Podcast: Keeping an Eye on HIPAA Trends with Shannon Hartsfield

Mia McKown: Hello. This is Mia McKown, with Holland & Knight. Thank you for joining us for another episode of Florida Capital Conversations. Privacy is such a big issue. If you all are like me, I talk on my phone, and next thing I know, I'm getting an ad for something. It's become such a big deal in our society, and especially when it really matters with our protected health information. I'm so glad to have with me today my partners Shannon Hartsfield and Eddie Williams. We're going to talk a little bit about HIPAA and some of the new issues and cutting edges and things we all need to know about privacy in the healthcare arena with our healthcare information. Shannon Hartsfield, we're really lucky, Eddie, I know you'll agree she is, I mean, legit known all over the country for her expertise in this area. She has written books, and she also is very passionate about it and gets very excited about HIPAA. And it's just, it's going to be a fun conversation to learn what's going on and what we can expect coming up. So, Shannon, tell us a little bit about what's going on with HIPAA enforcement, what you see on the landscape with litigation, now that I've ordained you the guru of all things.

Overview of HIPAA Enforcement

Shannon Hartsfield: Thanks, Mia. No, we're fortunate to have Eddie Williams on as well, one of our partners here, who definitely works extensively with HIPAA also. So I hope he'll keep me honest and let me know if I trip up at all here. Something to keep in mind as we're talking about HIPAA is that there are legitimate enforcement and litigation risks if we don't comply with the requirements. Civil penalties can start, you know, in the low $100 per violation, but they can exceed $1.9 million for multiple violations of the same requirement in a calendar year. And these are adjusted for inflation. Penalty limits can be lower based on the government's enforcement discretion, but they can also add up very, very quickly if they are, there are multiple violations of different requirements.

Something to keep in mind as we're talking about HIPAA is that there are legitimate enforcement and litigation risks if we don't comply with the requirements

Mia McKown: Shannon, who enforces HIPAA?

Shannon Hartsfield: That's a great question. HIPAA is enforced at the federal level by the Department of Health and Human Services and its Office for Civil Rights. That office also deals with enforcement of certain laws regarding disabilities and anti-discrimination. But a lot of what they do is privacy and security enforcement of HIPAA. Now, if there are criminal penalties, they can refer cases to the Department of Justice and criminal penalties for violating HIPAA, for knowing violations can go as high as $250,000 and 10 years in prison, depending on what the elements of the crime are, whether it was under false pretenses, whether they were trying to get money.

HIPAA is enforced at the federal level by the Department of Health and Human Services and its Office for Civil Rights. That office also deals with enforcement of certain laws regarding disabilities and anti-discrimination.

Mia McKown: Have they really gone to jail for a HIPAA violation?

Shannon Hartsfield: There have been criminal penalties for HIPAA violations and also state corollaries to HIPAA, especially for very bad actors using medical information for things like ID theft. But I believe there's been one person who went to jail for a little while for just snooping through records. So it is a serious crime potentially. And I wouldn't worry too much about criminal penalties unless you really are a bad actor. But it's been known to happen. Something to keep in mind that there are no, HIPAA doesn't have a private right of action, so no one can go sue somebody for violating HIPAA.

HIPAA doesn't have a private right of action, so no one can go sue somebody for violating HIPAA.

Mia McKown: So if I went to my doctor's office and I found out that they had been, like they were on the phone and another patient overheard them talking about my test results, I can't sue the practice myself, the doctor myself?

Shannon Hartsfield: No. And I actually get that question a lot. You can't sue for a HIPAA violation, but you can potentially sue under some state law cause of action. If you can find some state law that you can hang your hat on to show that you were injured in some way that the courts have recognized in your particular state. But what we mostly see, what I would call HIPAA enforcement, is in the litigation context under those state law claims, and we'll talk about that more in a little bit.

If you can find some state law that you can hang your hat on to show that you were injured in some way that the courts have recognized in your particular state. But what we mostly see, what I would call HIPAA enforcement, is in the litigation context under those state law claims.

