Medical Privacy Gets Complicated as Doctors Turn to Videochats
Health comes first, privacy experts say, but when you have a choice, it's best to use a service that complies with HIPAA
Ash Bowen M.D., a urologist with the University of Oklahoma Health Sciences Center in Edmond, started rescheduling patients' appointments on March 18.
To slow the spread of coronavirus, the university said that essential procedures could still be carried out in person, but any other appointments had to be put off until June or conducted remotely. “We got about a week heads-up,” Bowen says.
The university has a contract with a telemedicine service called Amwell to let doctors videochat with patients. The software is built to protect medical privacy and security, but some patients ran into difficulties using it. Bowen felt compelled to turn to other services, even if they weren't set up for healthcare. "For those who had trouble," he says, "we had to use Skype and Zoom."
Doctors attached to a large hospital, like Bowen, are likely to already have an arrangement with a telemedicine provider. These services meet strict privacy and security guidelines laid out by HIPAA, the Health Insurance Portability and Accountability Act.
Services That Comply With HIPAA
The Department of Health and Human Services Office for Civil Rights (OCR)—that’s the agency charged with enforcing health privacy rules—provides a short list of video conferencing services that say they’re HIPAA-compliant. The list may not include every service:
- Amazon Chime
- Cisco Webex Meetings and Webex Teams
- Google G Suite Hangouts Meet
- Skype for Business and Microsoft Teams
- Spruce Health Care Messenger
- Zoom for Healthcare
To follow HIPAA, a teleconferencing service needs to sign a “Business Associate Agreement,” or a BAA, with the healthcare provider who wants to use it. The service needs to guarantee that it will follow the same kinds of privacy rules a doctor would.
Personal health information, whether it's videos or electronic medical records, needs to be encrypted so that only the patient, the healthcare provider, and other authorized people can access it. A teleconferencing company can't share any identifiable patient data for purposes healthcare providers haven't approved, and it needs to undertake security audits to make sure that data is well protected.
“HIPAA ensures a level of accountability,” says James Koons, a founding partner at the consulting firm Data Privacy & Security Advisors. Businesses that sign BAAs and then break the rules can be liable for civil and criminal penalties. Businesses also need to report significant data breaches and make information about their practices available to the Department of Health and Human Services.
The rules don't apply to typical video conferencing services meant for consumer or corporate communications. During the coronavirus emergency, however, the OCR has relaxed its enforcement so that doctors can use such services to reach patients.
“The priority at this moment, with this crisis, is to make it as easy as possible for people to get to healthcare where they are on the devices that they have,” says Roger Severino, director of the OCR, in discussing the agency's decision to relax the rules. “We're taking these steps to be as flexible and nimble as possible.”
But the agency says services designed for shared broadcasts—like Twitch, Facebook Live, and TikTok—still aren’t allowed or appropriate for telemedicine.
What You Can Do
Your doctor should be able to tell you whether a service he or she is suggesting is HIPAA-compliant, but Koons says a quick visit to a company’s website can help clear things up as well.
Koons says services that make the effort to comply with HIPAA usually go out of their way to explain the procedures they follow. For instance, a long document on GoToMeeting’s telehealth services website provides details about technical safeguards like encryption and how the app is configured to keep calls private.
On the other hand, Koons says you shouldn't rest easy just because you see the word "HIPAA" somewhere on a website. Some companies that aren't legally obligated to follow health privacy guidelines use the phrase "HIPAA compliant" for marketing purposes.
Technically, such a company might be complying with HIPAA; that's easy if it isn't covered by the law at all. Imagine a bag of apples labeled "gluten free" and you get the idea.
Adding a layer of confusion, some companies offer some products that are HIPAA-compliant and others that aren't. Examples include Google, GoToMeeting, Skype, and Zoom. (The consumer version of Zoom has been beset by privacy concerns, but a Zoom spokesperson says the HIPAA-compliant product has much stricter protections.)
Bowen, the Oklahoma urologist, eventually found a workaround that was both HIPAA-compliant and easy for patients to figure out. Doxy.me, a service built for telehealth communications, offers a free version that doctors can set up in a matter of minutes, and patients don’t need to download special software.
You can ask your provider to set up Doxy.me or another HIPAA-compliant videoconferencing service, but that's not always possible.
If you and your doctor don't need to see each other during a consultation, a spokesperson at the American Medical Association offers a simpler solution: “Patients can speak to their physicians via telephone." It's old-fashioned—and private.