TITLE: When Your HIPAA BAA Subcontractor Most Likely Means Well
Therapists are going to have to make an effort to educate our own BAA subcontractors about privacy.
Amongst therapists, privacy has always been paramount.
On the Internet, tracking has gone through several understandings. First, early webmasters were excited to get free website use statistics from Google Analytics. Then followed several years of tactics to effectively market ads following client computers around the Internet. Now, there is an awareness of that data as valuable in-and-of-itself.
Recently there is a new awareness that data other than name, SSI, address, & diagnosis CAN be considered PHI (Protected Health Information) when it is specific enough to ID the patient. It can also be PHI when a data aggregator (tracking the same client across the Net) can obtain & combine data from multiple websites to build a composite file on the client. Browser cookies, pixels, beacons, mobile application identifiers, Adobe Flash technology, and IP address geolocation data can all be used -- in conjunction with websites visited -- to figure out specific individuals. (See "Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates" from HHS at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html )
Also growing is an awareness that this data can be used for something other than just targeted advertising -- like in the recent Washington Post story in which the Planned Parenthood website was inadvertently sending data to Facebook and others -- which in theory could be used by hostile state governments to prosecute women for their medical choices. (See "You scheduled an abortion. Planned Parenthood’s website could tell Facebook." https://wapo.st/3Nyf6sr ) (Brick & mortar stores can also contribute. See "What Walmart’s tech investments mean for workers and shoppers" https://wapo.st/3J86PeE )
Therapists are going to have to make an effort to educate our own BAA subcontractors about privacy -- especially in cases where it's not clear if HIPAA laws are being broken, and especially in cases where the subcontractors -- coming from the Internet world -- might not know better.
There are the more egregious cases (like BetterHelp sharing clear PHI data) -- situations in which therapists should walk or run away from the company. (See "FTC fines BetterHelp $7.8M, alleges it shared consumers' health info with advertisers" https://www.modernhealthcare.com/digital-health/ftc-betterhelp-consumer-health-info-facebook-snapchat-advertisers )
Then there are less clear cases where we need to change the mindset of our BAA subcontractors if possible.
Many of them may not understand the evolving definition of PHI. Their marketing/webdev teams may not talk with legal. They may just put together a required data consent policy with everything in it including the kitchen sink, whether or not they actually collect it, to "cover themselves". This needs tuning for their HIPAA clients. They may communicate, for legitimate uses, with sites known to track (like fonts.google.com, which provides fonts and is used by about every webmaster on earth).
If you want to see some of the URLs that your BAA subcontractors communicate with, you can double-check them by installing Ghostery and Privacy Badger in the Firefox browser (and maybe others) and checking which connections they warn you about or block when you go to those sites. This won't tell you WHAT data is communicated, only that SOME data is communicated (and whether these services think it is a security risk). Knowing what data is actually sent would require someone with expertise in packet-sniffing software such as Wireshark.
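A middle step between the browser extensions and a full packet capture is a HAR export: both Firefox and Chrome developer tools can save every request a page makes as a HAR file. The script below is an added example and not part of this post or of any of the tools it mentions; it reads a constructed HAR-style sample from a fictional practice site, separates first-party from third-party requests, flags a short (assumed, illustrative) list of tracker domains, and reports which third-party destinations learn the specific page that was visited, either through a "page URL" query parameter (the `dl` parameter used by Google Analytics and the Meta pixel; the other names in `PAGE_URL_PARAMS` are assumptions) or through the Referer header. Fonts hosts are allowlisted the way the post treats fonts.google.com. That is the HHS concern in concrete form: a destination that sees `/book-appointment?service=trauma-therapy` next to a user identifier has PHI, even if no name was ever sent.

```python
"""Audit a HAR export for third-party requests that reveal which page a visitor was on."""
import json
from urllib.parse import urlparse, parse_qs

# Assumption: a tiny illustrative list. Ghostery and Privacy Badger ship far larger ones.
KNOWN_TRACKER_DOMAINS = {"google-analytics.com", "doubleclick.net", "facebook.net", "facebook.com"}
# Hosts the post treats as legitimate, widely used resources.
ALLOWLIST_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# Assumption: common query-parameter names under which trackers send the current page URL.
PAGE_URL_PARAMS = ("dl", "url", "u", "referrer")

# Constructed sample traffic from a fictional practice site (not a real capture).
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://example-practice.test/book-appointment?service=trauma-therapy",
                 "headers": []}},
    {"request": {"url": "https://fonts.googleapis.com/css?family=Open+Sans",
                 "headers": [{"name": "Referer",
                              "value": "https://example-practice.test/book-appointment?service=trauma-therapy"}]}},
    {"request": {"url": "https://www.google-analytics.com/collect?v=1&tid=UA-TEST"
                        "&dl=https%3A%2F%2Fexample-practice.test%2Fbook-appointment%3Fservice%3Dtrauma-therapy",
                 "headers": []}},
    {"request": {"url": "https://connect.facebook.net/en_US/fbevents.js",
                 "headers": [{"name": "Referer", "value": "https://example-practice.test/"}]}},
    {"request": {"url": "https://cdn.example-vendor.test/widget.js",
                 "headers": [{"name": "Referer",
                              "value": "https://example-practice.test/book-appointment?service=trauma-therapy"}]}},
]}})


def base_domain(host):
    """Naive registrable domain: the last two labels (fine for .com/.net, wrong for co.uk-style suffixes)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def revealed_page(entry, first_party):
    """Return the first-party page URL this request discloses to its destination, or None."""
    req = entry["request"]
    # 1) Query parameters that carry the visited page URL (parse_qs percent-decodes the value).
    for key, values in parse_qs(urlparse(req["url"]).query).items():
        if key in PAGE_URL_PARAMS:
            for value in values:
                if urlparse(value).hostname == first_party:
                    return value
    # 2) Referer header; a strict referrer policy trims it to the origin, a lax one sends the full path.
    for header in req.get("headers", []):
        if header["name"].lower() == "referer" and urlparse(header["value"]).hostname == first_party:
            return header["value"]
    return None


def audit_har(har_text, first_party):
    """One finding per third-party request: destination, tracker status, and what page it learned."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        host = urlparse(entry["request"]["url"]).hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # first-party traffic is the site talking to itself
        page = revealed_page(entry, first_party)
        findings.append({
            "host": host,
            "known_tracker": base_domain(host) in KNOWN_TRACKER_DOMAINS,
            "allowlisted": host in ALLOWLIST_HOSTS,
            # The origin alone ("/") says only that the site was visited; a path says which page.
            "reveals_page": page is not None and urlparse(page).path not in ("", "/"),
            "revealed": page,
        })
    return findings


def needs_review(findings):
    """Third-party hosts that learned the specific page, excluding allowlisted resources."""
    return sorted(f["host"] for f in findings if f["reveals_page"] and not f["allowlisted"])


if __name__ == "__main__":
    results = audit_har(SAMPLE_HAR, "example-practice.test")
    for f in results:
        print(f"{f['host']:32} tracker={f['known_tracker']!s:5} reveals_page={f['reveals_page']}")
    print("Ask the vendor about:", needs_review(results))
```

Run it against a real export by replacing `SAMPLE_HAR` with the file contents and `first_party` with your own site's hostname; the output is a list of vendors to ask about, not a verdict, because the script sees only where a request went and which page it disclosed, never the payload itself.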
-- Michael
--
Michael Reeder, LCPC
michael(at)hygeiacounseling.com
#psychology #counseling #socialwork #psychotherapy
@psychotherapist @psychology @socialpsych @socialwork #HIPAA #BAA #hack #datasecurity #legal #psychiatry @psychiatry #webdev #cookies #dataprivacy #security #beacons #Ghostery #PrivacyBadger #privacy #medical