The next top priority of HIPAA enforcement appears to be the use of website pixel tracking tools, according to Melanie Fontes Rainer, Director of the Office for Civil Rights (OCR), the agency that enforces HIPAA. Director Rainer recently gave an interview to Marianne Kolbasuk McGee at HealthcareInfoSecurity.com in which she discussed the agency's enforcement priorities. The article and interview can be found here.
Website Tracking Risks Patient Privacy
Healthcare data breaches caused by website tracking tools have been in the news lately, but so far OCR has not publicly said whether it is investigating any of them. Examples include breaches at Monument, an online alcohol treatment provider, and Cerebral, Inc., a mental health service provider, along with a handful of others, summarized here. Millions of patients have been affected.
Late last year, after a string of website tracking breaches in healthcare, OCR published a bulletin explaining the HIPAA risks for covered entities and business associates. In the recent interview Director Rainer noted that tracking tools have been used by a variety of healthcare organizations, including those that provide behavioral health and reproductive health services. She stated that website tracking in healthcare is an OCR priority and they’re “looking into organizations across the country.”
“It is something that is harmful for the patient but is also an end run around HIPAA. So we’re trying to make sure that as technology advances and we try to do more to improve the consumer’s experience, HIPAA can’t be an afterthought.”
Right of Access Is a Cornerstone of HIPAA
Other OCR enforcement priorities include the right of access rule and compliance with the HIPAA Security Rule. Although OCR is also responsible for civil rights, 66% of the 51,000 complaints OCR received last year involved potential HIPAA violations, and many of those related to patients' right of access to their own medical information. Director Rainer noted that too many covered entities still do not take it seriously, or take too long to respond to a patient's request for access. There have been a total of 43 right of access settlements under OCR's Right of Access Initiative, which began in 2019.
Risk Analysis Should be Priority One
Cybersecurity in healthcare continues to be a concern. Hacking/IT incidents were the largest category of large breaches (those affecting 500 or more individuals) reported on the OCR Breach Portal during 2021. Ransomware is a big piece of those hacking/IT incidents and has surged, almost doubling over the prior year.
OCR has reorganized recently to strengthen its ability to take enforcement action in these high-impact cases. Director Rainer noted that the settlement agreements and the press releases that accompany them show "repeated actions": covered entities that don't have a Risk Analysis, for example. "If you don't have a Risk Analysis, you don't know what your potential exposure is," and "it's not a one-and-done, you do it and never look at it again. It's something you need to look at on a regular basis, and follow up as your system continues to evolve."