Recent Noteworthy Enforcement Actions

Shannon Hartsfield: Some recent enforcement actions by the Office for Civil Rights, the Office for Civil Rights usually investigates complaints, and for particularly egregious situations or cases where they want to make sure the public understands, you know what you need to do with HIPAA. They'll go after certain covered entities and business associates. Enforcement by the Office of Civil Rights is — I would say enforcement actions are few and far between, but they do happen. Some recent enforcement actions from this year and last year include a $75,000 settlement with a business associate that was working for some kind of covered entity because they had an unsecured server. There was a $240,000 settlement in June of 2023 with a hospital where they had security guards who were snooping in patient records. There was a $350,000 settlement in May of 2023 for another unsecured server that a business associate had. Back in December of 2022, a dental practice had to pay $23,000 to settle a claim that they had violated HIPAA by responding on social media to patient reviews. And those responses included protected health information. So if you've got a patient complaining about you on social media, you have to be very, very careful of how and whether you respond to those kinds of complaints. Even if the patient is making their information public, that doesn't mean that you can do the same in defending yourself, which isn't fair, but that's how the regulations are interpreted right now.

Even if the patient is making their information public, that doesn't mean that you can do the same in defending yourself, which isn't fair, but that's how the regulations are interpreted right now.

Eddie Williams: Hey, Shannon.

Shannon Hartsfield: Yes.

Eddie Williams: In those instances where the business associate was subject to those fines and penalties for an act that they committed, do the company entity of that business associates still need to be concerned about its HIPAA compliance program, even though the action occurred at the business associate level?

Shannon Hartsfield: That's a great question, Eddie. The government, as I said before, the Department Health and Human Services Office for Civil Rights enforces HIPAA, but the Centers for Medicare and Medicaid Services used to enforce HIPAA, and they also have some involvement in making sure that covered entities and business associates speak the appropriate computer language with respect to HIPAA and engage in standard transactions. And recent guidance, more recent guidance, from CMS has said that you are responsible for the activities of a business associate, whereas the Office for Civil Rights have a frequently asked question on its website — it's still up there — that says clearly you are not responsible as a covered entity for the actions of your business associates unless you knew or should have known of some kind of problem and you didn't take any steps to correct it. So that's kind of a gray area. I would advise clients to make sure that they take reasonable measures to make sure their business associates are going to comply with HIPAA. At a minimum, you need to have a HIPAA-compliant business associate agreement in place with them. And if you have that and they trip up, I think the risks to covered entities are fairly low. But you definitely want to consider the risks of any sort of business associate relationship. And if they do get in trouble, you want to make sure that they are correcting it. That's a great question.

I would advise clients to make sure that they take reasonable measures to make sure their business associates are going to comply with HIPAA. At a minimum, you need to have a HIPAA-compliant business associate agreement in place with them.

HIPAA's Role in Digital Privacy and Consumer Data Collection

Mia McKown: I know I stated in the beginning how kind of our phones control our life. They hear everything that we say, but we have become such a digital society between people are on Instagram, they're on Twitter and they're on Facebook. And people, they search the web for health information. Does HIPAA play any type of role in our consumer data, our digital process? I mean, I was shocked when you just said that even though someone may give you a bad review on the internet, you have to be really careful in defending yourself. And so I'm just curious how all that plays with HIPAA. I think that's very, very interesting, and it's probably changing daily as our technology changes.

Shannon Hartsfield: Yes. HIPAA has a pretty limited application or pretty limited scope. A lot of folks think anything related to health information is protected by HIPAA, and that's not the case. HIPAA only applies to health information held by what we call covered entities and their business associates and subcontractors. And covered entities only include health plans, healthcare clearinghouses and most healthcare providers, but only those healthcare providers that transmit health information electronically in connection with very specific standard transactions listed in the regulations. And those include things like billing for health claims. So most doctors and hospitals are definitely subject to HIPAA because they bill electronically, and so they engage in those standard transactions. But outside of HIPAA, there is a ton of health data floating around there that's absolutely not subject to HIPAA. A lot of medical apps collect health information. Patients can freely disclose their own information wherever they want to, and they're not subject to HIPAA. Employers in their role as employers aren't subject to HIPAA. So there are a lot of exceptions, and it's sort of counterintuitive, but a lot of health data floating out there that it doesn't have any protection at all, or maybe it's only protected under state laws. Also, the Federal Trade Commission does have jurisdiction and does enforce privacy requirements for those medical apps that I was mentioning before. If you have an app that's collecting health data, it needs to make sure that it's complying with whatever it's told the individual that it would do or not do with health data. So another enforcement action that we want to make sure we're aware of is they're giving a lot of enforcement activity by the Office for Civil Rights related to patients' rights to access to their health information. And so that's very important. If a patient wants access to their data that's used to make decisions about them, that HIPAA gives them the right to access that. In a future segment of this podcast, Florida Capital Conversations, we're going to hear more about how patients have the right to access their information electronically. Eddie Williams is going to talk to us about that. But back to some new HIPAA developments. Back in December of 2022, the Office for Civil Rights issued a bulletin that talked about an important issue relating to improper disclosures of protected health information through website tracking tools. When we go visit a website, it might have what we call on that website a pixel, a Facebook pixel or, Meta owns Facebook, so a Meta pixel. And if that pixel is installed on the website, it can track our activities. It will send a little piece of data to Facebook and let them know that we were visiting a particular site. This is sometimes used for marketing purposes. Sometimes it's used just to help a website function properly. There's a lot of technicalities with respect to website tracking tools, but the Office for Civil Rights wants people to make sure that you are not using a tracking tool vendor that is not HIPAA-compatible.

