Embracing Telehealth: Protecting Our Data in a Medical Revolution

The world changed when the pandemic came upon us, and so did healthcare. Telehealth visits with our care teams were available, but not as prevalent as they are now. We could message our doctors via secure patient portals or call a nurse and ask for advice. However, with the introduction of video, as well as new devices and apps, how is our privacy as patients affected? 

Telehealth can be defined as “the use of electronic information and telecommunications technologies to support long-distance clinical health care, patient and professional health-related education, public health and health administration.” The majority of us have now had a telehealth visit with one of our doctors via video or phone. They have seen into our lives at home, and we may have seen into theirs. While this can make for a personal, more intimate encounter, we also have to think of privacy. According to the Department of Health and Human Services, the Office of Civil Rights (OCR), which is responsible for enforcing Health Insurance Portability and Accountability Act (HIPAA) regulations, “will not impose penalties for noncompliance with the regulatory requirements …against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” What this means is that providers may use video-conferencing services, including Zoom, Apple Facetime, Skype, etc., without risking noncompliance under HIPAA. Therefore, it is up to the patient to review the privacy policy(ies) of the software being used. 

Additionally, recording these visits for our own personal use to listen to later and/or share with family members and caregivers may come into play just as if it were a regular in-person visit. But is this legal? Each state has its own statute that varies on whether one or two parties must consent (single-party vs. all-party jurisdictions). As of 2020, 39 out of 50 states as well as the District of Columbia are single-party jurisdictions where only one party has to consent. The remaining 11 states (California, California, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon, Pennsylvania, and Washington) require both the patient and the healthcare provider to consent, and failing to ask for permission is considered a felony. Additionally, HIPAA does not extend to any recordings made by the patient. 

What about the use of apps? There are more than 300,000 health-related apps on the market today, with a 37% increase in usage since the pandemic began, especially in the area of mental health. With apps for everything from tracking our weight and heartbeat to counting the number of steps we take and the hours of sleep we get, it’s hard not to interact with one of these apps to streamline our lives and make them a little simpler. When it comes to the collection of data, however, how do we know what’s protected under HIPAA? Covered entities under HIPAA include healthcare clearinghouses, most healthcare providers, and health plans. However, if an organization is creating an app on behalf of a covered entity (or one of the covered entity’s contractors), they are considered a business associate, meaning they must comply with HIPAA rules and regulations. This helpful website provides different scenarios on whether or not an organization would be covered. This means that we, as patients, must be cautious in what types of data are being collected and how it might be used, which can usually be found in an app’s privacy agreement or policy. 

This also extends to use of wearable devices, including FitBits, Apple Watches, glucose monitors, and biosensors that collect patient-generated health data. According to a Gallup poll conducted at the end of 2019, 19% of U.S. adults wore a wearable fitness tracker, and a 2019 Washington Post article reported more than 3 million consumers wore a medical alert device. But how is this data regulated? When we collect data for our own purposes, the data does not fall under HIPAA regulations. However, should a healthcare provider ask a patient to submit data from that device and integrate it into their organization’s EHR system, a covered entity, it becomes protected by HIPAA. 

In conclusion, is telemedicine safe? The quick answer is yes and no. In an article released by the Patient Safety Network of the Agency for Healthcare Research and Quality, two physicians noted that “Studies have shown that telemedicine promotes continuity of care, decreases the cost of care, and improves patient self-management and overall clinical outcomes.” However, new technologies present new challenges that have to be worked through. This means that more research needs to be conducted and improvement processes be put in place to ensure protection of patient data. In the meantime, here are some safeguards healthcare organizations may put into place to establish peace of mind for patients: 

  • Be aware of updates from the OCR related to HIPAA 
  • Train providers and staff on policies, practices, and protocols for using telehealth services 
  • Make sure that your telemedicine portal confirms the security of patient data through the use of incident reporting, monitoring of security events, and strong levels of encryptions 
  • Have a strong authentication method, preferably two-factor 
  • Create a detailed audit log of user logins and meeting connections