As someone who has been in the "healthtech" area for several years now, none of this looks at all new to me. Am I missing something, or do companies typically play much more "fast and loose" with data than I've seen?
In my experience, you don't send data anywhere you don't have a BAA. Period, full stop.
> In my experience, you don't send data anywhere you don't have a BAA. Period, full stop.
This really depends on what you consider health data, which itself varies based on how big the marketing team is and the company's desire to obtain "growth & engagement". The below is from an EU perspective, but I'm sure the same would apply in the US.
I have been involved in an EU-based HealthTech that had the Facebook SDK (and maybe others too) in the app that fingerprinted the device and pinged Facebook on each run, without user consent nor adequate disclosure (buried in the privacy policy doesn't apply, nor was the privacy policy granular enough about the fingerprinting because Facebook itself doesn't publish any details on it).
Were they sending health data? No. But I'd argue that the simple fact that you use a health app and when you use it (and from where, derived from IP address) itself is a major breach. Of course, regardless of the healthcare context, this was also an obvious GDPR breach, but good luck getting any kind of enforcement against that given that the vast majority of apps are equally contaminated by these spyware SDKs.
I have seen a similar issue on a UK-based patient portal (the system here is so that third-parties are used to allow patients to access their government-maintained health record and schedule appointments) - full of trackers which had complete access to the page and Javascript context.
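The check a practitioner would run before trusting a patient portal like the one described above: pull the page's HTML and list every script, image, iframe or stylesheet it loads from a host other than its own, then flag the ones that belong to known analytics or ad vendors, and also look for the usual inline bootstrap calls (`gtag(`, `fbq(`) that load those SDKs. This is an added example, not code from the thread or from any product mentioned in it; it uses only the Python standard library, the sample portal HTML is constructed for illustration, and the tracker host list is a small illustrative set, not an exhaustive one.

```python
"""Audit a page's HTML for third-party loads and known tracker SDKs.

Added example, not part of the original thread. Standard library only, so it
runs offline against the constructed sample below; pass real HTML (for
example from urllib.request) and the page's own URL to audit a live portal.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative set of well-known analytics/ad hosts (assumption: not exhaustive).
KNOWN_TRACKER_HOSTS = {
    "www.google-analytics.com",
    "www.googletagmanager.com",
    "connect.facebook.net",
    "www.facebook.com",            # the /tr pixel endpoint
    "stats.g.doubleclick.net",
    "googleads.g.doubleclick.net",
}

# Inline bootstrap calls that indicate a tracker SDK even without an external src.
INLINE_TRACKER_CALLS = ("gtag(", "fbq(", "_paq.push(")

# Which attribute carries the loaded URL for each tag we care about.
LOAD_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ExternalLoadParser(HTMLParser):
    """Collects (tag, url) for resource loads and the text of inline scripts."""

    def __init__(self):
        super().__init__()
        self.loads = []            # list of (tag, url)
        self.inline_scripts = []   # text of each <script> without src
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url_attr = LOAD_ATTRS.get(tag)
        if url_attr and a.get(url_attr):
            self.loads.append((tag, a[url_attr]))
        if tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            text = "".join(self._script_buf).strip()
            if text:
                self.inline_scripts.append(text)


def audit_page(html: str, page_url: str) -> list:
    """Return findings: third-party loads plus inline tracker bootstraps.

    Assumption: a load is first-party only when its host equals the page's host;
    protocol-relative (//host/...) and relative (/path) URLs are handled.
    """
    parser = ExternalLoadParser()
    parser.feed(html)
    page_host = urlparse(page_url).netloc.lower()
    findings = []
    for tag, url in parser.loads:
        host = urlparse(url).netloc.lower()
        if not host or host == page_host:
            continue  # first-party resource
        findings.append({"tag": tag, "host": host, "url": url,
                         "known_tracker": host in KNOWN_TRACKER_HOSTS})
    for text in parser.inline_scripts:
        for call in INLINE_TRACKER_CALLS:
            if call in text:
                findings.append({"tag": "inline-script", "host": None, "url": None,
                                 "known_tracker": True, "evidence": call})
                break
    return findings


# Constructed sample: a fake patient-portal page with a GA/GTM snippet and a
# Facebook pixel alongside its own first-party assets.
SAMPLE_PORTAL_HTML = """
<html><head>
<link rel="stylesheet" href="/static/portal.css">
<script src="/static/portal.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-0000000"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-0000000');
</script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<h1>Your appointments</h1>
<p>Dr. Example, 2024-05-03 09:30</p>
<img height="1" width="1" src="https://www.facebook.com/tr?id=0&ev=PageView&noscript=1">
<img src="/static/logo.png">
<iframe src="https://portal.example-hospital.test/help"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_PORTAL_HTML, "https://portal.example-hospital.test/appointments"):
        flag = "TRACKER" if f["known_tracker"] else "third-party"
        print(f"{flag:12} {f['tag']:14} {f.get('host') or f.get('evidence')}")
```

Anything flagged as a tracker on an authenticated page is sitting in the same origin as the medical record number, appointment dates and whatever else the page renders, which is exactly the access the HHS quote below describes. Hosts that are merely "third-party" still deserve a look: a CDN you control is fine, a vendor you have no BAA with is not.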
The recent guidance from the HHS[0] indicates in many cases installing Google Analytics or the Facebook SDK would be considered sending health data to Google or Facebook and therefore be considered a HIPAA violation. From the HHS[0]:
> Tracking technologies on a regulated entity’s user-authenticated webpages generally have access to PHI. Such PHI may include, for example, an individual’s IP address, medical record number, home or email addresses, dates of appointments, or other identifying information that the individual may provide when interacting with the webpage.
Does the guidance only apply to user-authenticated web pages? The article suggests 'the website' is all PHI, which I personally find to be an insane interpretation of HIPAA.
Edit: I found the answer. It's pretty reasonable. Basically, no, HIPAA doesn't apply there.
> Does the guidance only apply to user-authenticated web pages? The article suggests 'the website' is all PHI, which I personally find to be an insane interpretation of HIPAA.
Someone (anonymous) goes to the website and does a bunch of searches on e.g. cancer or AIDS or anything else they don't want marketing to know about. Afterwards they log in (turns out the person was an existing patient who had a login). But it's all in the same session so now you tied all that search info to a specific account and sent it to adspyware third parties. Solid HIPAA violation.
Not my field, but talking to friends in healthcare infosec, this is something that has caused them to be hit with fines in the past. Even in the absence of fines, clearly a privacy violation.
> Does the guidance only apply to user-authenticated web pages?
It depends on if there's health related information on the page. The HHS includes examples of unauthenticated pages where the guidance applies such as pages about a specific health condition or find a doctor pages[0].
On the other hand, maybe it should apply, considering that the website is the entry point for the user to the service and that an attacker owning that can trivially redirect the user flow - the same reason why mixed HTTP & HTTPS is considered insecure.
> This really depends on what you consider health data
Nope - because I didn't say "health data". I said "data".
> But I'd argue that the simple fact that you use a health app [...] itself is a major breach
It absolutely is. There is a hypothetical case that's often shown in HIPAA training materials that covers this: a staff member posting a selfie on social media of themselves with a celebrity in a clinical setting (e.g., a waiting room).
As far as HIPAA is concerned health information is pretty much anything associated with a patient and a provider. The definition of a provider is pretty broad, but basically all data points in an EHR or claims system are associated with a provider.
So data from a fitness tracker or what you ate last night is health related but unless it’s being fed into an EHR (and associated with a provider) then it won’t be considered covered by HIPAA.
> As far as HIPAA is concerned health information is pretty much anything associated with a patient and a provider.
Correction:
As far as HIPAA is concerned protected health information is health information associated with a patient and held by covered entities, including providers, insurers, clearing-houses, and business partners acting on behalf of other covered entities.
Particularly, health information “associated with a patient and provider” but held by someone other than a covered entity is not PHI. Particularly, any information you provide about your health and care to anyone who is not your insurer, your health care provider (and online wellness services aren’t health care providers), or a business partner acting on their behalf is not PHI.
> online wellness services aren’t health care providers
That isn't uniformly true - or, to be more precise, the line between "online wellness services" and "online mental healthcare providers" is quite blurry to the average person.
My company today is in this space. Previously I've worked for primary care clinic chains, prescription discount providers, and direct pediatric care providers.
> I have been involved in an EU-based HealthTech that had the Facebook SDK (and maybe others too) in the app that fingerprinted the device and pinged Facebook on each run, without user consent nor adequate disclosure (buried in the privacy policy doesn't apply, nor was the privacy policy granular enough about the fingerprinting because Facebook itself doesn't publish any details on it).
I'd name and shame if this was a one-off (frankly if it was I'd raise it internally and they'd fix it) but given that all apps are like this my best advice would be to avoid all "healthtech" apps to begin with and use them through a browser (with good ad-blocker) if really necessary.
I've been doing B2B IT for years, and I'm glad to hear that the tech part of the health industry takes this more seriously than the health part.
There's not a single doctor's office or hospital I'm aware of that is HIPAA compliant, and the vast majority of doctors ask us what a BAA is when we try to get one set up with them.
> There's not a single doctor's office or hospital I'm aware of that is HIPAA compliant
That mirrors my experience.
My GP has a sign-in sheet at the receptionist's desk where you have to write your name when you arrive. They put a single line through your name when you're checked in.
Worse, it's usually a notebook that's just turned to a new page every day. If you grabbed that notebook you'd have a list of everyone who visited that office for the past month or so, complete with dates and times.
It's the HHS reaffirming what the law says as written. Way too many companies got loosey goosey with this stuff. The mental gymnastics we'd hear from healthcare companies "oh our legal team said it's okay to have Facebook installed here because [convoluted and totally not kosher reasoning]" was crazy when you'd review the law as written.
Startups, hospital systems, payers...doesn't matter how much resources or the company's particular compliance stance. You'd be amazed where these companies are sending data to Google and Facebook without consent and without BAAs in place. HHS here is specifically going after larger health networks and hospital systems (typically way more compliance focused than your average healthtech startup).
It's not just startups here. Lots of hospitals and hospital groups have trackers like Google Analytics installed on their website. From the HHS[0], in many cases this is considered sharing health information with Google:
> For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply.
> Classic tale of VC-backed “startups” going the Uber/Airbnb route and deciding the established rules aren’t worth following.
As long as penalties are lower than the profits (and no execs go to jail), the rules aren't actually worth following.
Maybe the real innovation of the tech sector in the last decade is figuring out that established laws aren't actually enforced anywhere well enough so you may as well break them.
Who thinks the US will ever have a single privacy/data regulation law, or if there will be this patchwork of regulations for individual industry sectors driven by disjoint agencies?
Honestly don't know and can believe either way. Leaning towards the latter currently.
Once a state other than California (which is the devil to the right) or Texas (which is the devil to the left) have a solid law on the books, others will jump on board.
At that point, the feds will make something happen and claim that it was their idea. Then we'll have a single protection law.
Until then we'll have various agencies interpreting existing laws in the context of new technologies, which are ultimately decided via lawsuits. You know, like we have had for a decade or so.
Edit: For those of you downvoting me, could you explain why? What I said is exactly what happens with federal law. Nothing groundbreaking occurs federally until states take it up on their own.
My guess is that EU/GDPR will eventually force us to come up with something, pay attention to the area, and assert our global dominance. The way we're continuing to fight/hate China seems like the first entry point into some kind of federal data laws.
Years ago, my healthcare provider added tracking to their website - both google and doubleclick. To be clear this was adtech. I contacted them and complained.
These links loaded when getting test results, when contacting my doctor, even when providing website feedback.
Round and round and someone finally said "the website is a convenience".
Hot on the heels of class action lawsuits against Facebook's parent company Meta and several large healthcare systems, HHS released HIPAA rules for companies collecting information about how users interact with their websites or apps.
A psychiatrist asked me to evaluate a remote video service marketed toward their profession for sessions with patients. I think it was early in the pandemic. The service promised confidentiality on the front page, etc., but was no different than any other website:
* Most importantly, and almost always overlooked, a clause in the privacy agreement that says, 'we can change the agreement at any time'. In other words, there is no agreement, there are no restrictions.
* The usual third parties, etc. obtaining the usual data.
It was alarming. I'm not sure what the psychiatrist did, but they did tell me 'everyone is using it'. Great.
As I understand it, the physician is responsible for being HIPAA compliant, but in my experience, physicians don't know much of anything about IT or computer technology or the practices modern SaaS and PaaS companies follow. I mean, the government's on board with pretending Microsoft isn't snooping every Word document made on Windows, but if Zoom has another of its Little Moments and someone breaks into a psychiatric therapy session, the psychiatrist is on the hook, and most MDs and medical Ph.Ds don't have a clue.