Is your team scrambling trying to figure out how to make your marketing analytics setup HIPAA-compliant with the new bulletin? Yep, everyone else is too.
Today, attorney Drew Westbrook joins the show to discuss the bulletin released by OCR in December 2022. In the bulletin, OCR expanded the definition of what information is protected under HIPAA beyond what most people have read in the law and completely changes the understanding of how marketers can and can’t use analytics tools as part of our toolset, including web analytics and call tracking.
Drew explains the biggest points of concern with the new bulletin, including IP addresses being identified as PHI under HIPAA.
We then shift the conversation to what healthcare marketers need to do to understand if their organization is at risk. Auditing data to understand the information being collected, where it is being collected from, and where it is going is a good first step. They also touch on state-specific legislation and if there is any real difference in data handling of covered and non-covered entities.
This (episode 16) is part one of a two-part series (episode 17)
Jenny: [00:00:00] Hi, friends. Welcome to today’s episode of We Are, Marketing Happy, a healthcare marketing podcast. I am so excited to have Drew Westbrook on with us today. A lot of marketers in the healthcare space have been frantically trying to understand the recent HIPAA-related bulletin that was released in December and Drew is an attorney that we absolutely love working with because he understands technology better than any attorney I’ve ever worked with.
So we have invited Drew on today to talk about the bulletin and help all of the marketers in the healthcare space really better understand what the bulletin says and what the implications are.
So welcome, Drew.
Drew: Thanks, Jenny. I’m glad to be.
Jenny: Awesome. to get us started. Tell us a little bit about your background and your area of expertise. How do you have such a good understanding about all of the things in the healthcare world? [00:01:00]
Drew: Well, I would say that I’m still learning all of those things, first of all.
But no I’ve been practicing for over 10 years at this point, and I started off kind of looking at business issues, and then picked up a few clients early on that I needed to start layering healthcare regulations on top of. And so, I started absorbing all that information. They also happened to be picked up a few early on technology clients and over the years as we like to joke, it’s called the practice of law for a reason. Constantly learning and getting embedded with my clients so that I can understand not just what the law says and tell it to them, but actually say, what do you need to be able to do? How does your software work?
How does your business run? How do you make money? And then how can I help you use the regulations to stay free [00:02:00] of trouble and also to actually help you succeed in business. It’s not just about avoiding liability, although that is a big part of it. It’s also about creating opportunities, exploring opportunities, and taking advantage of those opportunities.
Jenny: Absolutely. So let’s jump right into the bulletin. So the bulletin was released in December, and it’s about two pages long, but it has caused quite a ruckus. So walk us through some of the highlights.
Drew: Yeah. So, December of 2022 the Office of Civil Rights at Health and Human Services, which is the division of the organization that enforces HIPAA, published a bulletin.
It is a bulletin on the website. It is not a law, it is not regulation or rule. But because it is published by the division that enforces the law, it is worth noting because you don’t want to go contrary necessarily [00:03:00] to what the enforcer of a law says explicitly.
So they published a bulletin. OCR describes what tracking technologies are and how companies that are subject to HIPAA can use or shouldn’t use tracking technologies on their websites and on mobile apps. The most notable piece about it is that OCR kind of expanded the definition of what information is protected beyond how most people have read the law to date.
There’s always been a concept from the beginning of rule making under HIPAA that it’s not necessarily just direct information that a provider creates in treating a patient. There’s more to it than that. It’s broader than that, but what this bulletin has said is, information collected through tracking technologies on the website of a covered [00:04:00] entity, which is an entity that’s subject to HIPAA can be considered protected health information and therefore subject to all of the rules and regulations under HIPAA.
And this is a little, it’s a little interesting because the bulletin distinguishes between authenticated portions of webpages, unauthenticated portions of webpages and mobile apps, as well authenticated portions of a webpage. You can just feel that’s different, right? If you log in, especially to a patient portal or something like that, you do expect more protection for your information inside that access point.
But if I’m just browsing the webpage of a healthcare provider, even as a patient, I’m not necessarily expecting that any information collected about that visit would be protected information Now, to be fair to the bulletin, that’s not exactly what it says. It’s maybe more targeted than that.
