What the OCR Has to Say About Data Security and Patient Privacy

Find out what the Office for Civil Rights in HHS has said about data security, patient privacy, and how healthcare providers should respond.

With so many changes following recent Supreme Court rulings, it can be confusing to know how you, as a healthcare provider, should manage them.

The Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services (HHS) has issued new guidance to help clarify some questions that stemmed from the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization.

The most encouraging part of the OCR guidance is its advice for providers about disclosing private medical information to third-party apps. The short answer is that providers are not required to disclose private medical information to such apps.

Data security is another issue OCR addresses in its new guidance statement, and it is something we as consumers should be thinking about. Privacy concerns extend beyond website browsing and increasingly arise from apps used on smartphones, smartwatches, and tablets. Individual apps often collect information about location and activities without the consumer understanding what data is being shared and brokered.

Data Collecting and PHI

Data collection affects your patients when you think about it in terms of health-centered apps like period and fitness trackers. Health-centered apps collect, use, and trade the consumer’s health-information data. Apps for directions, maps, and ride shares collect information like location and activity. They could also collect the date and time of your patient’s appointment.

Taking time to do a weekly or monthly check-up of privacy and location-services tracking is one way to keep your data healthy and stay informed about the apps you use. We recommend reviewing your devices’ data and location-services settings and limiting what personal information you send to and store on your device. We also recommend encouraging your patients to check and maintain their device settings.

Apps that enable patient check-in also collect information about the day, time, and location of a visit, along with the patient’s first and last names and other identifying information. These apps may be set to share information with others such as law enforcement, advertisers, and data brokers (companies that specialize in collecting personal data). Checking the permission settings of “check-in” apps can limit what the app shares with others.

Share Data Security Practices With Your Patients

Knowing what data security steps to take on personal devices is essential because HIPAA rules do not extend to the privacy and security of personal health information when it is accessed and stored on personal cell phones, watches, or tablets. The HIPAA rules apply within a healthcare setting: when PHI is created, received, maintained, or transmitted by a covered entity or business associate, HIPAA compliance is mandatory. While you, as a provider or business associate, cannot protect the privacy and security of information your patient shares on their cell phone, smartwatch, or tablet, you can share best practices with them. Share what you know about data security and motivate your patients to perform data-settings check-ups on their devices.

The new HHS guidelines outline steps individuals can take to review and limit how their devices share their personal information.

The following tips are taken directly from the OCR guidance on better privacy and security. For more details, with step-by-step actions, please read the full guidance:

  • Avoid, in the first place, downloading unnecessary or random apps, especially those that are “free.”
  • Avoid, when asked, giving any app permission to access your device’s location data other than those apps where the location is absolutely necessary (e.g., navigation and traffic apps). Many of the apps that resell data to data brokers don’t really need your location information.

Now is a good time for your organization to review its Security Risk Analysis with a PHI inventory and network overview. A Security Risk Analysis ensures your organization is effectively compliant. We encourage you to contact us to learn more about how PrivaPlan Associates can help you efficiently meet the challenges of our data-driven world. Contact us today by email or call 1-877-
