Home Health & Hospice Week

HIPAA:

Check Out New HIPAA Guidance To Ensure Compliance

OCR takes on website privacy in more detail.

Add a couple of year-end HIPAA regulations to your compliance planning checklist.

The HHS Office for Civil Rights offers fresh guidance on tracking technologies and applications.

Even before the pandemic pushed more provider-patient interaction online, tracking technology and remote monitoring were becoming helpful tools for covered entities (CEs) everywhere. Unfortunately, impermissible disclosures are major HIPAA no-nos, and regulated entities, meaning CEs and their business associates (BAs), need to keep their data sharing practices via apps within the law lest they risk violating HIPAA, an OCR release warns.

“Some regulated entities regularly share electronic protected health information (ePHI) with online tracking technology vendors and some may be doing so in a manner that violates the HIPAA Rules,” OCR cautions. “The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes ePHI. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules,” the agency reminds.

Details: On Dec. 1, OCR issued a bulletin to address concerns and offer clarity on the intersection of the Rules and tracking technology. In the bulletin, OCR defines tracking technology as “a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app.” Additionally, the agency warns CEs and BAs that the critical information both garnered and exchanged through the applications can be misused and put to a variety of nefarious purposes from identity theft to harassment.

Most individually identifiable health information (IIHI) constitutes PHI/ePHI, but whether HIPAA factors into the equation depends on the type of web page or application used — and that might precipitate a business associate agreement (BAA) since PHI is being used and disclosed, according to OCR. Examples would include logging on for a telehealth visit or accessing health information on a clinical app. In these cases, both the CE and the vendor are liable if ePHI is breached.

Conversely, “public facing websites that do not require users to provide login information generally do not track user PHI,” explain attorneys N. Bradford Wells and Jeff Knight with law firm Bricker & Eckler in online legal analysis. “Thus user data tracked is not subject to HIPAA regulations, however some exceptions do apply,” Wells and Knight say.

For example, an unauthenticated webpage like an agency website, which prompts a patient to register via a portal, would fall under the confines of HIPAA. Registered entities’ websites that track when people search symptoms or health conditions, or that allow patients to search for available appointments also fall under the mantle of HIPAA, OCR indicates.

“Providers, health plans, and HIPAA-regulated entities, including technology platforms, must follow the law. This means considering the risks to patients’ health information when using tracking technologies,” cautions OCR Director Melanie Fontes Rainer in a release.

Resource: Find more details on the OCR guidance on tracking technology and read the bulletin at www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html.

Feds Want To Improve Care Coordination For SUD Treatment

Caring for patients struggling with substance use disorder (SUD) can be complicated. In a proposed rule published in the Federal Register on Dec. 2, OCR focuses on improving care and bolstering privacy. The agency is proposing to revise the Confidentiality of Substance Use Disorder Patient Records (42 CFR, Part 2) under HIPAA to align with CARES Act provisions.

“One of SAMHSA’s priorities is working to make effective treatments and recovery supports for SUD more accessible to all Americans,” explains Miriam E. Delphin-Rittmon, HHS assistant secretary for Mental Health and Substance Use and the leader of Substance Abuse and Mental Health Services Administration (SAMHSA), in a release. “Bringing Part 2 requirements into closer alignment with HIPAA will support more effective coordination for people accessing care. At the same time, the proposed rule mitigates the discrimination and stigma that we know too often people with SUDs experience.”

Nuts and bolts: Under the rule, OCR moves to reconfigure the current requirements of Part 2 of 42 CFR to better “safeguard the health and outcomes of individuals with SUD and create greater flexibility for information sharing” as outlined in the CARES Act, the release says.

Several proposals are on the table, but a few stand out. Here are two areas to keep an eye on:

1. Consent: OCR aims to streamline the process for “single prior consent signed by the patient for all future uses and disclosures for treatment, payment, and health care operations,” an OCR fact sheet says.

“Part 2 programs will be able to obtain a single consent from a patient that permits disclosure for all future [treatment, payment, and health care operations] TPO uses and disclosures,” explain attorneys Jennifer J. Hennessy, Adam J. Hepworth, Sunny J. Levine, and Aaron T. Maguregui with law firm Foley & Lardner in online legal analysis. “The proposed rule will allow patients flexibility when identifying recipients,” the Foley & Lardner attorneys note.

2. Enforcement: A myriad of enforcement-related provisions are in the rule. Highlights include the following, according to the fact sheet:

  • Mandating disclosures to HHS for enforcement purposes.
  • “Apply[ing] HIPAA and HITECH Act civil and criminal penalties to Part 2 violations.”
  • Requiring providers to establish a complaint process for patients.
  • Banning Part 2 programs from “taking action against patients who file complaints.”

Resources: Review the rule at www.govinfo.gov/content/pkg/FR-2022-12-02/pdf/2022-25784.pdf and the OCR fact sheet at www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/hipaa-part-2/index.html.