HIPAA has a pretty limited application or pretty limited scope. A lot of folks think anything related to health information is protected by HIPAA, and that's not the case. HIPAA only applies to health information held by what we call covered entities and their business associates and subcontractors.

Mia McKown: What does that mean?

Shannon Hartsfield: That means that the tracking tool vendor is willing to say that it has a HIPAA-compliant program and will sign a HIPAA business associate agreement. Some third parties that have these tracking tools like Facebook do not sign business associate agreements. And so you cannot send protected health information to those third parties without the business associate agreement in place or a patient's authorization, a HIPAA authorization that contains very specific requirements. So that's difficult to get. There are a few vendors out there that are HIPAA-compatible, but a lot of them are not. And it's my understanding that north of 90 percent of healthcare providers were using these tracking tools prior to this bulletin coming out. And a lot of times the tracking tools are simply sending the IP address of the visitor to the website. They're only sending an IP address and no other information to these third parties. They're not sending the person's name, they're not sending their email address or anything about their particular health condition. They're simply sending a signal indicating that someone with a particular IP address visited a particular web page. How can this possibly be protected health information? Well, under HIPAA, anything related to a patient's healthcare that could potentially identify them is likely to be protected health information unless the information is completely de-identified.

Some third parties that have these tracking tools like Facebook do not sign business associate agreements. And so you cannot send protected health information to those third parties without the business associate agreement in place or a patient's authorization, a HIPAA authorization that contains very specific requirements.

Mia McKown: If I'm searching for a specific kind of doctor and I access a healthcare system or a hospital system and start researching for a doctor, is that potentially protected by HIPAA from the hospital's perspective?

Shannon Hartsfield: From the hospital's perspective, because the Office for Civil Rights said that the mere fact that someone goes to a hospital's website means that they have been a patient or will be a patient or are a patient, which is actually nonsensical because they're —

Mia McKown: They obviously easily aren't familiar with my hypochondria. Every time that something happens that I immediately Google something. How do they even control that, Shannon?

Shannon Hartsfield: I think that, that was a bit of overreaching on the part of the Office for Civil Rights. You could be going to a hospital's website because you are delivering lunch to someone or you want to apply for a job. There are lots of reasons why someone would be going on a hospital's website that has nothing to do with their individual healthcare. But there are clearly some web pages where you would be visiting because you are a patient or want to be a patient, such as a web page where you would be scheduling an appointment with a cancer doctor or something like that, where you're inputting your information. If Facebook or some other third party knows that you visited that particular page, then they probably got a pretty good idea that you've got some kind of health condition. So that's the government's concern. They want covered entities to be aware of this problem and to fix it going forward.

Mia McKown: Eddie, don't you kind of think, based on kind of the things that we see and deal with the regulators, it goes back to what Shannon is saying, I know this is what, what they've said in their guidance, but in the end, it's really going to be the bad actors that are using these tracking device, tracking devices for really bad acts. I don't know from an enforcement perspective, how they can control that every single time someone accesses a hospital website, it seems like people who are using it for bad purposes is really where they're going to have to do their enforcement on. I mean, I guess we won't know until they do it, right?

