Privacy Briefs: December 2022

◆ The HHS Office for Civil Rights (OCR) has issued a bulletin to highlight the obligations of covered entities and business associates when using online tracking technologies such as Meta Pixel and Google Analytics.[1] “Some regulated entities regularly share electronic protected health information (ePHI) with online tracking technology vendors and some may be doing so in a manner that violates the HIPAA Rules,” OCR said Dec. 1. “The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes ePHI. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.” OCR’s bulletin addresses potential impermissible disclosures of ePHI by HIPAA-regulated entities to online technology tracking vendors, explaining what tracking technologies are, how they are used and what steps regulated entities must take to protect ePHI when using tracking technologies to comply with the HIPAA rules.

◆ Community Health Network has become the latest health care organization to report a breach due to pixels placed on its website by Facebook and Google: the Indianapolis-based health system said Nov. 18 that the protected health information of 1.5 million patients was exposed.[2] “As part of our continued effort to improve access to information about critical patient care services and manage key functionalities of our patient-facing websites, Community uses service providers to help evaluate the accessibility of those websites and information regarding the trends of users navigating the sites,” the health care organization said in a statement. “For a period of time, Community, like many other health systems, worked with those service providers to implement and utilize certain Internet tracking technologies provided by third parties such as Google and Facebook.” When concerns about these pixels were raised,[3] Community said it initiated an investigation and determined that “the configuration of certain technologies allowed for a broader scope of information to be collected and transmitted to each corresponding third-party tracking technology vendor (e.g., Facebook and Google) than Community had ever intended.” According to Community, the scope of information that could have been transmitted included: computer IP addresses; dates, times and/or locations of scheduled appointments; information about an individual’s health care provider; the type of appointment or procedure scheduled; communications through MyChart, which may have included first and last names and medical record numbers; information about whether an individual had insurance; and, if an individual had a proxy MyChart account, the name of the proxy.
