Navigating the Whiplash: How Healthcare Organizations Can Stay Ahead of Data Privacy Regulations
Whiplash. That’s the best word to describe what healthcare organizations are experiencing regarding data privacy regulations.
It all started with The Markup’s investigation, which sparked widespread alarm over the use of Meta and Google ad trackers on hospital websites. This led to a wave of class action lawsuits, intensifying concerns about data privacy governance.
In response, HHS released guidance on the use of online tracking technology, causing many organizations to stop all data-sharing activities. The situation escalated further when the FTC teamed up with HHS to emphasize the importance of data privacy, creating even more uncertainty.
The American Hospital Association (AHA) then filed a lawsuit against the guidance, prompting healthcare organizations to pause their activities once again as they awaited the outcome. A narrow victory for the AHA in the courts was amplified by clickbait headlines and seemingly gave some organizations the green light to cautiously resume using web trackers.
But most healthcare organizations weren’t fooled by the clickbait headlines. The AHA court ruling addressed only the "proscribed combination" of IP address and health context and did not touch the rest of HHS’s guidance on web tracking technology.
Most recently, HHS decided not to appeal the AHA lawsuit ruling, but that should not change how organizations approach privacy. Paul Bond, an attorney at Holland & Knight, emphasizes that the decision to forgo an appeal should not diminish the focus on privacy in online tracking technology, stating, "HHS’s decision not to appeal will have zero impact on patient privacy."
All of this leaves healthcare organizations confused about the implications of using data in marketing. This series of twists and turns has left the industry in a state of flux, struggling to keep up with the ever-changing regulatory landscape.
The Challenge of Complying with Expanding Data Privacy Laws
Despite HHS deciding not to appeal the narrow ruling on AHA’s lawsuit, the core of HHS’s guidance about the use of online tracking technologies still applies. Consumer data such as ad click IDs, device IDs, email addresses, and more still fall under HIPAA’s governance for covered entities.
And even data that isn’t under HIPAA’s governance is starting to be controlled by state-level privacy laws.
Right now, there are twenty states that have enacted privacy laws that healthcare organizations must comply with.
Most healthcare organizations that operate in any of those states must comply with both HIPAA and the state-level law. Some of those state-level laws are quite strict.
Take Washington state’s My Health, My Data Act, for example. It explicitly targets health information and goes beyond the protections offered to consumers by HIPAA.
There’s no sign of these laws slowing down. In addition to the twenty states that have already enacted privacy laws, seventeen additional states have introduced data privacy legislation.
If that’s not enough, class action lawsuits are still wreaking havoc on healthcare organizations. These are often brought not under HIPAA or any state-level privacy law, but under other statutes such as the Video Privacy Protection Act and pen register and trap and trace laws.
A durable data privacy solution is essential
These constant changes to healthcare data privacy rules create an unpredictable regulatory environment in which what’s compliant today might be non-compliant tomorrow.
That uncertainty can turn data management into a nightmare for healthcare organizations. Those that choose to wait for the dust to settle risk inadvertently violating HIPAA in the meantime.
Instead of waiting, a better approach is to put a durable solution in place to help you quickly adjust based on changes to HIPAA guidance (and state-level privacy laws, too).
A durable solution involves taking control of your data by collecting and activating only first-party data through a BAA-protected platform, like Freshpaint. Taking control of your data now is your best defense against constantly evolving data privacy regulations.