Eddie Williams: I would agree. But again, you know, when you're dealing with any type of regulatory agency, you know, sometimes you have to say make it make sense. And a lot of times it doesn't make sense from a business perspective as well as, you know, just from a licensing governing regulatory perspective as well.

Mia McKown: Make it make sense is my life story. Personally and professionally. Shannon, is there anything else we need to keep in mind?

Enforcement Action for Noncompliant Tracking Tools

Shannon Hartsfield: Yes, a couple of things. If you, if you are using these tracking tools, the Office for Civil Rights is starting to send out requests to find out what different entities are doing. If you get a HIPAA complaint, they may include in their inquiry questions about your use of tracking tools. They're asking you to name any and all third party data tracking technology vendors or suppliers of web tracking services that you might be using. They want to know what applications and platforms you're using, where this third party data tracking technology is used. They want to know the details of why you are using this technology, what data you're transmitting when you engaged the third party tracking tool vendors and whether you've stopped using these vendors, and a copy of any agreements that are in place. But in terms of real enforcement and the real negative consequences of using these tracking tools, the reality is that we're seeing more and more plaintiffs' attorneys bringing class action lawsuits against covered entities that are using these tools, like the Meta pixels. They're bringing class actions not under HIPAA, because you can't sue for a violation of HIPAA, but they're bringing claims under state laws dealing with actually wiretap laws. They are saying that the tools and the recording that's done when someone visits the website is the equivalent of recording a phone conversation without permission. There are also cases brought under the Video Privacy Protection Act. If you have a YouTube video or something embedded on your website and you're telling third party trackers that someone is viewing a particular video, that can implicate the Video Privacy Protection Act, apparently. They are also bringing claims relating to use of, they're saying that an individual's health information was improperly disclosed and there's some state law that's been violated. These claims are rarely making it past the summary judgment stage, but they are very costly to defend. We're also seeing more class actions related to use of disclosure of biometric information. And there's another litigation risk relating to mass arbitration. A lot of times a website will have in its terms that any claims have to be arbitrated. Well the plaintiffs' attorneys are figuring out that they can do mass arbitration and cause a lot of havoc and expense that way. So you definitely want to make sure your website is not doing something with data that the patient wouldn't expect. If you're using chat bots or you are engaging in sort of artificial communications with patients or using website data to be an artificial intelligence tool or something like that, you want to make sure you're doing in a way that is compliant.

But in terms of real enforcement and the real negative consequences of using these tracking tools, the reality is that we're seeing more and more plaintiffs' attorneys bringing class action lawsuits against covered entities that are using these tools, like the Meta pixels. They're bringing class actions not under HIPAA, because you can't sue for a violation of HIPAA, but they're bringing claims under state laws dealing with actually wiretap laws.

Mia McKown: Are there certain disclosures or consents that they can have through their process as people access, say the chat bots or certain things that may be there, that it can provide some type of protection for an improper disclosure if they're checking a box? I mean, is that something that can be done?

Shannon Hartsfield: Unfortunately, they'd have to be checking a box that means that they are signing a HIPAA authorization, and a HIPAA authorization is an extremely long document. And it has to have very specific language in it and disclosures in it. So it would be cumbersome for a website to have a HIPAA authorization pop up where you click I agree or something like that. It could be done, but it's just cumbersome and not very user friendly. And the whole purpose of your website usually is to engage with.

Mia McKown: Make it fast, right? It kind of goes back to what Eddie said, sometimes like, make it make sense.

Shannon Hartsfield: Right, right. So that's sort of in a nutshell some of the new developments in HIPAA. We're still waiting on some proposed regulations to be finalized. Every day, state laws seem to be popping up that may or may not affect healthcare entities. So there's a lot of change in regulation of health data, and it's definitely something to keep an eye on. But that's sort of it in a nutshell today.

Mia McKown: I think it's all very, very interesting, and I'm looking forward to when the new rules come out, when they — I mean, we've been waiting for a long time on those, and maybe we can jump back on and have a conversation about some of the rules and what you, you know, on the landscape for that. But I really appreciate you sharing all this new information with us. And we thank everybody for joining us today for another interesting conversation here in our capital in Tallahassee, things that are affecting all of us. Again, thank you, Shannon and Eddie, for joining us, and I hope everybody has a great day.