Long before HIPAA laws were enacted, physicians were taking an oath to treat patients with dignity and respect. Many medical schools still administer a form of the Hippocratic oath to express their dedication to ethical behavior and patient-centered care.[1] Even in the age of digital health, a portion of the classical version of the ancient oath remains relevant to patient privacy:
“What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about.”[1]
Surveys of Americans’ concerns about online tracking and data collection suggest that medical practices should be concerned about patient privacy not just on a compliance level, but also for its potential impact on patient experience. A May 2023 Pew Research survey, for example, found that 81% of American adults are somewhat or very concerned about how companies in general use the data they collect about them, and 67% have little to no understanding of how that data is used.[2] With important aspects of a medical practice’s patient-facing business (e.g., appointment scheduling, patient messaging, test results, health reminders) increasingly accessible through websites and apps—including patient portals—this concern and uncertainty could extend to patients of these practices.
As a result, practices’ concern about securing personal health information (PHI)—including “information about an individual’s past, present, or future health, healthcare, or payment for healthcare”[3]—has greatly expanded. Security now involves more than simply ensuring that only authorized persons have access to the medical records room. The personal information of patients is now exposed on websites and on connected mHealth apps and devices offered by medical practices. As the share of patients accessing these portals increases (from 54% in 2017 to 79% in 2022)[4], so too does the exposure footprint.
With this increased exposure, government privacy regulation is also increasing. In 2020, the California Privacy Rights Act (CPRA) amended the earlier California Consumer Privacy Act (CCPA) to provide California residents with additional rights regarding knowing, opting out of, and limiting the personal information businesses collect on them, as well as correcting and deleting that data. It also requires businesses subject to the CCPA to honor those rights and provide mechanisms for users to exercise them.[5] Since then, sixteen additional states have passed similarly comprehensive consumer privacy laws, and many others are considering such legislation.[6]
The Privacy Concerns of Online Tracking and Analytics
The most obvious aspect of securing PHI in websites or apps is controlling access to patient portals, granting access only to authorized individuals for each patient record. However, practices may not be considering another, more mundane, element of their online footprint that could put them in jeopardy of a HIPAA privacy violation: website analytics and tracking.[3]
In a joint letter in July 2023 to 130 hospital systems and telehealth providers, the U.S. Department of Health and Human Services Office for Civil Rights and the Federal Trade Commission Bureau of Consumer Protection warned these entities of “the privacy and security risks related to the use of online tracking technologies integrated into their websites or mobile apps”[7] that could expose PHI to unauthorized third parties. While these technologies (such as cookies, tracking pixels, and browser fingerprinting scripts) can be used to analyze app and website performance and general engagement, third parties like Facebook, Google, and others may also use them to track users’ online activities even after they leave the original website.[3]
Such tracking technologies collect information about users, “usually without their knowledge and in ways that are hard for users to avoid.”[7] If the data mining involves PHI, it could be considered an impermissible disclosure under the HIPAA Rules[3] or a security breach under the FTC’s Health Breach Notification Rule.[7] Violations of the FTC’s Children’s Online Privacy Protection Rule (“COPPA”)[7] are also possible if your practice offers minors access to certain online tools that collect personal information.[8] And, according to ProAssurance Senior Legal Counsel Andrea Koehler, “It’s important to remember that PHI includes health information paired with identifiers such as website URLs (universal resource locators) and IP (internet protocol) addresses, which may be collected by tracking technologies.”
Strategies for Protecting Patient Privacy in the Digital Practice
In order to stay compliant with HIPAA and other privacy regulations, practices need to be certain of who is collecting PHI on their websites and apps (including digital identifiers such as URLs and IP addresses connected to a patient’s health information) and what safeguards are in place to prevent impermissible disclosure.
Consider conducting an Information Privacy “Annual Exam” and documenting the results for compliance auditing:
- Contact your corporate attorney to help ensure compliance with regulatory requirements.
- Audit your technology—including services provided by third-party vendors:
  - Understand which systems collect or provide access to PHI or use tracking technology such as pixel tracking, cookies, and other technologies capable of doing so. These may include the following systems, among others:
    - Web content management systems
    - Web analytics systems (Google Analytics and others)
    - Email systems
    - Advertising platforms
    - Patient portals
    - Back-office systems for billing and insurance
  - Document the results of your audit:
    - Discuss recommendations for correcting deficiencies with your corporate attorney or a ProAssurance Risk Management Consultant.
    - Document an action plan to address the recommendations.
- Educate staff members on the importance of patient privacy, HIPAA regulations, and the risks associated with online tracking, analytics, and third-party data usage.
- Obtain explicit consent from patients before sharing their data for analytics or with third parties, adhering to HIPAA's requirements for patient authorization.
- Ensure that digital systems secure (encrypt and control access to) the PHI they collect.
- Confirm that digital systems have appropriate controls to enable access to PHI only by authorized individuals for permitted purposes.
- Ensure that your practice has a business associate agreement compliant with HIPAA and all applicable laws and regulations for any third party to which you disclose PHI.
- Implement strict data-sharing agreements with vendors.
- Clinicians treating adolescent patients should be familiar with state and federal medical information privacy laws as they relate to adolescent healthcare.
- Develop clear policies and protocols for appropriately protecting confidential adolescent health information.
- Establish clear data retention policies for e-mail communications and patient portal interactions to ensure that patient information is retained only for as long as necessary and is securely disposed of when no longer needed. Refer to federal and state requirements.
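As an added illustration of the technology-audit step above (this is example code written for this page, not ProAssurance's code or a tool from the article), the following Python script parses a page's HTML and lists every third-party origin the visitor's browser is made to contact; the sample page, the practice domain `portal.example-practice.org`, and all hosts other than the two vendor tracker domains named in the article are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for a fictional practice portal; only the two
# tracker hosts (Google Tag Manager, Meta pixel) are real vendor domains.
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://fonts.example-cdn.net/style.css">
</head><body>
<img src="https://www.facebook.com/tr?id=PLACEHOLDER&ev=PageView" width="1" height="1">
<img src="/images/logo.png">
<iframe src="https://video.example-host.com/embed/intro"></iframe>
</body></html>"""

# Tag/attribute pairs whose URL the browser fetches while loading the page.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = LOADING_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)

def third_party_origins(html, first_party_host):
    """Sorted origins of loaded resources not served by first_party_host.
    Each one receives at least the visitor's IP address and, usually, the page
    URL via the Referer header: the identifiers the article notes can make a
    portal request PHI when the page relates to a patient's care."""
    collector = ResourceCollector()
    collector.feed(html)
    origins = set()
    for url in collector.urls:
        parsed = urlparse(url)
        if not parsed.netloc:  # relative URL: served by the practice itself
            continue
        host = parsed.netloc.lower()
        if host == first_party_host or host.endswith("." + first_party_host):
            continue
        origins.add(f"{parsed.scheme or 'https'}://{host}")
    return sorted(origins)

if __name__ == "__main__":
    for origin in third_party_origins(SAMPLE_HTML, "portal.example-practice.org"):
        print("third-party origin:", origin)
```

Every origin the script lists is a candidate for the business associate agreement and data-sharing review items in the checklist, since each one is a party that receives visitor identifiers from the practice's pages.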
Contact a ProAssurance Risk Management consultant for additional assistance or questions related to patient privacy, HIPAA compliance, or other concerns at 844-223-9648 (toll free) or RiskAdvisor@ProAssurance.com.
Further Reading
See the references below and these additional resources.
ProAssurance Risk Management
- Risk Management Guidelines for Physicians: “Protected Health Records”
- Claims Rx: “Adolescents: Medical Information Privacy and Consent for Treatment” (PDF)
- Best Practices: “HIPAA, HITECH, and Confidentiality Risks When Texting in Healthcare”
Additional Resources
- U.S. Department of Health and Human Services, Office for Civil Rights
- The Office of the National Coordinator for Health Information Technology (ONC): “Security Risk Assessment Tool”
- Federal Trade Commission, Office of Technology. “Lurking Beneath the Surface: Hidden Impacts of Pixel Tracking”
- Journal of Adolescent Health. “Confidentiality Protections for Adolescents and Young Adults in the Health Care Billing and Insurance Claims Process”
- gov: Official Website of The Office of the National Coordinator for Health Information Technology (ONC)
- National Institute of Standards and Technology (NIST)
References
1. Peter Tyson. “The Hippocratic Oath Today.” Nova. March 26, 2001.
2. Colleen McClain, Michelle Faverio, et al. “How Americans View Data Privacy.” Pew Research Center. October 18, 2023.
3. Office for Civil Rights. “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” U.S. Department of Health and Human Services. Content last reviewed March 18, 2024.
4. Catherine Strawley and Chelsea Richwine. “Individuals’ Access and Use of Patient Portals and Smartphone Health Apps, 2022.” ONC Data Brief No. 69. Office of the National Coordinator for Health Information Technology. October 2023.
5. California Privacy Protection Agency. “Frequently Asked Questions (FAQs).”
6. Andrew Folks. “US State Privacy Legislation Tracker.” International Association of Privacy Professionals. Last updated May 20, 2024.
7. Federal Trade Commission. “FTC and HHS Warn Hospital Systems and Telehealth Providers about Privacy and Security Risks from Online Tracking Technologies.” July 20, 2023.
8. Lesley Fair. “When It Comes To Health Data, Comply With COPPA – No Kidding.” Federal Trade Commission. March 4, 2022.