Tracking technology has become increasingly prevalent in various industries, including healthcare. It allows organizations to collect and analyze data about user interactions with their websites and applications. However, the use of tracking technologies in healthcare has raised concerns about privacy and security. One recent example of a data breach involving tracking technology is the case of Kaiser Foundation Health Plan, which disclosed a breach impacting 13.4 million current and former plan members.
Kaiser Foundation Health Plan, one of the largest healthcare organizations in the United States, discovered the breach during a routine investigation. The investigation revealed that certain online technologies previously installed on Kaiser’s websites and mobile applications may have transmitted health data to third-party vendors, including Google, Microsoft, and X (formerly known as Twitter).
The information exposed in the breach includes members’ names, IP addresses, and details about how patients use the applications, such as search terms used in the health encyclopedia.
This breach is significant not only because of the large number of individuals affected but also because it is the largest data breach reported to the HHS Office for Civil Rights so far in 2024. It highlights the need for healthcare organizations to carefully consider the use of tracking technologies and ensure that appropriate safeguards are in place to protect patient data.
New Guidelines from the Department of Health and Human Services
In response to concerns about the use of tracking technology in healthcare, the Department of Health and Human Services (HHS) has issued guidelines to clarify the obligations of covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies.
The HHS Office for Civil Rights (OCR) bulletin emphasizes that regulated entities must take steps to protect electronic protected health information (ePHI) when using tracking technologies. It explains what tracking technologies are, how they are used, and the potential risks associated with their use. The bulletin also highlights the importance of complying with the HIPAA Rules to ensure the privacy and security of health information.
The OCR has previously warned hospitals and telehealth providers about the privacy and security risks of online tracking technologies. In letters sent to approximately 130 hospitals and telehealth providers, the OCR and the Federal Trade Commission (FTC) expressed concerns about the use of tracking technologies that may impermissibly disclose consumers’ sensitive personal health data to third parties.
The guidelines from the HHS OCR provide clarity on the requirements under HIPAA for the use of online tracking technologies. While the guidelines acknowledge the potential benefits of tracking technology in improving websites and patients’ access to care, they emphasize the need for regulated entities to ensure that the use of tracking technologies does not result in impermissible disclosures of protected health information or other Privacy Rule violations.
Conclusion
The data breach at Kaiser Foundation Health Plan highlights the importance of addressing privacy and security concerns associated with the use of tracking technologies in healthcare. The breach, which impacted millions of plan members, has prompted regulators to reconsider the use of tracking technologies in the industry.
The Department of Health and Human Services, through the HHS Office for Civil Rights, has issued guidelines to clarify the obligations of covered entities and business associates under HIPAA when using online tracking technologies. These guidelines emphasize the need to protect electronic protected health information and ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Additional guidance, policies, training and resources are available at Taino Consultants Inc. and EPI Compliance websites.
As healthcare organizations continue to leverage tracking technologies for various purposes, it is crucial for them to prioritize patient privacy and security. By implementing appropriate safeguards and adhering to regulatory guidelines, healthcare organizations can mitigate the risks associated with tracking technology and maintain the trust of their patients.