
Evolving Landscape of Data Privacy
Protect your business with HIPAA-compliant digital analytics
Understanding data collection is essential
For HIPAA-regulated entities, compliance is complex, especially around digital analytics tools.
The Department of Health and Human Services Office for Civil Rights (OCR) issued a bulletin on when data shared with analytics tools may become protected health information (PHI), placing more demanding protection requirements on regulated entities and their vendor partners in order to maintain compliance with HIPAA standards.
Determining what data is and is not PHI is fact-sensitive. HIPAA-regulated entities should audit the data shared with analytics tools to determine if it qualifies as PHI under OCR guidance. If PHI is being shared, they will need to partner with legal and compliance teams to maintain compliance, enter into a Business Associate Agreement with the analytics vendor, and determine if a HIPAA-compliant authorization from the data subject is required.
OCR guidance on tracking technologies at a glance
OCR warns that most identifiable information collected and transferred by HIPAA-regulated entities is likely PHI, even if the individual does not have an existing relationship with the covered entity and the information does not include medical details.
Additionally, when a HIPAA-regulated entity collects an individual’s information through its website, the information connects the individual to the regulated entity, indicating that the individual has received or will receive healthcare services and health benefits from the regulated entity.
How Slalom can help
HIPAA-regulated entities must examine their digital analytics tools and practices, and Slalom can conduct a risk/gap analysis to help you understand compliance levels.