The Federal Trade Commission joined the U.S. Health and Human Services Office for Civil Rights this week in reminding healthcare organizations about their responsibilities for third-party disclosures of protected health information under HIPAA, the FTC Act and the FTC Health Breach Notification Rule.
WHY IT MATTERS
While OCR has addressed the privacy and security risks related to healthcare organizations that knowingly or unknowingly use third-party tracking tools that can analyze, collect and share sensitive medical data with advertising partners under HIPAA, the FTC is also using its authority to protect consumers’ health information from “potential misuse and exploitation.”
“These tracking technologies gather identifiable information about users, usually without their knowledge and in ways that are hard for users to avoid, as users interact with a website or mobile app,” the agencies said in their announcement about the joint letter, posted on the HHS website, on Thursday.
They go on to describe how integrated tools on hospital and telemedicine websites can not only send PHI directly back, but third parties like Google and Meta/Facebook may continue to track and gather information about patients even after they navigate away.
Several lawsuits allege that online tracking companies share PHI with their advertising partners, which target the patient with ads and other content. The class action lawsuits may also seek that any profit that hospitals may have made from selling the data be paid to patient victims, damages which some Louisiana hospitals may be facing.
The letter reiterates that HIPAA Rules apply when the information that a regulated entity collects through tracking technologies or discloses to third parties (e.g., tracking technology vendors) includes PHI.
In December 2022, OCR released a bulletin about the use of online tracking technologies by HIPAA-regulated entities that provides a general overview of how the HIPAA Rules apply.
The FTC adds a warning about consumer protection laws.
“Even if you are not covered by HIPAA, you still have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule.”
“This is true even if you relied upon a third party to develop your website or mobile app and even if you do not use the information obtained through use of a tracking technology for any marketing purposes.”
THE LARGER TREND
When OCR issued guidance on the use of online tracking tools, it reminded regulated entities of their obligations to comply with HIPAA’s Privacy, Security and Breach Notification Rules and explained what steps healthcare organizations and others must take to protect PHI on user-authenticated and other applicable webpages and forms.
“In these circumstances, regulated entities must ensure that the disclosures made to such vendors are permitted by the privacy rule and enter into a business associate agreement with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules,” OCR said in the bulletin.
OCR said it continues to be concerned about disclosures of health information to third parties.
“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” Melanie Fontes Rainer, OCR’s director, said in a statement about the joint letter with the FTC.
ON THE RECORD
“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement.
“The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.