HHS Bad Cookies

HHS warns cookies can be bad for your health information

Are Cookies Bad?

Not all cookies are created equal. As a self-professed chocolate cookie aficionado, I can personally attest to this. But last week, the Department of Health and Human Services alerted us that cookies may also be bad for our health ... information.

OK, they're obviously NOT talking about the little sugary treats we've all come to know and love, especially during the Holiday Season. They're talking about the little cookies embedded in most websites that collect your information while you're on the site and, in some cases, continue collecting after you leave, and then some. Specifically, they mentioned tracking technologies including, but not limited to, third-party cookies, web beacons or tracking pixels, and session replay software.
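The technologies HHS named (third-party scripts such as session replay loaders, beacon-shaped tracking pixels, and cookies set by hosts other than the site itself) can be inventoried from a page's HTML and its response headers. The following script is an added example for this post, not code from HHS or from the author; it works on a constructed clinic page and constructed responses, and it uses a naive "last two labels" domain rule rather than a real public-suffix list, so treat the hostnames and that rule as assumptions.

```python
"""Inventory tracking technologies on a page you operate (constructed example)."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels. This is a naive stand-in for
    eTLD+1; a production audit should use a public-suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(url: str, site_host: str) -> bool:
    """A URL is third party when its host is outside the site's registrable
    domain. Relative URLs (no host) are first party by construction."""
    host = urlparse(url).hostname
    if not host:
        return False
    return registrable_domain(host) != registrable_domain(site_host)


class TrackerInventory(HTMLParser):
    """Collects third-party scripts/iframes and beacon-shaped images from HTML."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src:
            return
        if tag in ("script", "iframe") and is_third_party(src, self.site_host):
            # Third-party script tags are how analytics and session replay
            # loaders usually arrive on a page.
            self.findings.append({"kind": f"third-party {tag}", "url": src})
        elif tag == "img":
            tiny = a.get("width") == "1" and a.get("height") == "1"
            hidden = "display:none" in a.get("style", "").replace(" ", "")
            if tiny or hidden:
                # A 1x1 or hidden image exists to fire a request, not to be seen.
                self.findings.append({"kind": "tracking pixel", "url": src})


def audit_cookies(responses, site_host):
    """responses: list of (request_url, [Set-Cookie header, ...]).
    A cookie is third party when the response that set it came from a host
    outside the site's registrable domain (that is where a browser would
    treat it as a third-party cookie)."""
    findings = []
    for url, headers in responses:
        third = is_third_party(url, site_host)
        for header in headers:
            parts = [p.strip() for p in header.split(";")]
            name = parts[0].split("=", 1)[0]
            flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
            findings.append({
                "kind": "third-party cookie" if third else "first-party cookie",
                "name": name,
                "set_by": url,
                "secure": "secure" in flags,
                "httponly": "httponly" in flags,
            })
    return findings


def audit_page(site_host, html, responses):
    """Run both inventories and return one combined list of findings."""
    parser = TrackerInventory(site_host)
    parser.feed(html)
    return parser.findings + audit_cookies(responses, site_host)


def summarize(findings):
    """Count findings by kind, e.g. for the written record the post suggests."""
    return dict(Counter(f["kind"] for f in findings))


# Constructed sample page and responses; all hostnames are placeholders.
SITE_HOST = "clinic.example"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.tracker-analytics.example/replay.js"></script>
</head><body>
<img src="/static/logo.png" width="200" height="60">
<img src="https://px.ad-network.example/collect?ev=pageview" width="1" height="1">
<iframe src="https://widgets.clinic.example/chat"></iframe>
</body></html>"""
SAMPLE_RESPONSES = [
    ("https://clinic.example/", ["session=abc; Path=/; Secure; HttpOnly; SameSite=Lax"]),
    ("https://cdn.tracker-analytics.example/replay.js",
     ["_trk=xyz; Domain=.tracker-analytics.example; Path=/; Secure; SameSite=None"]),
]

if __name__ == "__main__":
    for finding in audit_page(SITE_HOST, SAMPLE_HTML, SAMPLE_RESPONSES):
        print(finding)
    print(summarize(audit_page(SITE_HOST, SAMPLE_HTML, SAMPLE_RESPONSES)))
```

On the constructed page this flags the replay loader as a third-party script, the 1x1 image as a tracking pixel, and the cookie set by the analytics host as a third-party cookie, while the first-party iframe, logo and session cookie are left alone. Running something like this against your own patient-facing pages, and keeping the output, is one concrete way to document what is loaded on your site and by whom.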

Let's take a look at this issue as a patient and how this is potentially hazardous to you as a provider.

First, as a patient (and an internet user in general), you have no idea what cookies may or may not exist on the websites you visit, what information they're collecting, or how it's being used. Despite efforts by certain states and the EU to clamp down on this unfettered data collection, work still needs to be done to make it easier for all users to have more control over, and awareness of, what's happening. Patients should be aware that everywhere they go and type in diagnosis and treatment questions, they're essentially alerting the entire internet to their inquiry and likely to their own health condition.

As a provider, what does this mean to you? What if you're recommending websites to your patients that are at some point in the future found to be collecting PHI on your patients, unbeknownst to them? Do you potentially have HIPAA violation liability for sending your patients to that site? That remains to be seen. What if the websites you're using are collecting your patients' PHI? Earlier this year MyChart was found to be using tools provided by Facebook in its architecture that were doing just that. But who uses MyChart, right? So Facebook collected protected health information on what was likely millions of users. Good thing Facebook is such a benevolent steward of our most sensitive data!

So the pickle you're in as providers is this - if you recommend a site, you may violate HIPAA. If you're using software that (without your knowledge) is using third-party tools to collect your patients' health data, you could be violating HIPAA. How do you protect yourself? The answer isn't black and white. If it were me, and I saw value in the sites I recommend for my patients, I would begin providing those recommendations in writing and add a written disclaimer that says something to the effect of "this website may collect your health information and we don't take any liability for your use of the site." Obviously, this needs to be word-smithed and we don't want to provide legal advice, but you get the idea. Second, as for the websites you're using, it may be worth documenting for your own protection what information they're collecting. If it were me, I'd send those sites an email asking what information they're collecting, what they're storing, and whether they're collecting any patient PHI. Honestly, like MyChart, they may not even be aware of it themselves, but at least you've demonstrated you've made an effort to document the protection of your patients' PHI.

As I said, this is not an easy situation to resolve and most of it is out of our hands as users. What's the likelihood of you or your organization getting ensnared in this web? Frankly, at this point not very high, but you need to be aware of these issues and be prepared for your patients to ask you about it.

If you want to discuss this subject in greater detail, call or email me anytime.

Jeff Mongelli

HIPAA Security Reminders


HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
