What do ransomware, Yelp, and website tracking technologies all have in common? They are troubling areas of concern for HIPAA covered entities and business associates, according to one official from the federal Office for Civil Rights (OCR) which enforces the HIPAA privacy and security rules. Recently, the Executive Editor of Information Security Media Group’s (ISMG’s) HealthcareInfoSecurity.com media site, Marianne Kolbasuk McGee, sat down with Susan Rhodes, the OCR’s acting deputy for strategic planning and regional manager to discuss these issues.

We briefly summarize the discussion below, but you can access the short interview here (~10 min.). It is worth a listen.

Ms. Rhodes outlined three troublesome areas that OCR is watching closely:

• Hacking/ransomware. Obviously, this continues to be a significant problem for the healthcare sector. According to Ms. Rhodes, ransomware attacks are up 278% in the last 5 years. Developing, maintaining, and practicing an incident response plan is one important tool for dealing with these and other attacks.
• Online reviews. Negative comments made by customers/patients on popular online review services, such as offered by Yelp and Google, can be upsetting for any small business. Practitioners in the health care sector, such as physicians, dentists, etc. have to be particularly careful when responding to patient complaints on such platforms, if they respond at all. Their responses could result in the wrongful disclosure of protected health information of their patients, resulting in significant OCR enforcement actions such as occurred here and here.
• Website tracking technologies. Calling this a “hot” area and referencing OCR investigations across the country, Ms. Rhodes directed listeners to the OCR guidance on tracking technologies issued in December 2022. Specifically, she reminded HIPAA covered entities of key considerations when using website tracking technologies including, without limitation, the potential need for business associate agreements and patient consent.

Ms. McGee also inquired about areas where covered entities and business associates’ HIPAA compliance frequently falls short. Ms. Rhodes mentioned a few:

• Risk analysis – which is foundational to the policies and procedures adopted by covered entities and business associates.
• Access controls – in short, making sure employees and other workforce members at the covered entity or business associate only have access to the PHI needed to perform their job.
• Audit controls – regularly reviewing system activity, log files, etc. to identify irregular activity or potential compromises to PHI.

The HIPAA privacy and security rule continue to raise significant compliance challenges for covered entities and business associates. It is important to those that those challenges do not just exist in the physician’s office, but must be managed on line as well, including on organizations’ website.