OCR Bulletin Addresses HIPAA's Applicability to Online Tracking Technologies

OCR Bulletin: Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (Dec. 1, 2022); HHS Office for Civil Rights Issues Bulletin on Requirements under HIPAA for Online Tracking Technologies to Protect the Privacy and Security of Health Information (Dec. 1, 2022)

Bulletin

News Release

HHS's Office for Civil Rights (OCR) has issued a bulletin to highlight the HIPAA privacy, security, and breach notification obligations imposed on covered entities (including health plans and most health care providers) and business associates (collectively, "regulated entities") when using online tracking technologies. As background, a tracking technology is a script or code on a website or mobile application used to gather and analyze information about users as they interact with the website or mobile application. The bulletin addresses potential impermissible disclosures of protected health information (PHI) by focusing on regulated entities' obligations when using third-party tracking technologies. Specifically, the bulletin addresses:

  • Tracking on Webpages. The bulletin explains that tracking technologies on a regulated entity's user-authenticated webpages, which require a user to log in, generally have access to PHI such as identifying information. Thus, a regulated entity is required to configure any user-authenticated webpages that include tracking technologies so that such technologies only use and disclose PHI in compliance with the HIPAA privacy rule. Similarly, it must ensure that any electronic PHI collected through its website is protected and secured in accordance with the HIPAA security rule. Tracking technologies on regulated entities' unauthenticated webpages, which do not require a user to log in, generally do not have access to individuals' PHI. However, the bulletin includes specific examples of unauthenticated webpages that may have access to PHI, in which case the HIPAA rules would apply.

  • Tracking Within Mobile Applications. Mobile applications or "apps" that regulated entities commonly offer to individuals to help manage their health information collect a variety of information provided by the user that is considered PHI and, therefore, is subject to the HIPAA rules. The bulletin notes, however, that the HIPAA rules do not protect the privacy and security of information that users voluntarily download or enter into mobile apps that are not developed or offered by or on behalf of regulated entities, regardless of where the information came from.

  • HIPAA Compliance Obligations. The bulletin provides several examples of the HIPAA requirements that regulated entities must meet when using tracking technologies with access to PHI. These requirements include: (1) ensuring that all disclosures of PHI to tracking technology vendors are specifically permitted by the HIPAA privacy rule and that, unless an exception applies, only the minimum necessary PHI is disclosed to achieve the intended purpose; (2) establishing a business associate agreement with a tracking technology vendor that qualifies as a business associate; (3) addressing the use of tracking technologies in the regulated entity's risk analysis and risk management processes; and (4) providing breach notification when there has been an impermissible disclosure of PHI to a tracking technology vendor that compromises the privacy or security of PHI.

EBIA Comment: OCR points out that the proliferation of tracking technologies has made it essential "now more than ever" for covered entities and business associates to ensure that they only disclose PHI as permitted under the HIPAA rules. The bulletin provides an overview of tracking technologies, as well as insight and examples of potential impermissible disclosures. For more information, see EBIA's HIPAA Portability, Privacy & Security manual at Sections XXII ("Privacy, Security, and EDI: What Information Is Protected and Which Entities Must Comply"), XXIV ("Business Associate Contracts"), and XXV ("Breach Notification for Unsecured PHI").

Contributing Editors: EBIA Staff.
