Steps to Take in Response to OCR Guidance on Online Tracking
The Office for Civil Rights’ (OCR’s) updated guidance on HIPAA and online tracking technologies leaves many questions, but covered entities should take certain steps now. Kristen Rosati, JD, and Erin Dunlap, JD, attorneys with the law firm of Coppersmith Brockelman in Phoenix, jointly offer these recommendations for HIPAA-covered entities:
- Take a deep breath. Most HIPAA-regulated entities and other organizations that handle health information are dealing with this issue. Your challenges are shared by many others, so solutions will be found.
- Initiate an internal investigation — under attorney-client privilege — to determine what online tracking your organization uses on its websites and apps. The investigation should determine precisely what data are being sent to which online tracking vendors, and from which pages or app screens.
- Get HIPAA business associate agreements in place with any online tracking vendors that are obtaining protected health information (PHI).
- If your organization is (or was) sending PHI to online tracking vendors without a HIPAA business associate agreement in place, conduct a HIPAA breach reporting risk analysis and document whether there is a reporting obligation under HIPAA.
- If your organization is subject to the Federal Trade Commission’s (FTC’s) Health Breach Notification Rule at 16 C.F.R. Part 318, determine whether there is a reporting obligation under that rule.
- If your organization is subject to a state breach notification law, evaluate whether there is a reporting obligation under that law.
- If the current use of online tracking is not consistent with the law, develop a detailed work plan to remediate such use. Consider the use of a customer data platform vendor that de-identifies data before sending it to online tracking vendors, but do a close examination of the services to make sure it is the right fit before engaging the vendor.
- Develop an internal policy on the use of online tracking. It will help in an OCR, FTC, or state attorney general investigation to demonstrate that your organization is taking steps to address the use of online tracking systematically.
- Make sure you understand the current privacy law landscape, including which laws apply to your organization, before responding to questions from your cyber liability insurer. Cybersecurity insurers also may want to know whether your use of online tracking technology has been reviewed by an attorney. In responding, do not describe the actual advice provided, or you may waive attorney-client privilege.
- Keep an eye out for developments, particularly what happens in response to the American Hospital Association lawsuit in the next few months. The courts may eventually require OCR to undertake a formal rule-making process to conform to the Administrative Procedure Act.