Have you considered how your marketing department might be involved in HIPAA violations? Recent cases have appeared in the news where organizations allegedly engaged in improper health data sharing practices for use in advertising. Let’s look at the issue and items to consider regarding your healthcare organization’s cybersecurity strategy.
Short Background on Consumer Data Privacy
Consumer data privacy laws in the U.S. are considerably less strict than you may believe. For instance, after you have searched for something online repeatedly, you will start to see related ads appear on your social media channels. Many websites you visit collect and store your activity on the site and any information you enter, then use it to target their ads at a specific audience.
Data Privacy & HIPAA
As defined by the U.S. Department of Health & Human Services (HHS), “the HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes.” These controls include requiring a written authorization before using this data, or a disclosure stating that protected health information (PHI) can be used in marketing (HHS defines marketing on its website), such as in targeting pop-up advertisements.
In recent cases in the news, the healthcare organizations were allegedly using the information collected to target ads for their services. A recent study found that more than 2,500 U.S. healthcare organizations use tracking tools on their websites or patient portals.[1] The organizations now face Federal Trade Commission (FTC) settlements in the millions of dollars, as the FTC has determined these practices violate HIPAA data privacy regulations.
Tech giants such as Google and Meta are facing scrutiny from organizations such as the FTC and the Office for Civil Rights. Congress is also adding pressure on these tech companies about their role in protecting PHI. Recently, legislation was proposed that would ban PHI from being collected from any source for the use of advertising without explicit consumer consent. This proposed legislation indicates an increased awareness of how consumer data is collected and used—and, in the healthcare world—a recognition that this PHI is not always protected.
What You Can Do
Consider these suggested action items when evaluating your organization’s data security practices:
- Educate yourself on your marketing department’s advertising practices—especially surrounding pop-up advertisements and data collection.
- Work with your marketing and communications department to confirm that sensitive information is not being collected, and that team members are trained to help remove data collection from appointment booking pages and patient portals.
- Check that your compliance department is aware of what programs are added to your sites and what they are tracking.
- Have your information security department run an automated technical scan against all your assets, including third-party managed, to look for trackers.
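As an added illustration of the last action item (example code written for this post, not a tool from Forvis Mazars or HHS), the scanner below parses saved HTML from a patient-facing page and reports third-party tracker scripts, fallback image pixels and inline initialisation calls. The vendor signature list and the sample booking page are constructed assumptions; a real scan would extend the list with your own vendor inventory and run it across every asset, including third-party managed ones.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical signatures for trackers commonly found on patient-facing pages:
# (host, required path prefix or None, vendor label). Extend with your own vendor list.
TRACKER_HOSTS = [
    ("connect.facebook.net", None, "Meta Pixel"),
    ("www.facebook.com", "/tr", "Meta Pixel"),          # <img> fallback pixel
    ("www.googletagmanager.com", None, "Google Tag Manager"),
    ("www.google-analytics.com", None, "Google Analytics"),
]
# Inline JavaScript calls that initialise the same trackers even without an external src.
INLINE_CALLS = [(re.compile(r"\bfbq\s*\("), "Meta Pixel"),
                (re.compile(r"\bgtag\s*\("), "Google Analytics")]

class TrackerScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []       # (vendor, evidence) pairs
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe") and src:
            url = urlparse(src)
            host = url.hostname or ""
            for h, prefix, vendor in TRACKER_HOSTS:
                if (host == h or host.endswith("." + h)) and (prefix is None or url.path.startswith(prefix)):
                    self.findings.append((vendor, f"<{tag} src={src}>"))
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:      # script bodies arrive here as raw text
            for pattern, vendor in INLINE_CALLS:
                if pattern.search(data):
                    self.findings.append((vendor, "inline call " + pattern.pattern))

def find_trackers(html):
    scanner = TrackerScanner()
    scanner.feed(html)
    return scanner.findings

def tracker_vendors(html):
    return sorted({vendor for vendor, _ in find_trackers(html)})

# Constructed sample of an appointment-booking page (placeholder IDs, not a real site).
SAMPLE_BOOKING_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script>fbq('init', '000000'); fbq('track', 'PageView');</script>
</head><body><noscript><img height="1" src="https://www.facebook.com/tr?id=000000&amp;ev=PageView"/></noscript>
<form action="/book"><input name="reason_for_visit"></form></body></html>"""
```

Running `tracker_vendors(SAMPLE_BOOKING_PAGE)` on the sample reports both Google Tag Manager and Meta Pixel on a page that collects a reason-for-visit field, which is exactly the combination the compliance department needs to know about.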
For assistance with HIPAA compliance, please reach out to our dedicated healthcare professionals on the IT Risk & Compliance team at Forvis Mazars.
[1] “Pressure on Meta Mounts Over Pixel Collecting Health Data,” healthcareinfosecurity.com, October 25, 2022