By Chris Jones
I. Introduction
COVID-19 sparked a “tsunami of growth” in the United States’ telehealth industry.[1] The Office for Civil Rights (“OCR”) Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (“Notification”) allowed medical providers to utilize telehealth platforms that fell short of The Health Insurance Portability and Accountability Act of 1996’s (“HIPAA”) privacy requirements.[2]
Technology companies and governments have “long shown themselves to be wolves in sheep’s clothing when it comes to privacy: promising privacy while conducting widespread and illicit surveillance.”[3] A recent study determined that over 70% of medical applications shared users’ sensitive information with third-party data aggregators, without the user’s knowledge or consent.[4]
Data aggregators can use this information to potentially damage the individual financially, physically, or psychologically.[5] This data is often marketed and sold to a variety of commercial third parties including employers, advertisers, and insurers.[6] In one case, a data aggregator sold the digital health-related data of approximately 3 million individuals to an insurance company.[7]
By allowing medical providers to utilize inferior privacy measures, the Notification continues to increase the risk of individual privacy harm. Privacy injuries associated with the unauthorized use of an individual’s data may include reputational, discrimination, physical, psychological, economic, and relationship harms.[8] Thus, telehealth platforms should be required to obtain a Telehealth Privacy Certification (“Certification”) of compliance prior to public market release. This Certification would strengthen security and ensure a patient’s privacy rights are protected moving forward—regardless of what the future holds.
II. Telehealth During COVID-19
During the COVID-19 pandemic, private telehealth companies and health care systems reported increases in telehealth use ranging from 100% to 4300%.[9] According to the Centers for Disease Control and Prevention (“CDC”), 43% of medical providers had telehealth capabilities before the pandemic.[10] After the pandemic began, 95% offered telehealth.[11]
Telehealth is defined as the use of electronic information and communications technologies to deliver clinical and nonclinical health care services.[12] Telehealth communications generally consist of three types: (1) Synchronous, which involves direct communication between the provider and the patient using phone, video, or data transmission such as texting; (2) Asynchronous, which involves the storage of information for the provider or patient with the expectation that the other party will review it and respond at some point in the future; and (3) Remote patient monitoring, which involves a mix of both synchronous and asynchronous telehealth that allows the provider to monitor the patient over time.[13] Prior to the pandemic, there were many barriers to utilizing telehealth, such as provider licensing, insurance approval, lack of equipment, and the overall costs of complying with HIPAA.[14] For example, extremely expensive devices were required for both the patient and the physician, with costs of $799 and up.[15]
As telehealth appointments have become common events, patients confide in their providers as they would if meeting in person. Patients can be particularly susceptible to privacy harm when being videotaped. Typical telehealth sessions often contain a patient’s personal disclosures of “objective and highly sensitive statements of fact” that “may be inherently more revelatory” than the provider’s ordinary notes based on subjective impressions.[16] Even when complying with HIPAA, providers are free to retain archived, stored, or transmitted data from telehealth sessions.[17]
Mental health therapist Tiffany Chhuom worries about the impact of temporarily lifting privacy protections for patient data included in video or text discussions with their doctors.[18] “The ways in which these clients who are so vulnerable on video could be exploited — I don’t have the words to explain how much that concerns me,” said Chhuom.[19]
III. Legal Background
While it is generally understood that medical providers should use the highest level of standards to assure peace of mind for their patients,[20] HIPAA regulates the use of technology to transmit certain medical data at the federal level.[21] HIPAA requires covered entities to follow data privacy, data security, and data breach notification requirements when handling applicable medical information.[22]
The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) amended HIPAA in 2009 to further define the responsibilities and roles of healthcare providers and business associates.[23] The HITECH Act requires that covered entities utilize a Business Associate Agreement (“BAA”)[24] and demands that associates comply with the appropriate sections of HIPAA’s Privacy and Security Rules.[25] Absent exception, HIPAA’s Privacy Rule requires patient consent in order for a covered entity to share Protected Health Information (“PHI”) with third parties.[26] HIPAA’s Security Rule requires that covered entities utilize “administrative, physical, and technical safeguards to prevent threats or hazards to the security of electronic PHI.”[27]
Herein lies the broader issue—under the current regulation, the use of specific telehealth equipment or technology cannot ensure an entity is HIPAA-compliant.[28] Thus, the burden to utilize HIPAA-compliant telehealth platforms falls on the covered entity.[29] If a covered entity utilizes telehealth involving PHI, the entity must comply with the same HIPAA requirements that it would if the patient visited the office.[30] This requires the entity to have technical knowledge in order to conduct a thorough assessment of any potential risk or vulnerability that may affect the confidentiality or integrity of the patient’s PHI.[31] Pandemic or not, this level of technical compliance can be difficult for medical specialists to ascertain.
