With millions of Americans still under lockdown during the coronavirus outbreak, doctors have turned to telemedicine—video conferencing with patients to prescribe medication, give checkups, and even diagnose COVID-19 and other illnesses. Remote visitation technology has turned into such a necessity that some states, like Massachusetts, have taken emergency action to expand access.
To facilitate those efforts, the federal government has relaxed its rules around patient privacy. Those changes have made it easier for doctors to see patients remotely and for government agencies to obtain patient data during the crisis.
The sharing and privacy of medical data in the United States is regulated under a law called the Health Insurance Portability and Accountability Act, or HIPAA, which includes strict rules about how health care providers can collect and share personal health information on patients, limiting how electronic records are stored and shared, requiring notifications for data breaches, and setting up penalties for violations. But some HIPAA requirements won’t be enforced by the Department of Health and Human Services (HHS) for the duration of the crisis.
Under HIPAA, before the temporary rule changes, doctors could do video consults with patients only by using HIPAA-compliant vendors, which were required to use encryption or other data privacy measures. Those vendors had to sign contracts with the health care providers governing data use and protections, and to notify health care providers about breaches. Those rules are now relaxed, meaning doctors can use essentially any service they like. Among those are popular options like FaceTime, Facebook Messenger, Skype, and Google Hangouts.
This means doctors can rapidly meet patients through services they likely already use. With so many patients trying to see their doctors remotely, the change gives health care providers a quick solution.
But the adoption of software with fewer protections could raise privacy concerns. Alcoholics Anonymous meetings have already been targets of “Zoom bombings,” with malicious visitors heckling recovering alcoholics. In April, The Washington Post reported that thousands of Zoom videos, including one-on-one therapy sessions, were publicly available due to the software’s file-naming system.
Mark Rothstein, director of the Institute for Bioethics, Health Policy, and Law at the University of Louisville School of Medicine, has criticized HIPAA’s protection standards for health data as lax but said the video consultation rule changes were reasonable as “a temporary way of attempting to facilitate the use of telehealth.”
“I have a lot of problems with many of the HIPAA privacy rule provisions,” he said, “but this doesn’t really bother me.”
Sharing Patient Records with the Government
Health care providers are directly responsible for sharing records with health authorities under HIPAA. A hospital, for example, could provide data to the Centers for Disease Control and Prevention in an attempt to fight an outbreak of an illness.
But the power to share that information has now also been extended to “business associates” of health care providers—outside companies that are contracted to handle health data.
Pam Dixon, executive director of the World Privacy Forum, questioned the decision to give business associates the power to turn over patient data. Associates could have access to millions of patient records to give to officials, she said. Health care providers, recognizing the sensitivity of patient records, may take steps to shield them that their business associates may not.
While the data must be used for “health oversight” purposes, Dixon said this is a broad enough term that the data, once obtained by health authorities, could be used to track down parents who’ve failed to pay child support, for example.
“That is unheard of, it’s unprecedented, and it’s just really poor policy,” Dixon said. She recommends that health care providers be given veto power over disclosures by their business associates.
Peter Swire, a professor of law and ethics at the Georgia Institute of Technology who worked on the creation of HIPAA during the Clinton administration, said that allowing businesses to provide data directly to health authorities makes sense, at least temporarily. The crisis, he said, is extraordinary, and taking the action was reasonable under the dire circumstances. “There’s a public health emergency,” he said, “and we want to get the data to public health agencies as quickly as we can.”
Despite the changes, patients’ rights under HIPAA largely remain intact—patients have a right to copies of their electronic health records and to inquire about the uses of their information. During the pandemic, hospitals haven’t been required to meet some of those requirements, but only for a limited, 72-hour window after declaring an emergency health disaster.
Even outside of a disaster, though, penalties for violations of HIPAA are rare. In past years, only a fraction of major health data breaches have led to fines. But when they do come, the penalties can be stiff: A health care provider can face millions of dollars in fines for failing to protect patient data, depending on the severity of an incident. The recent policy changes mean health care providers can experiment with telehealth, and business associates can work more closely with health authorities, with much less risk.
HHS has said that health care providers still must act in “good faith”—they can’t, for example, use the change as a pretext to collect and sell patient data. But otherwise, the agency has said that it generally won’t take action for any mishaps. The agency said care providers won’t be penalized even if one of them “experiences a hack that exposes protected health information from a telehealth session.”