AHA says OCR’s online tracking tool rules need to go

In a letter to the Senate Health, Education, Labor and Pensions Committee, the American Hospital Association said the U.S. Health and Human Services Office for Civil Rights rule regarding the use of online tracking tools violates existing HIPAA rules and could lead to meaningful harm to patients and public health.

“Congress should urge OCR to immediately withdraw the rule,” said AHA in its response to a request for information about data privacy and HIPAA.

WHY IT MATTERS

On behalf of AHA and its members – 5,000 healthcare organization members, 270,000 affiliated physicians, two million nurses and other healthcare providers, and 43,000 healthcare leaders – the organization told the HELP Committee that it believes current HIPAA rules provide an effective framework for sharing patients' protected health information “without creating significant barriers to the robust use and disclosure of information necessary to support high-quality care.”

For these reasons, “the AHA does not believe that Congress should enact major revisions to HIPAA at this time,” the organization said by letter on September 28.

However, AHA noted two specific issues that would “benefit from Congressional attention”: OCR’s December rule regarding the use of online tracking tools and the various state privacy rules piling on HIPAA.

In its September RFI, the HELP Committee asked stakeholders for feedback on a number of questions about health data and accountability, including whether responsible entities should have a duty of loyalty to patients and how this duty can be imposed to minimize the burden on those entities.

“Should the requirements of such a duty be based on the sensitivity of the data collected?”

While it says it believes no changes to HIPAA are necessary at this time, AHA has asked Congress to urge OCR to rescind the December rule, which prohibits healthcare organizations from using online tracking tools to collect information about how users interact with the websites of regulated entities.

The association said the rule has had consequences that run counter to OCR’s efforts to encourage hospitals to share non-private health care information with the public.

“This rule is legally flawed and harmful as a matter of policy,” the AHA said.

Hospitals and healthcare systems are caught between OCR’s “unlawful rule” governing the use of online tracking tools and third-party vendors, and they are unable to provide “the most reliable health information available,” according to AHA.

“Without consulting healthcare providers, third-party technology vendors, or the general public, the agency issued sub-regulatory guidance that has had profound impacts on hospitals, health care systems, and the communities they serve.”

In the new rule, “OCR took the position that when an online technology links an individual’s IP address with a visit to a public web page that addresses specific health conditions or health care providers, that combination of information is subject to limitations on use and disclosure under HIPAA,” AHA explained.

“This protects the IP addresses of website visitors, even if they are not actually seeking medical care.”

Under OCR’s “misleading view,” the same HIPAA protections apply when visitors search for medical information, such as general health information, information for a family member, academic research and more — and that violates HIPAA, AHA argued.

HIPAA and its implementing regulations “strike a balance,” protecting patient privacy while allowing “important uses of information,” AHA said.

AHA said OCR’s policy on online tracking tools means hospitals and healthcare systems can no longer rely on third-party technologies such as Google Analytics, YouTube and other video applications.

Without analytics, organizations can’t assess which parts of a website patients have difficulty navigating, the level of community concern about certain medical issues, and more.

“These tools allow hospitals to allocate resources more effectively and help community members more easily find the healthcare information they are looking for,” AHA said.

Without maps and third-party location services, hospitals are forced to provide better information about where healthcare services are available, the organization gave as an example. They will be forced to limit the use of tools such as embedded bus schedules or directions to and from a patient’s location.

Restricting video technologies also minimizes the reach of health information that health care systems can share with the communities they serve, AHA said.

“Hospitals and healthcare systems cannot risk the serious consequences resulting from OCR’s unlawful rule, including HIPAA enforcement actions, class action lawsuits, or the loss of significant investments in existing websites,” AHA said in its request.

Meanwhile, third parties may refuse to sign business associate agreements that require them to protect private patient information, AHA noted.

“If the OCR’s new rule stands, hospitals and healthcare systems will be forced to limit the use of valuable third-party technologies like this.”

Additionally, the AHA has long advocated that HIPAA requirements be the uniform national standard for protecting the privacy and security of all patient information. Because the HIPAA framework is both effective and entrenched, Congress should enact full federal preemption over HIPAA, the hospital association said.

“The patchwork of differing requirements poses a significant challenge to providers’ use of a common electronic health record that is a critical part of the infrastructure necessary to effectively coordinate patient care and maintain public health,” AHA said.

“Despite all the strengths of the existing HIPAA framework, the approach to preemption has proven problematic,” the group claimed in the HELP Committee letter.

“Additionally, the existing state and federal patchwork of health information privacy requirements remains a significant barrier to robust sharing of patient information necessary for coordinated clinical treatment,” AHA said. “If Congress were to make any changes to HIPAA, it would need to address this problem and implement a full preemption provision.”

THE BIG TREND

In July, OCR and the Federal Trade Commission sent a warning letter to hospitals about online tracking pixels to remind healthcare organizations of their responsibilities for third-party disclosures of protected health information under HIPAA, the FTC Act, and the FTC Health Breach Notification Rule.

“Even if you are not covered by HIPAA, you still have an obligation to protect against unauthorized disclosure of personal health information under the FTC Act and the FTC Health Breach Notification Rule,” HHS said in the bulletin.

Many healthcare systems are involved in class action lawsuits alleging PHI breaches. Earlier this year, several hospitals in Louisiana were accused of sharing medical conditions, prescriptions, doctor names and previous appointments with Facebook when patients scheduled appointments online or through patient portal apps. In August, Advocate Aurora Health agreed to settle a class action lawsuit for $12.2 million related to the health system’s October 2022 announcement that it had notified nearly three million patients in Illinois and Wisconsin of a possible data breach involving pixel trackers.

AHA noted in its RFI response letter to the Congressional Committee that these warning letters included a press release supporting threats of consequences for violating the December rule.

“OCR stated that it is ‘concerned’ that hospitals’ use of these technologies results in ‘impermissible disclosure of health information’ – an issue that OCR ‘will use all of its resources to address,’” AHA said, noting that OCR last month publicly released the names of all hospitals and health care systems that received the warning letter.

ON THE RECORD

“Courts have already concluded that the interpretation of individually identifiable health information offered by HHS in its guidance ‘goes well beyond the meaning of what the statute can carry,’” AHA said in its letter to the Senate.

“HIPAA is more than sufficient to protect patient privacy and, if interpreted correctly, provides the right balance between the privacy of health information and the sharing of valuable information,” the group added. “Various state laws only add costs and create complications for hospitals and health care systems.”

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
