Tag: HIPAA

From Seyfarth Shaw LLP, by Diane Dygert:

• Employers are increasingly interested in providing wellness tools, such as apps and wearables, to enhance employee benefits. These tools, which cover various areas like mental health, physical fitness, and financial fitness, are relatively inexpensive and easily accessible.
• The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of individually identifiable health information. However, this only applies to data created or maintained by a “covered entity”, usually healthcare providers or health plans. Many wellness apps are not developed by such entities, and therefore, their data may not be protected by HIPAA.
• If a wellness app is provided as part of an employer’s health plan, the underlying data collected may be considered HIPAA Protected Health Information (PHI). In such cases, the wellness vendor and the health plan must enter into a HIPAA compliant business associate agreement outlining the uses and security measures for the PHI.
• State laws may also impact the privacy of health data collected through wellness apps. Several states are passing their own privacy laws to cover health data privacy gaps in HIPAA’s scope. However, most of these laws exclude information collected in the scope of an employment relationship, and the extent of these exclusions is not yet clear.
• Employers deploying wellness apps should consider privacy implications at both federal and state levels before implementation. Failure to do so could potentially lead to privacy law liability.

From The HIPAA Journal, by Steve Adler:

• Stripe’s Non-HIPAA Compliance: Despite being compliant with various US and international data privacy regulations, Stripe is not HIPAA compliant. This is due to its method of recording personal data within transaction data, which is then used for fraud detection and shared with third-party payment providers, some of which have questionable security and privacy practices.
• Payment Processing Exemption: Stripe can process payments without violating HIPAA because of an exemption provided by the Social Security Act (§1179), which excludes financial transactions from HIPAA’s Administrative Simplification Regulations. However, this exemption only applies to payment processing and not to other activities, such as fraud detection, without a Business Associate Agreement (BAA) in place.
• Stripe’s BAA Limitation: Stripe cannot enter into a BAA with HIPAA covered entities and business associates because some of its third-party payment providers, like Coinbase and PayPal, will not enter into a BAA with Stripe. This makes Stripe non-HIPAA compliant.
• Stripe’s Global Compliance: As a global payment processing platform, Stripe must adhere to various consumer protection regulations and licensing requirements worldwide, leading it to restrict or prohibit certain types of business activities, including collecting payments for certain healthcare services.
• Violating Stripe’s Terms and Conditions: If a business violates Stripe’s Terms and Conditions, which include a list of restricted business activities, Stripe can immediately terminate access to its payment processing platform. Therefore, businesses considering Stripe should thoroughly review its Terms and Conditions and related documentation to understand their obligations.

From Taft Stettinius & Hollister LLP, by Ike Willett & Cory Brennan:

• On December 7, 2023, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement with a Louisiana medical group following a phishing attack that affected the PHI of approximately 34,862 individuals.
• This marks the first settlement OCR has resolved involving a phishing attack under HIPAA Rules, and comes just weeks after another settlement with a Massachusetts medical management company for a ransomware attack affecting 206,695 individuals.
• These settlements serve as a reminder for all health care entities to regularly review and update their risk analysis, implement audit controls, utilize multi-factor authentication, and provide ongoing workforce training to mitigate the impact of cyber-attacks.
• In addition to a $100,000 settlement, the agreement with the medical management company requires them to operate in accordance with a Corrective Action Plan (CAP) for three years, which includes updating their risk analysis and implementing security measures.
• The health care industry continues to be a prime target for cyber threats, with a significant increase in reported breaches involving hacking and ransomware. Organizations should seek qualified legal counsel and regularly review their compliance practices to prepare for potential breaches or regulatory investigations.

From Security Boulevard, by Chantel Rodrigues:

• Tracking pixels are tiny, invisible images or code snippets embedded in web pages, emails, or mobile apps. They can be used for legitimate purposes, such as monitoring website traffic, measuring user engagement, and improving user experience.
• They can also lead to data leakage and privacy breaches, which can constitute HIPAA violations if they compromise patient privacy or security.
• Identify all pixels and trackers on your web pages and remove the ones that are unnecessary or could be reading sensitive data.
• Implement JavaScript security controls throughout both the development and Application Security (AppSec) lifecycles.
• If you do use tracking technologies, ensure they only use and share protected health information (PHI) following HIPAA Privacy Rule guidelines.
• If you use technology vendors, establish a robust business associate agreement (BAA) to protect PHI.