But there is [00:05:00] some sweeping language that OCR included in the bulletin. I mean, there’s one point where it says that when a regulated entity, I’m reading now, so I have my notes here, but when a regulated entity collects the individually identifying health information through its website or mobile app, the information connects the individual to the regulated entity and thus relates to the individual’s past, present, or future health or healthcare or payment for care, which then triggers the privacy rule.
But the problem is that it’s saying collection of information connects the individual to the regulated entity and thus relates to an individual’s healthcare.
So I’ll give you a quick example of why this is really broad sweeping. I, as an individual, I represent companies that do business with healthcare providers. When I have a new deal that a client is doing with a healthcare provider, I go to that healthcare provider’s website.[00:06:00] Often I’m looking at things like what their notice of privacy practices says, information about exactly what they do, that sort of thing.
It helps me, again, inform how to help my client get a deal done. A lot of these are in states that I’ve maybe even never visited and have zero relationship to that entity, but, the company has a cookie on its website and it collects my IP address, but now it’s got individually identifiable information about me because I’m typically, not as the bulletin says, I’m not accessing it from a public library.It is from my my personal laptop on my home network.
So that IP address is gonna identify me, and that starts to get into really significant issues for marketers. And for the owners of the websites about what do they do with all of the tracking technologies that are used on pretty much every website [00:07:00] that’s available these days.
Jenny: Yeah. And Drew a great, another real world example is all of the folks in the healthcare space, or I’d say 95 plus percent, use Google Analytics to track their website traffic. There is a setting within Google Analytics where you can obfuscate or not collect the IP address. However, the bulletin also makes it pretty clear that if that technology has the ability to access the IP address, it’s still not compliant.
Even if you tell it not to, it still is now at this point not compliant, and that really completely disrupts and shakes up everybody’s setup. And what previous to this bulletin we thought was okay.
Drew: Yeah. And that’s the tricky part is you know, if you grant access to information, then that could be considered to be triggering a business associate relationship.
And in the same way, I guess you could look at [00:08:00] it as if OCR calls it in a separate section of this webpage, a cloud services provider where you’re storing your information, even if that information is protected and the hosting company doesn’t have the access key, that cloud services provider is still business associate because they are maintaining, they’re hosting that data.
So it’s similar in one sense. It’s the reverse. But if you grant access to, or even if you don’t grant access to that data, then you are providing access and disclosing and triggering the privacy rule.
Jenny: I think what’s really interesting and what people are gonna have to come to terms with is that no service will sign a business associate’s agreement if you are using their service at no cost.
Right? Why would they take on that risk and liability if you aren’t even paying for the service. So I feel like this really is a line in the sand where analytics will [00:09:00] no longer be free. We can’t rely on using these free off the shelf platforms anymore and have comfort in being compliant.
Drew: Yeah. I think there’s a couple of factors going on with that.
I mean, one is it’s good practice. I shouldn’t say everyone. Some people sign business associate agreements and you look at it later and you say, why did you sign that? Right? But more often you avoid business associate agreements to the extent you can legally because you don’t want to take on that additional obligations.
Even if just contractually. They’re not saying a whole lot more than what you would agree to, but a business associate agreement is gonna have obligations that you would not otherwise contractually agree to if you weren’t bound by the law. Things like access rights for individuals and those sorts of things.
So currently there’s really no reason why these providers of analytics who say I’m not subject and who have traditionally said I’m not subject to HIPAA, would agree to a business associate agreement [00:10:00] that’s just added liability, especially if they’re not getting paid. On the other hand, I could see going forward, if we get enough concrete evidence that this would, this interpretation by OCR will hold up, then you might start to see more players agreeing to business associate agreements. You will not see them agreeing to anybody else’s business associate form than theirs. They’ll create their own.
It will not be negotiable. It will be favorable to that company. But you might see that, I don’t know if you’re gonna see that with at no cost. That would surprise me. But I think, there’s, there are quite a few lawsuits out there that have been filed relatively recently. Some before, I mean many before the bulletin came out.
But this is a ball that’s rolling downhill. Albeit [00:11:00] very slowly at time, but people are considering privacy more and more in the US you know, and outside of the US maybe in Europe it’s a little different, but so there are lawsuits out there that may start, and there will be more for sure.
