
FTC and HHS Guidance for Online Tracking Technologies by HIPAA Covered Entities and Business Associates

On December 1, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a bulletin, "Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates," on the use of tracking technologies by entities regulated under the Health Insurance Portability and Accountability Act (HIPAA). The bulletin addresses cookies, web beacons and tracking pixels, session replay scripts, fingerprinting scripts, and tracking code embedded in mobile apps.

The bulletin emphasizes that regulated entities may not use tracking technologies in a way that results in impermissible disclosures of protected health information (PHI) to tracking vendors under the Privacy Rule. A disclosure of PHI to a tracking vendor is permitted only where the vendor is a business associate operating under a business associate agreement (BAA), or where the individual has signed a valid HIPAA authorization. A website banner asking visitors to accept cookies, or a statement in a privacy policy, does not constitute a valid authorization.

The bulletin also highlights that any electronic PHI collected through tracking technologies falls under the Security Rule and must be protected against unauthorized access, use, or disclosure with appropriate safeguards such as encryption, access controls, and monitoring. An impermissible disclosure of PHI to a tracking vendor is a breach, and the Breach Notification Rule then requires notifying the affected individuals, HHS and, where applicable, the media.

In addition, the bulletin addresses where tracking technologies are likely to collect PHI:

  • Tracking on user-authenticated webpages (patient portals, telehealth platforms): information collected by tracking technologies on these pages is generally PHI, because the visitor is an identified patient or plan member. Tracking vendors must be business associates under a BAA, or the tracking must not be used at all.
  • Tracking on unauthenticated webpages: information collected here is generally not PHI, but it can be. Examples are a login or registration page, or a page about a specific health condition or provider, where the tracker collects identifying information such as an IP address or email address.
  • Tracking within mobile apps: information a regulated entity's own app collects and sends to a tracking vendor is PHI. Apps offered by entities that are not regulated under HIPAA are outside the bulletin's scope, although they may still be subject to FTC rules.
  • Third-party tracking vendors: regulated entities must confirm that any vendor receiving PHI has signed a BAA, or must obtain a valid authorization from each individual before the disclosure occurs.

While the guidance itself is not new, the details of the $7.8 million settlement announced against BetterHelp yesterday, March 2, 2023, signal a shift in enforcement, this time by the Federal Trade Commission (FTC) rather than HHS:

“The Federal Trade Commission has issued a proposed order banning online counseling service BetterHelp, Inc. from sharing consumers’ health data, including sensitive information about mental health challenges, for advertising. The proposed order also requires the company to pay $7.8 million to consumers to settle charges that it revealed consumers’ sensitive data with third parties such as Facebook and Snapchat for advertising after promising to keep such data private.” 1

Until now there had been some ambiguity about what constitutes PHI and PII (Protected Health Information and Personally Identifiable Information) in the context of a website or app. The clearest illustration is the following:

If a person visits a covered entity's informational page about pregnancy, and the entity's tracking technology collects information such as the visitor's IP address, email address, or location data, that information is treated as PHI and is covered by HIPAA's Privacy Rule. This holds even if the visitor has no existing relationship with the covered entity and never receives care from it.

This is a significant change from how HHS guidance had previously been understood and enforced. Organizations in the healthcare vertical should therefore inventory every web and mobile application for tracking technology, determine what each tracker collects and where it sends it, and evaluate whether that data flow violates the HHS guidance.

SecurIT360 has put together a package that assists covered entities in evaluating the compliance, reputational, and technical risk associated with tracking technology across their application portfolio.

This approach can be summarized as follows:

  • Perform an in-depth technical analysis of the HHS guidance for HIPAA-covered entities.
    • Tracking on user-authenticated webpages
    • Tracking on unauthenticated webpages
    • Tracking within mobile apps
    • HIPAA compliance obligations for regulated entities when using tracking technologies
  • Establish a testing protocol that evaluates those requirements in addition to standard web security testing (OWASP WSTG v4.2).
  • Create a project plan for the execution of this testing protocol as it is applied to all domains in scope.
  • Perform testing.
  • Present a comprehensive technical report that outlines detailed risk and remediation for issues found.
  • Assist with establishing a remediation plan.
  • Perform validation of remediation.
  • Issue a final report reflecting the residual risk after remediation.
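The technical core of such a testing protocol is evidence of where each page actually sends data, which is most reliably captured as a HAR file from the browser while authenticated and unauthenticated pages are exercised. The following script is an added example of how that capture can be triaged; it is not SecurIT360's tooling and not part of the HHS guidance. It assumes a hypothetical first-party domain (patientportal.example.org), a hypothetical authenticated path prefix (/portal/), a small illustrative list of tracker domains, and a constructed four-entry HAR embedded inline. It flags every third-party request, names the vendor where known, reports query or POST parameters that carry the first-party page URL or an identifier, notes whether cookies accompany the request, and marks requests that originate from an authenticated page.

```python
"""Triage third-party tracking calls in a HAR capture (added example, not the page's own code)."""
import json
from urllib.parse import urlparse, parse_qsl

# Hypothetical first-party domain and authenticated path prefixes (assumptions).
FIRST_PARTY = "patientportal.example.org"
AUTHENTICATED_PREFIXES = ("/portal/",)

# Well-known tracking endpoints, keyed by registered domain. Illustrative, not exhaustive.
KNOWN_TRACKERS = {
    "facebook.com": "Meta Pixel",
    "facebook.net": "Meta Pixel",
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Tag Manager",
    "doubleclick.net": "Google Ads",
    "snapchat.com": "Snap Pixel",
    "sc-static.net": "Snap Pixel",
}

# Parameter names through which common pixels carry the page URL, the referrer,
# or (hashed) user identifiers; names taken from public pixel documentation.
SENSITIVE_PARAMS = {"dl", "dr", "rl", "em", "ud[em]", "ud[ph]", "ud[fn]", "ud[ln]",
                    "external_id", "uid", "email", "phone"}


def registered_domain(host):
    """Crude eTLD+1 (last two labels). A production tool should use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_third_party(host):
    return registered_domain(host) != registered_domain(FIRST_PARTY)


def vendor_for(host):
    return KNOWN_TRACKERS.get(registered_domain(host), "unclassified third party")


def referer_of(entry):
    for header in entry["request"].get("headers", []):
        if header["name"].lower() == "referer":
            return header["value"]
    return ""


def leaked_fields(entry):
    """Return (name, value) pairs that carry a first-party URL or a known identifier field."""
    req = entry["request"]
    params = parse_qsl(urlparse(req["url"]).query, keep_blank_values=True)
    post = req.get("postData") or {}
    if post.get("text"):  # form-encoded beacon bodies are parsed the same way
        params += parse_qsl(post["text"], keep_blank_values=True)
    return [(name, value) for name, value in params
            if name in SENSITIVE_PARAMS or FIRST_PARTY in value]


def analyze_har(har):
    """One finding per third-party request; first-party requests are skipped."""
    findings = []
    for entry in har["log"]["entries"]:
        url = urlparse(entry["request"]["url"])
        host = url.hostname or ""
        if not is_third_party(host):
            continue
        page_path = urlparse(referer_of(entry)).path
        findings.append({
            "endpoint": f"{host}{url.path}",
            "vendor": vendor_for(host),
            "leaked": leaked_fields(entry),
            "sends_cookies": bool(entry["request"].get("cookies")),
            "from_authenticated_page": page_path.startswith(AUTHENTICATED_PREFIXES),
        })
    return findings


# Constructed HAR excerpt (only the fields the script reads), not a real capture.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "headers": [], "cookies": [],
                 "url": "https://patientportal.example.org/conditions/pregnancy"}},
    {"request": {"method": "GET",
                 "url": "https://www.facebook.com/tr?id=1234567890&ev=PageView"
                        "&dl=https%3A%2F%2Fpatientportal.example.org%2Fconditions%2Fpregnancy",
                 "headers": [{"name": "Referer",
                              "value": "https://patientportal.example.org/conditions/pregnancy"}],
                 "cookies": [{"name": "_fbp", "value": "fb.1.1700000000000.123456789"}]}},
    {"request": {"method": "POST",
                 "url": "https://www.google-analytics.com/g/collect?v=2&tid=G-ABC123",
                 "headers": [{"name": "Referer",
                              "value": "https://patientportal.example.org/portal/appointments"}],
                 "cookies": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "dl=https%3A%2F%2Fpatientportal.example.org%2Fportal%2Fappointments"
                                      "&uid=MRN00012345"}}},
    {"request": {"method": "GET", "headers": [], "cookies": [],
                 "url": "https://static.cdn-example.net/app.js"}},
]}}

if __name__ == "__main__":
    print(json.dumps(analyze_har(SAMPLE_HAR), indent=2))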

For reference, we have included some additional scenarios that this approach both discovers and resolves. They apply equally to web trackers and to systems that track the physical location of patients or staff:

  • Unauthorized access to PHI: a tracking system that records the location or activity of individuals in a healthcare setting holds PHI. If it is not properly secured, unauthorized individuals could gain access to that data.
  • Unintentional disclosure of PHI: a misconfigured tracking system could display PHI in a public area, or send it to third parties who have no business associate agreement with the organization.
  • Improper disposal of PHI: data collected by tracking technology must be disposed of like any other PHI. If the system, its logs, or its exports are decommissioned without proper sanitization, the PHI remains accessible to unauthorized individuals.
  • Use of PHI for marketing purposes: if data collected through tracking technology is used for marketing without a valid HIPAA authorization, that use is a violation of HIPAA. The BetterHelp order above is the current reference case for the consequences.
  • Failure to obtain proper consent: individuals must be informed of the collection and of their rights, and a valid authorization must be obtained before PHI collected through tracking technology may be used or disclosed for purposes the Privacy Rule does not otherwise permit.




Is the healthcare industry a target?

Many of the clients we work with are either medical service providers or vendors to medical service providers.  If they create, transmit or store patient data, they are a covered entity or a business associate and are therefore obligated to comply with HIPAA.  What we often find is that clients are under the impression that HIPAA provides a set of specific instructions for how to secure a network and protect data.  What they discover is that there is no yellow brick road leading to compliance.  HIPAA lays out the results that information security efforts are expected to achieve; the client has to build the road to those results.

Often the mindset is: we aren't really a target like the financial industry or retailers, so we just need to make sure we don't do something careless and lose our data.  That mindset no longer holds.  A recent CNN article sheds light on why the healthcare industry, and medical records in particular, may become a much more lucrative target for data exfiltration.  According to many sources, stolen credit card numbers typically fetch $1 to $2 each on the black market, occasionally up to $100 depending on the metadata that accompanies them.  Many are unreliable, and it can take hundreds or thousands of them to see any profit.  Medical records, on the other hand, fetch around $50 per record, according to MedPage Today.  For perspective, Target lost approximately 40 million credit card records in its initial breach.  At black-market prices the stolen data could be worth up to $40 million.  The real figure would be lower because of duplicate records, expired cards, fraud protections and other factors, and because extensive systems exist both to block the use of stolen card data and to track down anyone who attempts to use it.

Why are medical records worth so much, and what can an attacker do with them?  According to CNN and other sources, they can be used to fraudulently bill programs such as Medicare, and to impersonate patients in order to obtain prescriptions for resale.

Consider a fictitious scenario in which medical records are stolen from a hospital network.  At $50 per record it would take only 800,000 records, rather than 40 million, to reach $40 million in potential value.  Those records are also more reliable for the attacker, because they can be used against an industry that has yet to fully adopt modern security practices and fraud checks.  Beyond defrauding the government, the CNN article notes that such records can leave patients liable for charges.  Where credit card issuers forgive fraudulent charges, no equivalent protection exists for patients, and these situations can become quite complicated.

Time and again we find that healthcare organizations are behind on even standard security practices.  Gone are the days when the healthcare industry needed protection only from its own mistakes; it now faces a real threat from malicious actors.  It holds very valuable information, and unless controls are put in place to protect it, organizations will quickly find themselves further and further behind the curve in protecting their information and their patients.  Do you know where your organization stands on IT security and compliance?