IV. OCR’s Notification of Enforcement Discretion
During the COVID-19 pandemic, patients across the country were asked to accept a trade-off between access to remote health care and protection of their sensitive health data.[32] In March 2020, the United States government further relaxed its already anemic privacy standards by enacting the Notification that allowed medical providers to utilize telehealth platforms, which fell short of HIPAA privacy requirements.[33] This Notification declared the OCR would not impose penalties for noncompliance with HIPAA regulatory requirements regarding telehealth during the pandemic, as long as the activities were carried out in good faith—even if the appointment was not related to COVID-19.[34] Without stringent privacy and security features employed, a telehealth appointment can have devastating effects on a patient’s employment status, insurance ratings, and personal reputation.[35]
Any non-public-facing remote communication product could be utilized for medical appointments, regardless of its privacy and security features.[36] For example, this Notification allowed a provider to examine a patient utilizing a videoconferencing application on the patient’s phone.[37] Additionally, it merely suggested that providers notify their patients of potential third-party privacy risks and merely recommended that they utilize all available encryption and privacy modes.[38] This waiver applied to HIPAA’s Privacy, Security, and Breach Notification Rules.[39]
The OCR provided a list of video communication platforms that claimed to be HIPAA-compliant and were willing to enter into a BAA,[40] but did not specifically endorse them.[41] This Notification recommended that providers concerned about additional privacy protections for their patients continue to utilize services through HIPAA-compliant vendors.[42]
For example, this Notification allowed medical providers to utilize the consumer version of Zoom for confidential telehealth visits.[43] Zoom has experienced a 10-fold increase in usage since the COVID-19 pandemic began, including increased use in healthcare.[44] According to a study by Sermo, Zoom was the most common telehealth platform in use during the COVID-19 pandemic.[45]
Zoom has come under fire as a myriad of articles and lawsuits exposed its privacy flaws.[46] Zoom users encountered Zoom Bombing, which occurs when someone joins a meeting they weren’t invited to and “drops gross or disturbing images.”[47] Confidential secrets are easily revealed when random people join private videoconferences.[48] For example, online classes at UCLA were disrupted by a Zoom Bomber shouting slurs and insulting individuals.[49] Zoom Bombers have even posted pornographic content during video chats like AA meetings.[50]
As this Notification allowed for any non-public teleconferencing platform to be used,[51] the privacy issues exposed here are not unique to Zoom alone—Zoom likely only scratches the surface.[52]
This Notification of Enforcement Discretion was inadequate as it essentially stripped consumers of their right to privacy by allowing providers to utilize random videoconferencing applications with no guarantees of confidentiality or security. The importance of privacy and security concerns surrounding telehealth cannot be overlooked as medical data necessitates a higher standard of security due to its personal and sensitive nature.[53] The effects of this Notification may be felt for years or decades to come if the medical data makes its way into the hands of data brokers,[54] unscrupulous actors, or onto the Dark Web.
V. Two Years In – Where Do We Go From Here?
For the past two years, medical providers and patients have become accustomed to utilizing telehealth without the safety of regulatory oversight. As state of emergency declarations are lifted, this compliance waiver will likely end. Covered entities will no longer be allowed to utilize whatever nonpublic telehealth modality patients have chosen, and will be required to resume utilizing only telehealth platforms that comply with HIPAA.
In October 2021, the American Medical Association (“AMA”) called on the OCR to extend this Notification for yet another year, in order to provide its members with more time to adapt to HIPAA-compliant technologies.[55] The AMA has requested that the OCR assist providers by establishing “guidance documents that specifically speak to telemedicine platforms and what HIPAA requires for use of such technology.”[56] As the AMA explained, “many clinicians are using telemedicine for the first time and may not be well-versed in the unique risks and vulnerabilities associated with the new tools they are using.”[57]
This chain of events is taking Americans’ privacy concerns even further off track. As the AMA confirmed, medical providers are not technologists and do not specialize in deciphering the intricate privacy concerns involved with third-party applications.
In order to protect both health and privacy, Congress should enact a comprehensive federal regulation to require Telehealth Privacy Certification (“Certification”), administered by the OCR, for all platforms prior to public market release. The OCR already has a trained staff of technologists currently tasked with HIPAA auditing and enforcement. Thus, the OCR should implement a new system to standardize and simplify the necessary HIPAA-compliant technological requirements for telehealth platforms and control how personal telehealth data is maintained.[58] This Certification should also implement one standardized BAA required for use with all approved telehealth platforms.
By requiring telehealth platforms to meet or exceed HIPAA regulations upfront, entities that specialize in medicine would no longer be tasked with attempting to analyze whether or not technology platforms comply with the applicable laws. Instead, medical providers can confidently focus their resources on treating patients’ health concerns—the true purpose of telehealth.
