Update to HHS' Controversial Web Tracker Guidance Offers Little Practical Relief, Legal Experts Say
Data Strategy, Security and Privacy attorney Paul Bond was quoted in a Fierce Healthcare article, describing the new complexities facing healthcare organizations due to updated guidance on HIPAA compliance and third-party web trackers. He highlighted how the guidance places an ambiguous burden on entities to discern when a website interaction constitutes the creation of Protected Health Information (PHI). Mr. Bond illustrates the confusion with the example that a website visitor accessing oncology materials could either be creating PHI or not, solely based on their status as a patient or researcher.
“Under OCR’s guidance, a user accessing oncology materials on a healthcare website is creating PHI if they happen to be a patient, and is not creating PHI if they happen to be a researcher. And if a third-party tracking technology is present on that oncology section of the website, it both does and does not concern HIPAA, depending on circumstances unknown and unknowable to the covered entity. OCR has created Schrödinger’s Website User," he said.
READ: Update to HHS' Controversial Web Tracker Guidance Offers Little Practical relief, Legal Experts Say