I don’t know that, I guess with a hundred percent certainty, but I would imagine that you’re going to see more and more that are gonna start using the OCR bulletin as part of their reasons why. Using some other standard, because there’s no private right of action under HIPAA, but using some other standard why someone violated a right or didn’t use a industry standard practice because OCR has said that this is not permitted.
If we start to see that’s going to work, then the courts will say yes, that we agree with OCR. Or you start to see OCR enforcing this and winning. Or you start see them enforce and people roll over [00:12:00] enough. Then you might actually get some movement with some of the bigger players of understanding that their tool will not be used in the healthcare industry if they don’t make some sort of change. But it we’re a long ways away from that, I would say.
Jenny: And I’m sure no organization wants to be the case study, right? Nobody wants to be the one that they end up being the case law that changes the direction of what can happen.
Drew: You know, no, most people don’t. There are a few people out there that that love the challenge and that feel strongly enough. You know, in healthcare people don’t tend to be very risky, not even tolerant, but you know, they don’t like to push boundaries except in certain areas of the law and he.
People are scared of HIPAA to the point where, you know, I’ve seen a lot of people interpret HIPAA [00:13:00] more conservatively than it needs to be in a lot of situations of, oh, I can’t provide information because HIPAA prohibits it. And you say, well, that’s not true. I’m the patient. This is my information.
I can actually demand that you give it to me. So, but you’re right there. Nobody wants to be the case law. Nobody wants to be the guinea pig for pushing this boundary. Maybe some of them do. Because unwittingly, they don’t know for sure. And they’re gonna be the guinea pig because they’re either they don’t read the bulletin or somebody’s read the bulletin and it doesn’t get passed to the right people, or they don’t understand it. And they really continue to use these tools because they’re valuable tools. And in one sense, some of these companies that are placing the tools on websites to kind of have your information either way.
That kind of thinking might lead to some companies saying let’s keep going.
Jenny: Well, and one of the things, one of the very first conversations we had with you, we were trying [00:14:00] to talk about and explain, you know, what Hedy & Hopp does and our passion for improving patients access to care.
And one of the things that we talked about is it doesn’t matter what your intent is. It doesn’t matter if you feel as though you are helping patients. By having this tracking technology on your site, OCR does not care that you thought you were doing good by doing it. They have their own perspective of what tracking technology is and is not.
So they don’t care if you thought you were being helpful,
Drew: Not for whether or not you violated. I guess I would being the typical lawyer. I would say that technically they do care what your intent was, for criminal purposes, but not of whether or not what you’re actually doing is violating HIPAA, that is not intent based.
Jenny: Absolutely. Okay, so next question. So if I were a healthcare marketer within a organization and I [00:15:00] needed to look at everything that my organization was doing, what’s some super high level advice that you would give them as a starting point of understanding if they’re at risk or not?
Drew: The first thing that I would say is do a data map. You. You need to know what information you’re collecting from where you’re collecting it, and then where it’s going, whether it’s going temporarily, whether it’s going and staying, and who has access to it.
You need to figure out everything you can about the data and the information that you have and are getting. That’s a big task for certain organizations, you know, for bigger entities that have a lot of brands, a lot of different websites. That’s a lot. And I understand that. But it doesn’t change the fact that you really do need to know what you have, where you got it, [00:16:00] where it’s going, and who can get it.
Jenny: Totally. That is excellent advice and that is what we do for our clients as a first step is we go in and we do a full audit and map out not only all of their tracking technologies, but all their digital marketing practices and data storage. So it’s important to also think about where you’re placing ads and how you’re doing it.
Let’s talk a little bit about state specific legislation. I don’t wanna get into the details of it but I’ve had a couple of clients reach out and just saying, you know, we care about this bulletin, but also state specific legislation. But really we’re at the very beginning stages of state specific legislation, right?
I mean, there are less than a handful of states that have any sort of privacy related legislation. Now over the coming years, we may see more, we’re really at the tip of the iceberg for that.
Drew: I mean, pretty much every state has two, we’ll call it two laws related to privacy that are applicable here.
