Review updates and enforcement to ensure your start 2023 off right. Over the last year, the lionshare of HIPAA-related news has been focused on Right of Access violations. But, as is often the case, the feds have dropped a couple of year-end updates to throw a wrench into your 2023 compliance planning. The HHS Office for Civil Rights (OCR) offers fresh guidance on tracking technologies and applications as well as releasing new proposals on the intersection of HIPAA privacy and substance use disorder (SUD). Read on for the scoop. Keep Tracking App Usage Aligned With the HIPAA Rules Even before the pandemic pushed more provider-patient interaction online, tracking technology and remote monitoring were becoming a helpful tool for covered entities (CEs) everywhere. Unfortunately, impermissible disclosures are major HIPAA no-nos and regulated entities — CEs and their business associates (BAs) — need to keep their data sharing practices via apps within the law lest they risk violating HIPAA, an OCR release warns. “Some regulated entities regularly share electronic protected health information (ePHI) with online tracking technology vendors and some may be doing so in a manner that violates the HIPAA Rules,” OCR cautions. “The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes ePHI. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules,” the agency reminds.
Details: On Dec. 1, OCR issued a bulletin to address concerns and offer clarity on the intersection of the Rules and tracking technology. In the bulletin, OCR defines tracking technology as “a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app.” Additionally, the agency warns CEs and BAs that the critical information both garnered and exchanged through the applications can be misused and put to a variety of nefarious purposes from identity theft to harassment. Most individually identifiable health information (IIHI) constitutes PHI/ePHI, but whether HIPAA factors into the equation depends on the type of web page or application used — and that might precipitate a business associate agreement (BAA) since PHI is being used and disclosed, according to OCR. Examples would include logging on for a telehealth visit or accessing health information on a clinical app. In these cases, both the CE and the vendor are liable if ePHI is breached. On the converse, “public facing websites that do not require users to provide login information generally do not track user PHI,” explain attorneys N. Bradford Wells and Jeff Knight with law firm Bricker & Eckler LLP in online legal analysis. “Thus user data tracked is not subject to HIPAA regulations, however some exceptions do apply,” Wells and Knight say. For example, an unauthenticated webpage like a practice website, which prompts a patient to register via a portal, would fall under the confines of HIPAA. Registered entities’ websites that track when people search symptoms or health conditions, or that allow patients to search for available appointments also fall under the mantle of HIPAA, OCR indicates.
“Providers, health plans, and HIPAA-regulated entities, including technology platforms, must follow the law. This means considering the risks to patients’ health information when using tracking technologies,” cautions OCR Director Melanie Fontes Rainer in a release. Resource: You can find more details on the OCR guidance on tracking technology and read the bulletin at www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html. Feds Want to Improve Care Coordination for SUD Treatment Caring for patients struggling with SUD can be complicated. In a new notice of proposed rulemaking (NPRM) published in the Federal Register on Dec. 2, OCR focuses on improving care and bolstering privacy. The agency is proposing to revise the Confidentiality of Substance Use Disorder Patient Records (42 CFR, Part 2) under HIPAA to align with CARES Act provisions. “One of SAMHSA’s priorities is working to make effective treatments and recovery supports for SUD more accessible to all Americans,” explains Miriam E. Delphin-Rittmon, PhD, HHS assistant secretary for Mental Health and Substance Use and the leader of Substance Abuse and Mental Health Services Administration (SAMHSA) in a release. “Bringing Part 2 requirements into closer alignment with HIPAA will support more effective coordination for people accessing care. At the same time, the proposed rule mitigates the discrimination and stigma that we know too often people with SUDs experience.” Nuts and bolts: Under the NPRM, OCR moves to reconfigure the current requirements of Part 2 of 42 CFR to better “safeguard the health and outcomes of individuals with SUD and create greater flexibility for information sharing” as outlined in the CARES Act, the release says. There are several proposals on the table, but a few stand out. Here are two areas to keep an eye on: 1. Consent: OCR aims to streamline the process for “single prior consent signed by the patient for all future uses and disclosures for treatment, payment, and health care operations,” an OCR fact sheet says. “Part 2 programs will be able to obtain a single consent from a patient that permits disclosure for all future [treatment, payment, and health care operations] TPO uses and disclosures,” explain attorneys Jennifer J. Hennessy, Adam J. Hepworth, Sunny J. Levine, and Aaron T. Maguregui with law firm Foley & Lardner LLP in online legal analysis. “The proposed rule will allow patients flexibility when identifying recipients,” the Foley & Lardner attorneys note. Feds Bring Charges for HIPAA-Related Criminal Action If you thought a HIPAA violation won’t land you with a prison term, think again. Though rare in practice, there are criminal provisions under HIPAA — and federal enforcers do prosecute these crimes. Case in point: Former physician Frank Alario with practices in Florida, New Jersey, and New York violated HIPAA when he disclosed individuals’ protected health information (PHI) to an outside pharmaceutical rep — Keith Ritson — who wasn’t permitted to have that patient data, according to a Department of Justice (DOJ) release. Alario not only allowed Ritson access to his office and medical files, but to “restricted staff” and patients’ prescription and medication information as well. Furthermore, “Ritson would use patients’ confidential information to fill out prescription forms that Alario would authorize, and then Ritson received commissions on those prescriptions,” DOJ notes. Alario has already been charged with conspiring to violate HIPAA and could get up to one year in prison as well as a $50,000 fine. Sentencing is expected in February 2023. Resource: Read more about the case particulars at www.justice.gov/usao-nj/pr/doctor-admits-criminal-hipaa-scheme-wrongful-disclosure-protected-patient-health. 2. Enforcement: A myriad of enforcement-related provisions are in the NPRM. Highlights include the following, according to the fact sheet: Resources: Review the NPRM at www.govinfo.gov/content/pkg/FR-2022-12-02/pdf/2022-25784.pdf and the OCR fact sheet at www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/hipaa-part-2/index.html.