web beacons, pixel trackers, and replay scripts. The aim of the tools is to gather information about the user to make a browsing or user experience more personalized or to learn what engagement approaches are effective.
The tracking tools may make the information collected available only to the person or entity using the tool or the information could also be fed back to whoever created the tracking tool or another third party. It is when information is sent to a third party that complications really arise for healthcare.
Are Tracking Tools an Actual Healthcare Problem?
The quick answer is a resounding yes. A couple of recent revelations underscore that fact.
A more recent example comes from an article on ProPublica about information being passed to Google by websites enabling access to abortion pills. As one would expect, individuals going to those websites are likely in an uncertain position and want their privacy protected. However, tools found on the websites included Google Analytics and advertising technologies. The tools gathered information about clicks, search terms used to find the particular website, and general location and device information. The information gathered could be used to identify individuals. Any of those outcomes would be unexpected and likely not welcome.
The other recent example (though already revealed over half a year ago) was rampant use of Meta Pixel, a tracking tool from Facebook, on both general public websites and inside login walls. In the Meta Pixel example, information was only going to one place, Facebook, but that is a big enough concern by itself.
Why is it a Problem in Healthcare?
The tracking tools may not be bad in isolation, but sharing information with third parties is certainly problematic. Hopefully, fingers really crossed, those in healthcare know that HIPAA sets out rules for the use and disclosure of protected health information (PHI). PHI can be generated and collected when an individual visits the website of an organization subject to HIPAA. Knowing what data could constitute PHI requires an assessment of each situation, but some are obvious, such as logging into a patient portal.
Going with an assumption that an organization is subject to HIPAA, then it must assess all of its operations for coverage under its HIPAA obligations. Part of operating in a compliant way is not using or disclosing PHI in a way not permitted by HIPAA. For tracking tools, that does not automatically mean the tracking cannot occur, but sharing the data may not be ok or a business associate agreement may be required. Unfortunately, many common tracking tools probably are not set up to comply with HIPAA and either will not sign a business associate agreement or could just pay lip service to requirements, which is almost worse than just saying no.
Given all of those intersecting requirements, if one link in the chain is missing, then problems can easily arise and snowball. The snowball will quickly get bigger when the issues are not under consideration and actions are taken before a full assessment occurs. For a bit more detail on the interaction of HIPAA and tracking tools, the Office for Civil Rights published guidance on the topic in December 2022.
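One concrete starting point for that assessment is an inventory of which third-party tags a page actually loads, particularly on pages behind a patient-portal login. The following is an added example, not code from the article or from Carium; the tracker host list and the sample portal HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the tools named in the article load from (assumed list; extend for your own audit).
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel (script)",
    "www.facebook.com": "Meta Pixel (image beacon)",
}

class TrackerFinder(HTMLParser):
    """Collect (tag, src, vendor) for script/img/iframe sources served from tracker hosts."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        # Relative URLs have no host and are first-party, so they are never flagged.
        host = (urlparse(src).hostname or "").lower()
        vendor = TRACKER_HOSTS.get(host)
        if vendor:
            self.findings.append((tag, src, vendor))

def find_trackers(html: str) -> list:
    """Return every third-party tracker reference found in the page HTML."""
    parser = TrackerFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a page behind a patient-portal login carrying GA and Meta Pixel tags.
SAMPLE_PORTAL_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/static/portal.js"></script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=EXAMPLE&amp;ev=PageView&amp;noscript=1"/></noscript>
<img src="/images/logo.png">
</body></html>"""

if __name__ == "__main__":
    for tag, src, vendor in find_trackers(SAMPLE_PORTAL_HTML):
        print(f"{vendor}: <{tag} src={src}>")
```

Running the same check against each page of a portal, including pages only reachable after login, gives the list of vendors that would need a business associate agreement or removal.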
The Privacy Gaps
Going with an assumption that organizations will comply with HIPAA when implementing tracking technologies (this is acknowledged to be a big and likely misplaced assumption), there is still a lot of room where sensitive healthcare information can leak out. Online pharmacies providing access to abortion pills are a good illustration. The websites have not been assessed in depth, but a cursory review finds suggestions that the prescriptions, in some cases, are offered on a direct to consumer (DTC) basis. On a DTC basis, individuals pay out of pocket for the service without using insurance. That means the online pharmacy could be outside the normal healthcare flow of billing insurance.
Why is being outside the insurance world important? It is important because it factors into whether a healthcare organization is a covered entity subject to HIPAA. To be a covered entity, a healthcare provider must also transmit healthcare information electronically in a transaction covered by HIPAA, which usually means billing insurance. If an organization only collects payment directly from an individual, then there is a good chance the entity is not subject to HIPAA. If the entity is not subject to HIPAA, then any privacy protection will rest on the good intentions of the organization or on state law, if there is an applicable state law. Taking the easier analytical approach of saying that no state privacy law exists, the organization can essentially do whatever it wants with any data collected, at least if a privacy policy gives bare notice of what could happen. If an organization violates its own stated privacy policy, then a claim could be brought by the Federal Trade Commission.
Reliance on the good intentions of an organization can feel risky to individuals and that is why data are often shared in surprising ways. The gap yet again underscores the need to revisit the scope of privacy regulations and how healthcare services have evolved beyond the original scope contemplated for HIPAA.
Where Will We Go?
Unless or until new legislation is passed or regulations are adopted, better attention must be paid to the tools used in constructing or running services, and to thinking through the permutations of how data are affected. Blindly assuming that there will be no problems is naive and will lead to breaches, anger, and mistrust. The narrative can be changed, but only with well thought out plans that take privacy seriously.
This article was originally published on The Pulse blog and is republished here with permission.