With Certification, it is possible to leverage the public health benefits of telehealth without subjecting unsuspecting patients to abusive or illicit surveillance. This long-term solution would safeguard the privacy rights of telehealth users and ensure that patients’ medical data is protected—both during a pandemic and beyond.
[1] See Marie Fishpaw & Stephanie Zawada, Telehealth in the Pandemic and Beyond: The Policies That Made It Possible, and the Policies That Can Expand Its Potential, Heritage Found. (July 20, 2020), https://www.heritage.org/health-care-reform/report/telehealth-the-pandemic-and-beyond-the-policies-made-it-possible-and-the.
[2] See Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency, U.S. Dep’t Health & Hum. Servs., https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html (last updated Mar. 30, 2020) [hereinafter Notification of Enforcement Discretion]; Telehealth and Telemedicine: Frequently Asked Questions, Cong. Research Serv. (Mar. 12, 2020), https://crsreports.congress.gov/product/pdf/R/R46239.
[3] Jake Goldenfein, Ben Green, & Salome Viljoen, Privacy Versus Health Is a False Trade-Off, Jacobin, https://jacobinmag.com/2020/4/privacy-health-surveillance-coronavirus-pandemic-technology (last visited Sept. 19, 2020).
[4] Lori Andrews, A New Privacy Paradigm in the Age of Apps, 53 Wake Forest L. Rev. 421, 421 (2018).
[5] Id. at 424.
[6] Id. at 421.
[7] Id. at 461.
[8] See Daniel J. Solove & Danielle Keats Citron, Privacy Harms, GW L. Fac. Publ’n & Other Works, 1534, (2021), https://scholarship.law.gwu.edu/faculty_publications/1534/.
[9] Fishpaw, supra note 1.
[10] Hanna B. Demeke, Sharifa Merali, Suzanne Marks, et al., Trends in Use of Telehealth Among Health Centers During the COVID-19 Pandemic — United States, June 26–November 6, 2020 (Morbidity and Mortality Weekly Report), CDC (Feb. 19, 2021), https://www.cdc.gov/mmwr/volumes/70/wr/mm7007a3.htm.
[11] Id.
[12] Telehealth and Telemedicine: Frequently Asked Questions, Cong. Research Serv. (Mar. 12, 2020), https://crsreports.congress.gov/product/pdf/R/R46239. While the World Health Organization limits the term “telemedicine to services provided by doctors,” whereas “telehealth is broader, including services from other health providers such as nurses, psychologists and pharmacists;” the terms telehealth and telemedicine are often used interchangeably. Dana Shilling, Telemedicine in the age of COVID-19, 35 Elder L. Advisory NL 1, 1 (2020).
[13] See David A. Hoffman, Increasing Access to Care: Telehealth During COVID-19, 7 J. L. & Biosciences 1, 3 (2020).
[14] See Miranda A. Moore & Dominique D. Monroe, COVID-19 Brings About Rapid Changes in the Telehealth Landscape, Mary Ann Liebert, Inc., Publishers (Aug. 14, 2020), https://www.liebertpub.com/doi/10.1089/TMJ.2020.0228.
[15] Id.
[16] Josh Sherman, Double Secret Protection: Bridging Federal and State Law to Protect Privacy Rights for Telemental and Mobile Health Users, 67 Duke L. J. 1115, 1143 (2018).
[17] See id. at 1141–43.
[18] Kate Kaye, HHS Notice on Telehealth Penalties Raises Privacy Concerns, Int’l Ass’n of Privacy Prof’ls (Mar. 20, 2020), https://iapp.org/news/a/hhs-notice-on-telehealth-penalties-raises-privacy-concerns/. Chhuom worked with the Washington State Health Care Authority to utilize digital technology in its response to the COVID-19 pandemic. Chhuom has first-hand experience with patient technology as she owns Eth Tech, a digital training firm. See id.
[19] Id.
[20] See Geoffrey Lottenberg, COVID-19 Telehealth Boom Demands Better Privacy Practices, Lexis Law 360 (July 2, 2020), https://www.law360.com/articles/1287404/covid-19-telehealth-boom-demands-better-privacy-practices-.
[21] HIPAA, Telehealth, and COVID-19, Cong. Res. Serv. (June 5, 2020), https://crsreports.congress.gov/product/pdf/LSB/LSB10490.
[22] See id. (A Covered Entity is one that is (1) A health plan, (2) A health care clearinghouse, or (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by 45 CFR § 160.103). HIPAA imposes obligations on covered entities, those that have entered into a Business Associate Agreement (“BAA”) with a covered entity, and subcontractors of covered entities or business associates. See Business Associate Contracts, U.S. Dep’t of Health & Hum. Servs., https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html (last reviewed June 16, 2017).
