Editor's Note: This is the latest in an ongoing series devoted to assisting acupuncture practitioners in understanding and complying with different aspects of the Health Insurance Portability and Accountability Act (HIPAA). The first article appeared in the February 2022 issue.
In December 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a bulletin with guidance concerning the use of online tracking technologies by covered entities and business associates under HIPAA. The OCR Bulletin follows a significant increase in lawsuits and complaints about tracking technologies being embedded in healthcare providers websites and portals.
Before digging into the OCR bulletin, let's review protected health information (PHI): The HIPAA rules apply to "protected health information" (PHI) which generally includes individually identifiable health information. That is, health information that relates to the individual's past, present, or future health, health care, or payment for care, including their name, address, email, IP address, and demographic information. See full list at 45 CFR 160.103.
Tracking Technologies and Their Uses
Online tracking technology means "software or code on a website, plug-in or mobile app used to gather information about users as they interact with the website or mobile app." Examples of these tracking technologies on websites include cookies, fingerprinting, web beacons, or tracking pixels. Plug-ins and websites may use tracking technologies such as tracking codes, as well as capture device-related information. The HHS bulletin notes:
"For example, websites and mobile apps may use a unique identifier from the user's mobile device, such as a device ID or advertising ID. These unique identifiers, along with any other information collected by the website or app, enables the website owner, third-party vendor or any other entity who receives such information to create individual profiles about each app user."
Tracking technologies are embedded in websites and all kinds of plug-ins. These software tools collect visitors' valuable personal data to use or sell to marketing and research companies. This is a very common practice used by the biggest names in tech, as well as lots of companies flying under the radar.
Here's Why Tracking Technologies Trigger HIPAA
Health care providers' website or website hosting service (like GoDaddy, Web.com, SquareSpace, Hostinger, DreamHost, BlueHost, and Ionos) likely uses tracking technologies that automatically collect and share traffic data and personal information with third parties. This is not permitted under HIPAA. The OCR bulletin states:
"All such information collected on a healthcare provider's website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the data collected, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services."
So, according to the OCR, individuals with or without an existing patient relationship with the health care provider could be sharing PHI with the provider (or a third party) through its website tracking technologies. This information might include an individual's medical history, home or email address, dates of appointments, as well as an individual's IP address or geographic location, etc.
Why It Matters to Acupuncturists
Acupuncturists need to be aware that this is a HIPAA violation because data tracking on websites often captures PHI. Sites that address specific symptoms or health conditions, or that permit a visitor to search for a provider or schedule an appointment, may qualify as PHI if, for example, the visitor's email address or IP address is also captured.
HIPAA Obligations When Using Tracking Technologies
The OCR bulletin reminds health care providers that when they allow tracking technologies on their websites, they have an obligation – a "duty to act" – that assures PHI is not shared or misused under the HIPAA rules. Here is a summary of some key obligations:
What Can You Do? Next Steps
Don't feel alone if you are confused or uncertain about how to comply with the steps listed above. Health care providers usually depend on IT and data security consultants to help with compliance.
Work with your website developer or a trusted IT and data security professional to determine if tracking technologies are embedded anywhere your website. Consider migrating your website to a secure server to ensure visitors personal information is not being collected while navigating on your website.
If any of your website vendors are using tracking software on your website, then determine what, if any, ePHI is being collected or shared. Ensuring a business associate agreement is in place also will help to avoid potential impermissible disclosures of patients' private health information.
Author's Note: For more information related to this article, please visit www.patientdataprotection.com or call Matthew Fiorenza, compliance and security specialist, at 352-268-5088, ext. 4.
Over my almost 30 years in clinical practice, I have used Chai Hu Long Gu Mu Li Tang extensively for a wide array of clinical presentations ranging from chronic headaches to anxiety, insomnia, and prescription drug withdrawal symptoms if these situations fit the appropriate patterns – all with extremely positive clinical outcomes.
There’s no doubt that many of your patients visit your practice because they are in pain. And there’s certainly no doubt that curcumin from turmeric (Curcuma longa) can be incredibly effective in stopping that pain, whether due to chronic conditions like arthritis or acute pain from intensive workouts. But your patients may also benefit from curcumin for other reasons.
| Digital Exclusive
Low back pain is defined as pain the posterior superior iliac spine (PSIS), and it can be acute or chronic, localized or radiating. It is a common ailment for adults in the United States, with a lifetime prevalence as high as 65-80%. Whether or not an MRI is available to provide definitive knowledge of a structural issue, acupuncture can be an effective treatment for low back pain.
| Digital Exclusive