​ Cover story two

Telehealth and Data Privacy

Important questions to ask

By Twila Brase, RN, PHN

elemedicine use skyrocketed during the Covid-19 crisis. While telehealth technologies to practice medicine were used before Covid-19 struck, virtual visits rose to nearly one million per week by the end of April 2020. Nearly 80% of cardiology, gastroenterology, pulmonology and respiratory physicians polled said their use of virtual care technology has increased,” reported Healthcare IT News on August 26, 2020.

What concerns might patients have?

Telehealth, according to the American Academy of Family Physicians, “refers broadly to electronic and telecommunications technologies and services used to provide care and services at a distance.” Telemedicine, on the other hand, is “the practice of medicine using technology to deliver care at a distance.

Telehealth includes video chat or over the phone conversations with a physician or the use of text messages, emails, and remote monitoring devices. In short, telehealth services permit clinicians to virtually enter a patient’s home to do an online examination, conduct a therapy session, or potentially to monitor a patient’s health 24/7.

After the Trump Administration issued the emergency declaration on March 13, 2020, the Centers for Medicare and Medicaid Services (CMS) expanded Medicare payments for telehealth services, permitting them to take place at any location, including private homes. Furthermore, co-payments were waived.

​The so-called federal HIPAA privacy rule is a misnomer.

While telemedicine and the use of various telehealth services offer patients, physicians and health care systems a variety of benefits—protection from Covid-19 at the clinic and providing and receiving care from the comfort of one’s home come to mind—there are risks. “At every step of the process, adverse events may occur, including diagnostic errors, technical glitches, and patient/client privacy and security violations,” reports Health Perspective. Although the issue of missed diagnoses is a very serious issue, if you google “telehealth risks” three items pop up: privacy risks, cyber risks, and compliance risks.

Privacy Risks

Privacy and security risks are real. Consider the fact that clinics do not videotape patient encounters in the exam room. The only record of the visit is the data recorded in the medical record. Thus, patients may have questions about video visits that their telemedicine consent form may not answer. For example, are practices and hospitals recording and storing these videotaped encounters? What data is being retained and how is it being used? If there’s a third-party telehealth service, like Zoom, what data does the telehealth company retain? Indeed, after CMS approved Zoom for telemedicine visits, Zoom created a “HIPAA Compliance Guide.”

The digital era has enhanced privacy concerns. Some wonder if telehealth services are compliant with HIPAA regulations. That’s a good question, but it might not be the best question.

The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not protect privacy. The so-called federal HIPAA privacy rule is a misnomer. Within the government and industry, HIPAA is considered a permissive data-sharing rule that allows for broad access to patient data without patient consent—potentially shared with 702,000 “covered entities” and 1.5 million business associates if those who hold the data (the covered entities) permit access and use. The patient has nothing to say about it, unless there’s a stronger state privacy law. Under the “state preemption” provision of HIPAA, if they exist, more-protective state laws must be followed.

​

If no state law exists, HIPAA permits a wide range of data-sharing, such as for “health care operations”—a term with a definition nearly 400 words long. It’s a list of about 65 non-clinical business activities that can use and share data without patient consent. Data can also be shared for 12 “national priority purposes,” such as public health, research, organ donation, and judicial proceedings.

HIPAA does have guidelines for telemedicine. Regarding ePHI (electronic protected health information), according to the HIPAA Journal:

•  Only authorized users should have access to ePHI.
•  A system of secure communication should be implemented to protect the integrity of ePHI.
•  A system of monitoring communications containing ePHI should be implemented to prevent accidental or malicious breaches.

However, when CMS expanded access during the Covid crisis, it loosened security requirements: “Health care providers will not be subject to penalties for violations of the Privacy, Security and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

Cyber Risks

The CMS FAQs on Telehealth and HIPAA includes a list of acceptable telehealth video platforms such as Apple Facetime, Facebook Messenger video chat, Zoom or Skype. Various texting platforms are also listed.

Cyber security remains a risk, especially on unsecured networks. Just last year, 41 million patient records were breached, according to Protenus.

 Seventeen of the top 20 largest breaches of 2019 happened through the health care provider’s data system. These breaches could dramatically increase due to the expansion of telehealth.

A study of 20 Covid-19 mobile apps conducted by International Digital Accountability Council (IDAC), a nonprofit watchdog, found some apps were sharing user data with companies like Google, Crashalytics, and Branch.io. Two apps were collecting the Android Advertising ID, an identifier used for advertising purposes.

​Coerced consent is not consent.

The IDAC study also found advertising SDK files embedded within the app’s programming. SDKs (software development kits) are third-party “packages of code and other assets that provide a specific function within an app.” The study discovered a US-based symptom checker and telehealth app, Kencor COVID-19, using Google Ads, an advertising SDK, and the Crashlytics analytics SDK.

IDAC could not conclude if the data was being shared or not, but stated the following:

“In our view, SDKs should not be present in COVID-19 apps because of the potential for these SDKs to collect personal information. The presence of these SDKs does not necessarily imply that the SDK is actively transmitting user data to third parties. Nevertheless, the use of these mixed-purpose SDKs presents a challenge and additional burden on the developer to ensure that the ad and analytics components are not being used or are disabled to prevent the inadvertent transmission of personal data to third parties.”

Amazingly, according to IDAC, two of the apps were submitting data to the CDC using unsecure lines. Although the specific content of the transmissions could not be found, researchers were able to access the user’s metadata, the mobile carrier, and the operating system of the device. Only four apps explicitly mentioned anonymization of user data but it’s unclear how the apps defined the term, or whether the data could be re-identified.

As a side note, since HIPAA permits data-sharing without patient consent, the fact that most telehealth apps are not regulated by HIPAA should not be of concern. The bigger concern is the fact that these apps share information with third parties.

Patient willingness to participate in telemedicine will depend on whether they trust that the examination and conversation taking place through cyberspace is confidential.  The key to this trust is informed consent and the right to limit the sharing and retention of their data.

​

Compliance Risks

Most states rely on HIPAA—many legislators wrongly believe HIPAA protects privacy—but Minnesota has a strong privacy law that supersedes HIPAA. The Minnesota Health Records Act limits data sharing without patient consent, and must be followed rather than HIPAA.

Unfortunately, many health care facilities in Minnesota have created coercive “single-signature” consent forms that include not only consent for treatment and billing, but for data-sharing, research, and much more. Many patients, in a vulnerable state and in need of care, are afraid to object. Some consent forms and clinic personnel, in violation of state law, tell patients they cannot object if they want treatment.

While the Minnesota law on telemedicine (M.S. 147.033) does not specifically require patient consent, it states, “A physician providing health care services by telemedicine in this state shall be held to the same standards of practice and conduct as provided in this chapter for in-person health care services.” Thus, consent is required, but it should be informed voluntary consent for data-sharing. Coerced consent is not consent.

Telehealth is another new frontier in medicine and much needed rules and regulations are evolving before our eyes. As physicians continue to incorporate telehealth into their practices, it is important for them to lend their voices to help shape new policies, especially ones insuring the fidelity of physician-patient confidentiality and data privacy.

Twila Brase RN, PHN, iis the President and Co-founder of the Citizens’ Council for Health Freedom (CCHF). She is the author of Big Brother in the Exam Room: The Dangerous Truth About Electronic Health Records and  presenter of  “Health Freedom Minute” which is  heard on more than 800 radio stations in 47 states.