[23] See Business Associate Contracts, supra note 22. (A Business Associate is a person or entity, including subcontractors, who “perform[s] functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.”).
[24] A covered entity may share PHI with another entity only after a BAA has been entered into that provides “satisfactory assurances” the business will appropriately safeguard the information. Therefore, the business associates themselves are directly liable for breaches of HIPAA. See HIPAA, Telehealth, and COVID-19, supra note 21.
[25] See Leslie Lenert & Brooke Yeager McSwain, Balancing Health Privacy, Health Information Exchange, and Research in the Context of the COVID-19 Pandemic, J. Am. Med. Informatics Ass’n (Apr. 26, 2020), https://academic.oup.com/jamia/article/27/6/963/5814212.
[26] See HIPAA, Telehealth, and COVID-19, supra note 21.
[27] See HIPAA, Telehealth, and COVID-19, supra note 21.
[28] HIPAA and Telehealth, Ctr. for Connected Health Policy, https://www.cchpca.org/sites/default/files/2018-09/HIPAA%20and%20Telehealth.pdf (last visited Dec. 18, 2020).
[29] Id.
[30] Id.
[31] Id.
[32] Goldenfein, Green, & Viljoen, supra note 3.
[33] See Notification of Enforcement Discretion, supra note 2.
[34] Notification of Enforcement Discretion, supra note 2.
[35] See Lothar Determann, Healthy Data Protection, 26 Mich. Tech. L. Rev. 229, 256 (2020).
[36] Notification of Enforcement Discretion, supra note 2.
[37] Notification of Enforcement Discretion, supra note 2.
[38] Notification of Enforcement Discretion, supra note 2.
[39] FAQs on Telehealth and HIPAA During the COVID-19 Nationwide Public Health Emergency, U.S. Dep’t of Health & Hum. Servs., https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf (last viewed Dec. 17, 2020).
[40] Notification of Enforcement Discretion, supra note 2.
[41] Notification of Enforcement Discretion, supra note 2.
[42] Notification of Enforcement Discretion, supra note 2.
[43] See Notification of Enforcement Discretion, supra note 2.
[44] Mohammad S. Jalali, Adam Landman, & William Gordon, Telemedicine, Privacy, and Information Security in the Age of COVID-19, SSRN 1, 2 (July 8, 2020), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3646320.
[45] Deborah R. Farringer, A Telehealth Explosion: Using Lessons from the Pandemic to Shape the Future of Telehealth Regulation, SSRN 1, 28 (Aug. 5, 2020), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3681070.
[46] See Ajay Chawla, Coronavirus – Covid 19 ‘Zoom’ Application Boon or Bane, SSRN (May 20, 2020), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3606716.
[47] Id.
[48] See Michael Goodyear, The Dark Side of Videoconferencing: The Privacy Tribulations of Zoom and the Fragmented State of U.S. Data Privacy Law, 10 Hous. L. Rev. 76, 80-81 (2020).
[49] Emily MacInnis, Students, Professors Report Multiple Incidents of Zoombombing in One Day, Daily Bruin (Oct. 11, 2020, 6:00 PM), https://dailybruin.com/2020/10/06/students-professors-report-multiple-incidents-of-zoombombing-in-one-day.
[50] Chawla, supra note 46.
[51] Notification of Enforcement Discretion, supra note 2.
[52] See Goldenfein, Green, & Viljoen, supra note 3.
[53] Jalali, Landman, & Gordon, supra note 44.
[54] See WebFX Team, What are Data Brokers — and What is Your Data Worth?, WebFX (Mar. 16, 2020), https://www.webfx.com/blog/internet/what-are-data-brokers-and-what-is-your-data-worth-infographic/ (Data brokers belong to a “multi-billion dollar industry made up of companies who collect consumer data and sell it to other companies, usually for marketing purposes.” Because data brokers do not deal directly with consumers, many individuals are unaware these companies exist.).
[55] Letter from James L. Madara, MD, CEO Executive Vice President, Am. Med. Ass’n, to Lisa J. Pino, Dir., Off. Civ. Rts. (Oct. 25, 2021), https://searchlf.ama-assn.org/letter/documentDownload?uri=/unstructured/binary/letter/LETTERS/2021-10-25-Letter-to-Pino-on-HIPAA-Flexibility.pdf.
[56] Id.
[57] Id.
[58] Goldenfein, Green, & Viljoen, supra note 3.
Image source: https://labblog.uofmhealth.org/rounds/telehealth-visits-skyrocket-for-older-adults-but-concerns-and-barriers-remain