Governance & Risk Management , HIPAA/HITECH , Privacy
AHA Tells HHS to 'Amend or Suspend' Web Tracking GuidanceGroup Calls IP Addresses Under HIPAA 'Too Broad,' Posing Hardships on Hospitals
The American Hospital Association is urging federal regulators to back off from recent guidance that treats patient IP addresses as protected health information, saying that the new rules would "reduce public access to credible health information" and create hardships for doctors and hospitals.
The AHA is urging the Department of Health and Human Services to immediately amend or rescind its online tracking guidance issued in December aimed at protecting reproductive healthcare and other sensitive health information, arguing that regulators "erred" by treating all IP addresses collected by these technologies as protected health information under HIPAA .
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
In a letter on Monday, the AHA asked HHS Office for Civil Rights Director Melanie Fontes Rainer to finalize its proposed rule-making changes released in April but said it has "serious concerns" about recent HHS OCR guidance concerning the use of web tracking technologies.
"This guidance - ostensibly issued with the same worthy goal in mind as the proposed rule - is too broad and will result in significant adverse consequences for hospitals, patients and the public at large," wrote Melinda Reid Hatton, AHA general counsel and secretary. "In particular, by treating a mere IP address as protected health information under HIPAA, the Online Tracking Guidance will reduce public access to credible health information," the letter says.
The AHA fears the practice will force hospitals and health systems "to restrict the use of certain technologies that help improve community access to health information."
Many hospitals use third-party online tools that also sometimes require them to provide IP addresses to outside vendors, including analytics technologies, translation services, maps and location apps, and social media, the AHA wrote.
"Hospitals can only use these technologies with the help of third-party vendors," the AHA said. But those vendors often refuse to comply with HHS OCR guidance - such as signing HIPAA business associate agreements - "because they are not subject to HIPAA's strictures."
"Hospitals are now caught in the middle. The Online Tracking Guidance puts hospitals and health systems at risk of serious consequences - including class action lawsuits, HIPAA enforcement actions, or the loss of tens of millions of dollars of existing investments in existing websites, apps and portals - for a problem that ultimately is not of their own making."
In an interview in April, HHS OCR's Rainer told Information Security Media Group that the agency was looking closely at potential HIPAA violators involving the use of web trackers.
"It's a priority area. We're looking into organizations across the country," she said, adding that the agency's first enforcement action against tracking tool-related HIPAA violations will be "hopefully soon," she said. "We want to get this right."
Despite the AHA's concerns, HHS has always taken the position that IP addresses are HIPAA-regulated PHI, said privacy attorney Iliana Peters of law firm Polsinelli.
"It's not clear to me why HHS would rescind this guidance," said Peters, a former senior adviser at the agency. For example, she said, HIPAA makes clear that "IP addresses for individuals, their family members and their employers must be removed for purposes of the privacy rule's safe harbor" to ensure PHI is de-identified.
State and international regulators also take the approach that IP addresses are protected, Peters said. "As such, maybe the larger question is not whether this information is identifiable, but whether this information is actually at risk on unauthenticated websites."
Meanwhile, the AHA is urging regulators to finalize proposed rule-making that extends additional privacy protections to information involving lawful reproductive healthcare services from disclosures pertaining to criminal, civil or administrative investigations (see: HHS Wants HIPAA Changes to Protect Reproductive Health Info).
"By simply requiring requesters to attest to the fact that they are not seeking to use health information to investigate or penalize the lawful provision of healthcare, the proposed rule appropriately balances patient/provider privacy with the government's occasional need for health information," the AHA wrote.
The AHA also asked HHS OCR to consider whether the online tracking guidance is necessary if the proposed rule pertaining to reproductive healthcare information is finalized. "If, as AHA believes, that guidance is no longer necessary, OCR should suspend it immediately," the AHA said.
In the meantime, healthcare providers need to consider that any online tools - regardless of the intention for using such technologies - are likely collecting information that identifies individuals "far beyond just an IP address because that's how these tools function," said regulatory attorney Cory Brennan of the law firm Taft.
"Entities regulated by HIPAA need to assess all of their online tools with this understanding," Brennan said. "Nobody is telling regulated entities not to use these technologies - the guidance issued by OCR is simply reminding them to use them in a manner compliant with HIPAA."