Governance & Risk Management, HIPAA/HITECH, Privacy
Hospital Lobbyists Press Senator on Online Tracking Limits
Sen. Bill Cassidy Considering Sector Feedback on Recent RFI
America's largest hospital lobbying group says Congress should pressure health regulators into retracting a warning sent to medical providers advising that online trackers embedded into patient portals could violate medical privacy law.
The American Hospital Association took a request from Sen. Bill Cassidy, R-La., for ideas on how to improve HIPAA as an opportunity to rail against the December 2022 bulletin.
Federal regulators published the missive after major health organizations, following patient backlash, began treating their use of web tracking code from Facebook and Google as a reportable data breach (see: HHS: Web Trackers in Patient Portals Violate HIPAA). Facebook also faces a putative class action lawsuit over its collection of data through its free tracker, called Pixel (see: Judge Gives Green Light to Meta Pixel Web Tracker Lawsuit).
"Congress should urge OCR to withdraw the rule immediately," the association told Cassidy, referring to the Office for Civil Rights within the Department of Health and Human Services.
Cassidy, the senior Republican on the Senate Health, Education, Labor and Pensions Committee and one of four physicians serving in the Senate, last month issued a request for information seeking input on a wide scope of health data privacy and security issues (see: US Senator Seeks Input on Ways to Protect Patient Privacy).
That included requesting feedback on whether HIPAA should be updated and issues pertaining to enforcement of the regulations; concerns around the collection of biometric, location and genetic data; and questions about the use of artificial intelligence involving patient data.
"We are pleased by the stakeholder engagement and the substantive feedback we've received in response to Senator Cassidy’s white paper," Ty Bofferding, Cassidy spokesman, told Information Security Media Group. "We are still reviewing the responses and evaluating potential policy options going forward."
The College of Healthcare Information Management Executives told Information Security Media Group it plans to raise with Cassidy concerns that some medical device manufacturers refuse to sign business associate agreements, despite their devices containing protected health information.
The Healthcare Information and Management Systems Society in its response to Cassidy called for consistent standards to protect all identifiable patient information: biometric, genetic, location and financial data. That's particularly an issue provoked by the rise of AI, HIMSS says. "Collecting data for training AI sometimes amounts to mixing an individual's data with others' data and seeing what happens," HIMSS wrote. "That ill-defined outcome conflicts with a person's ability to truly offer informed consent and a basic data governance principle of 'collecting data for a defined purpose.'"
The AHA in its response to Cassidy's request for information said the group particularly disagrees with OCR's stance that online tracking tools are subject to tight restrictions under HIPAA when they use or disclose an individual's IP address in combination with that individual's visit to a hospital's or other covered entity's webpage addressing specific medical conditions or healthcare providers.
This is not the first time that the Chicago-based organization - which has a strong presence in Washington, D.C. - has denounced the bulletin. In May, it wrote to HHS OCR urging that the agency amend or rescind web tracker guidance issued last December (see: AHA Tells HHS to 'Amend or Suspend' Web Tracking Guidance).
"Not only does this OCR rule violate HIPAA and its implementing regulations, but it inflicts meaningful harm on patients and public health," AHA wrote. A ban on the use of certain third-party tech tools would hinder hospitals from providing their communities reliable healthcare information, AHA said.
Regulatory attorney Rachel Rose said that while she agrees with some stakeholders that a complete HIPAA overhaul would be burdensome on hospitals, as well as other covered entities and business associates, she disagrees with others who argue that IP addresses do not fall under HIPAA. On the contrary, HIPAA enumerates 18 individually identifying factors, she said.
"Biometrics and IP addresses are expressly stated. Depending on the type of information that is being extracted from websites via pixels, it can put the pieces of the puzzle together and fit into the definition of PHI."
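The combination the OCR bulletin and Rose describe is mechanical: any third-party resource a portal page loads makes the visitor's browser send a request that carries the visitor's IP address, and tracker scripts typically add the page URL as a parameter, so a page about a specific condition discloses both pieces at once. The following audit script is an added example, not code from the article, AHA, HHS or any tracker vendor; it uses only the Python standard library to list the third-party hosts each page would contact. The tracker host list, inline-script fingerprints and the two sample pages are constructed for illustration.

```python
"""Audit hospital web pages for third-party tracking resources.

Added example: lists every third-party host a page would make the visitor's
browser contact. Each such request carries the visitor's IP address and,
via the tracker's own page-URL parameter (and the Referer header, subject to
referrer policy), the URL of the page visited. Host list, fingerprints and
sample pages are constructed assumptions for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames of well-known tracking endpoints (assumed list for the example).
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "www.google-analytics.com": "Google Analytics",
}

# Inline-script fingerprints of the same trackers (assumed patterns).
INLINE_PATTERNS = {
    "Meta Pixel": re.compile(r"\bfbq\s*\(\s*['\"]init['\"]"),
    "Google Analytics": re.compile(r"\bgtag\s*\(\s*['\"]config['\"]"),
}


class _ResourceCollector(HTMLParser):
    """Collect src targets and inline <script> bodies from one HTML page."""

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, src) for script/img/iframe elements
        self.inline = []     # text of inline <script> blocks
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"]))
        if tag == "script" and not a.get("src"):
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_third_party_trackers(page_url, html):
    """Return a sorted list of (vendor, host, tag) for third-party resources.

    Relative and same-host URLs are first-party and ignored; every other host
    receives the visitor's IP address when the page is rendered.
    """
    parser = _ResourceCollector()
    parser.feed(html)
    first_party = urlparse(page_url).hostname
    findings = set()
    for tag, src in parser.resources:
        host = urlparse(src).hostname  # None for relative URLs like /static/app.js
        if host is None or host == first_party:
            continue
        vendor = KNOWN_TRACKER_HOSTS.get(host, "unknown third party")
        findings.add((vendor, host, tag))
    for text in parser.inline:
        for vendor, pattern in INLINE_PATTERNS.items():
            if pattern.search(text):
                findings.add((vendor, "(inline script)", "script"))
    return sorted(findings)


# Constructed sample pages (not real hospital content): one condition-specific
# page that embeds trackers, and a home page that loads only first-party code.
SAMPLE_PAGES = {
    "https://portal.example-hospital.test/conditions/diabetes-care": """
<html><head>
<script src="/static/app.js"></script>
<script>
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/>
</body></html>""",
    "https://portal.example-hospital.test/": """
<html><head><script src="/static/app.js"></script></head><body>Welcome</body></html>""",
}


def audit(pages):
    """Map each page URL to its third-party tracker findings."""
    return {url: find_third_party_trackers(url, html) for url, html in pages.items()}


if __name__ == "__main__":
    for url, found in audit(SAMPLE_PAGES).items():
        print(url)
        for vendor, host, tag in found or [("no third-party resources", "-", "-")]:
            print(f"  {vendor:<28} {host:<30} <{tag}>")
```

Run against a crawl of a real portal, the script would replace `SAMPLE_PAGES` with fetched HTML; pages whose paths name a condition or provider and that show any non-empty finding are the ones the bulletin's reasoning applies to, and the `unknown third party` label flags hosts that need a business associate agreement review rather than an automatic pass.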