There’s a medical [00:17:00] information privacy law, and there’s a breach notification law. Those are typically really limited in scope. The breach notification is simply that it is, you know, if you disclose whatever, however they define the information of an individual, if you disclose it improperly, you have to notify someone. The patient, the attorney general, somebody.
And then the medical privacy is really kind of when we’re talking, when we’re trying to generalize over 50 states. They are really more of a, you know, your doctor shouldn’t go publish your information online, well, shouldn’t post it on a billboard, you know, it’s a lot of these are antiquated technologically in one sense. Plus HIPAA is going to preempt any state level law related to health information privacy that [00:18:00] is less restrictive than HIPAA. So if it’s more restrictive than, you know, the federal government says, great, those rights apply.
Those obligations apply. But if it’s not as restrictive as HIPAA, then HIPAA’s gonna preempt it. Now on with some of the newer laws at state levels, we’re getting a more comprehensive privacy regime. That’s more like the GDPR in Europe, Again as you said, there aren’t that many. We really only have two that are in effect currently three more coming into effect in 2023.
There are others kind of in the pipeline, but those are in the very early stages of the pipeline and also all of the laws that are going into effect, or are in effect, have some sort of carve out for health information that’s subject to HIPAA. It could be that it’s you know, HIPAA covered entities are excluded or in, you know, PHI as HIPAA defines it is [00:19:00] excluded.
You really need to look at the specific statutes and regulations to make those determinations, but they definitely will apply to tracking technologies and what you’ll see in the state level is you have to be careful because you may not as a company be excluded from that state law. It may be that certain types of information are excluded or if you handle that information in a certain way. Meaning if you take data and you apply the HIPAA standards to it, maybe it’s excluded, but anything else is going to be covered and protected by that state level law. And a lot of those laws are, you’re gonna see that tracking technologies, sharing that information with a third party vendor who places a cookie on your website, for example.
That could be considered to be information which is gonna trigger additional obligations and individual right. [00:20:00]
Jenny: So definitely something to keep an eye on. And it’s it’s interesting all the different directions marketers are getting all of this guidance from. So one of our big sayings and core values at Hedy & Hop is Pivot with Positivity because tomorrow the rules are gonna change.
Drew: So I like that. Yep. I’m gonna use that if that’s okay!
Jenny: Of course. Yes. I’m happy for you to use that. Last thing I’d like to chat about with you. I know we’ve been talking a lot about covered entities because that’s what this bulletin specifically discusses. However, the FTC has recently fined GoodRX, who is not considered a covered entity.
And so whenever we’re thinking about healthcare organizations that need to be aware of how they’re handling patient data, at the end of the day, it really doesn’t matter if you’re considered a covered entity or not, right? You still need to have the same level of care and concern for the data that you’re collecting and storing, because [00:21:00] if it’s not OCR coming after you, it may end up being the FTC.
Drew: Yeah, that’s true. You, when you say concern, I know that you’re not speaking in the legal sense. And that’s great because I think it really is important for companies to care about the individuals that they collect data from, care about their rights or their privacy.
It’s important and it’s good business at this point. If you can’t take care, if you’re gonna constantly have data breaches or just be disclosing people’s information it’s at some way, at some point, not going to end well, but you do have a little, maybe a little bit more freedom or leeway than if you are not a covered entity or a business associate of a covered entity and subject to HIPAA.
But you’re right, it doesn’t mean that it’s completely free. You can’t just do anything that you want. The FTC they’re more concerned with are you complying with your [00:22:00] privacy statements. That’s one thing that you’ll see.
And one thing that you could see if you are a HIPAA covered entity or business associate you know, there, there is a case in the past where someone said they were HIPAA compliant and used a logo on their website. There’s no certifying agency for whether you were HIPAA compliant.
Jenny: Excellent guidance. Well, Drew, thank you so much for joining us today. I’ll say Hedy & Hopp really appreciates your partnership in making sure that we look at our clients’ work [00:23:00] through the correct lens. So the education and partnership has been wonderful, so thank you Drew.
And for all of the listeners, I’m gonna go ahead and link to Drew’s LinkedIn as well as his company’s website in the show notes. So if you have any additional questions or want to reach out to him, you’ll be able to find him easily. So thanks for being on today, Drew.
Drew: Jenny. It was a great time.