Originally published to TecHR on July 2, 2020 by Chris Bowen, Chief Privacy & Security Officer and Founder, ClearDATA
It’s been a tough year so far. This year was to be the year of the flying car, but now even airplanes aren’t flying! We all had high hopes for 2020, but a megavirus sucker-punched the world within weeks of lifting our glasses to a new decade. Ironically, the healthcare system took a hit as never seen in modern history. One would have thought the healthcare sector would boom with demand. Sadly, by halting “elective surgeries” due to a lack of critical supplies (like masks and ventilators), revenues plunged, and vital healthcare workers were furloughed and put out of work.
Hundreds of thousands of patients clamored for care. Quarantines required new ways of meeting patients where they were – tucked away in their homes in efforts to reduce spread. So, the Office for Civil Rights (OCR) eased some HIPAA restrictions and declared they would not impose penalties for noncompliance against providers during the COVID-19 pandemic if they leveraged telehealth platforms – even if they may not comply with the privacy or security rules. For the first time in history, this allowed healthcare providers to use popular applications that allow for video chats. These include Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, Skype, or other similar services to provide telehealth care.
Privacy and security experts – myself included – have raised concerns about some of these apps. A few observations and advice follow so payers and providers can consider both the pros and cons of using video apps for care delivery during the pandemic:
- Make sure your patients consent to using these applications to deliver care.
- Review and revise your Notice of Privacy Practices (NPP) posted on your website. Make sure it includes a notice that if the patient needs to use these applications, you cannot protect the data flowing through the apps. You can only protect the information you collect directly (e.g., recording or transcribing the dialogue or video).
- Make sure your patients understand that these apps could have security and privacy issues.
- Advise the patient to be in a private room where no one can eavesdrop on the doctor/patient conversation.
- Encourage the patient to know how the app maker handles their data.
- Just because you, as a provider or payer, deliver care over an app doesn’t mean it’s a free pass from all HIPAA rules. For example, if your patient records a Zoom session and shares it with you, you have to treat that as you would other sensitive health data in the EMR.
- Remember, when providing care through these apps, you can only control the data you see and ingest. You cannot control the data flow within the app.
While I am not advocating for or against any video chat app, some risks have surfaced in each. I have highlighted a few below so you can best protect your practice and your patients during this critical time. It’s not an exhaustive list, but meant to spark your attention to patient privacy when using these apps.
When a massive population recently moved into Zoom rooms, hackers followed. Zoom bombing began, where intruders would invade the meeting, sometimes making themselves known, other times lurking. Other hackers have taken control of webcams and microphones. When you use passwords and lock meetings, you help resolve many of these concerns, but there are still bugs that can be abused to steal Windows passwords. Also, installers can be compromised with malicious code, giving someone with low-level privileges the highest level of user privileges. There are also concerns tied to recordings – storage, sharing, and consent among them – that you need to consider.
This app offers substantial security and privacy because Apple uses end-to-end encryption to protect data as it travels between two or more devices. This makes it difficult, if not impossible, to hack into your call. Even Apple cannot decrypt the call. It is not stored on their servers, is not available to government agencies, and any analytics they capture to improve the app cannot be used to identify you according to their documentation. While Apple may record and store information about who you are calling or your network configurations, it is only stored for 30 days and does not show whether the call was answered. At the beginning of last year, a bug in group Facetime did make it possible for a hacker to secretly watch you and listen without showing that they had responded to the call. Apple quickly fixed that bug.
Facebook Messenger Video
After the debacle of data compromises during the last few years, I would think many of us would not trust Facebook to keep our data private, so users, beware! Still, a billion people communicate through Facebook Messenger every day, and it does use the same secure communication protocol seen in banking and e-commerce sites. As of 2016, Facebook added a security feature called “secret conversations,” which offers an encryption enhancement similar to default features from messaging apps WhatsApp (which Facebook owns) and Signal. The messages are end-to-end encrypted, which means not even Facebook can access them. However, while these encryption options are on by default in apps like WhatsApp and Signal, users must choose to activate encryption on Facebook Messenger.
I applaud the OCR for realizing the need to have providers and patients connect in whatever way they can to speed delivery of care and help stop the spread of this vicious virus. Like any care delivery, providers and payers need to be mindful that they are protecting patients’ privacy throughout their interactions. Those that do opt for telehealth services should at the very least regularly conduct an annual Security Risk Assessment to ensure they are not compromising patient data. That’s one HIPAA mandate that’s not going to change – pandemic or not.