Avoid these Common HIPAA Pitfalls
Staying compliant with the Health Insurance Portability and Accountability Act (HIPAA) is not always straightforward. The key to HIPAA is paying attention to the details.
In this article we look at some of the common HIPAA mistakes that digital health companies make, which can jeopardize patient data, incur fines, and damage trust. Let's dive in!
1. Overlooking Business Associate Agreements
A fundamental aspect overlooked by digital health companies is the importance of Business Associate Agreements (BAAs). Any third party that handles Protected Health Information (PHI) on your behalf must be bound by a BAA. This legal document outlines the permissible uses of PHI and mandates the protections that must be in place.
Think:
->Cloud Providers
->Contractors
->Third parties
2. Improper Use and Disclosure of PHI for Care Coordination
Coordinating care across different platforms and providers has made care more efficient. However, it’s essential to remember that using or disclosing PHI for care coordination requires patient authorization, unless it falls under specific exceptions. Missteps not only compromise patient privacy but also reflect non-adherence to HIPAA's minimum necessary rule, which stipulates that only the minimum necessary PHI should be used or disclosed for a particular purpose.
Example:
If two health plans are coordinating care for an individual who has coverage under both plans, they may share PHI that pertains to that individual's care or payment for care that both plans have a relationship with. For example, if the individual had a surgery that both plans are helping to cover, information about the surgery, related treatments, and payments could be shared between the plans under the premise that "the PHI pertains to that relationship."
This stipulation helps ensure that PHI is used and disclosed responsibly and only for purposes that directly relate to health care operations, treatment, or payment, thereby protecting patient privacy while still allowing for necessary health care operations and coordination.
3. Unauthorized Use of Online Tracking Technologies
Online tracking technologies such as cookies and tracking pixels are valuable for analyzing website traffic and user behavior. However, tracking technology becomes problematic when it is deployed on websites or pages where PHI is accessed or transmitted. Unauthorized tracking can result in the inadvertent disclosure of PHI to third parties, violating HIPAA rules.
Think:
->IP addresses
->Device identifiers
->Interaction data (e.g., healthcare appointment booking, health questionnaires)
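As an added illustration (not part of the original article), the following Python script audits a constructed appointment-confirmation page for the kind of disclosure described above: it lists every third-party host the browser would contact when the page loads, flags the ones not covered by a BAA, and reports any tracking URL that carries care-related interaction data in its query string. The host names, vendor list and sensitive parameter names are assumptions made for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed example values: the portal's own host and the one analytics vendor
# that has signed a BAA. Anything else receiving a request is an unreviewed third party.
FIRST_PARTY = "portal.example-clinic.test"
BAA_COVERED = {"analytics.baa-vendor.test"}
# Query parameters that carry interaction data about care (constructed list).
SENSITIVE_PARAMS = {"appointment", "provider", "visit_type", "questionnaire"}
# Elements whose URL attribute makes the browser contact the named host on page load.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class TrackerAudit(HTMLParser):
    """Collects every external resource load and the care-related parameters it carries."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, host, has_baa, leaked_params)

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(RESOURCE_ATTRS.get(tag, ""))
        host = urlparse(url).hostname if url else None
        if host is None or host == FIRST_PARTY:
            return  # relative or first-party resource: no third-party disclosure
        leaked = sorted(SENSITIVE_PARAMS & set(parse_qs(urlparse(url).query)))
        self.findings.append((tag, host, host in BAA_COVERED, leaked))

def audit_page(html):
    parser = TrackerAudit()
    parser.feed(html)
    return parser.findings

def unauthorized_hosts(html):
    """Third parties that receive the visitor's IP address and referrer with no BAA in place."""
    return sorted({host for _, host, has_baa, _ in audit_page(html) if not has_baa})

def phi_leaks(html):
    """Loads whose query string carries care-related interaction data, BAA or not."""
    return [(host, leaked) for _, host, _, leaked in audit_page(html) if leaked]

# Constructed appointment-confirmation page for the demo.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://analytics.baa-vendor.test/collect.js"></script>
<link rel="stylesheet" href="https://cdn.fonts-cdn.test/fonts.css">
</head><body><h1>Appointment confirmed</h1>
<img src="https://pixel.adnetwork.test/p.gif?appointment=2024-06-01&amp;provider=dr-smith&amp;visit_type=oncology">
</body></html>"""

if __name__ == "__main__":
    print("no BAA:", unauthorized_hosts(SAMPLE_PAGE))
    print("care data in query:", phi_leaks(SAMPLE_PAGE))
```

Even a stylesheet or font CDN counts as a third-party host here, because the request alone hands over the visitor's IP address and the PHI-bearing page URL in the referrer.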
Avoiding these mistakes requires a thorough understanding of HIPAA. Compliance is not a one-time task but an ongoing process that evolves with your company.