The world changed when the pandemic came upon us, and so did healthcare. Telehealth visits with our care teams were available, but not as prevalent as they are now. We could message our doctors via secure patient portals or call a nurse and ask for advice. However, with the introduction of video, as well as new devices and apps, how is our privacy as patients affected?
Additionally, recording these visits for our own personal use to listen to later and/or share with family members and caregivers may come into play just as if it were a regular in-person visit. But is this legal? Each state has its own statute that varies on whether one or two parties must consent (single-party vs. all-party jurisdictions). As of 2020, 39 out of 50 states as well as the District of Columbia are single-party jurisdictions where only one party has to consent. The remaining 11 states (California, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon, Pennsylvania, and Washington) require both the patient and the healthcare provider to consent, and failing to ask for permission is considered a felony. Additionally, HIPAA does not extend to any recordings made by the patient.
What about the use of apps? There are more than 300,000 health-related apps on the market today, with a 37% increase in usage since the pandemic began, especially in the area of mental health. With apps for everything from tracking our weight and heartbeat to counting the number of steps we take and the hours of sleep we get, it’s hard not to interact with one of these apps to streamline our lives and make them a little simpler. When it comes to the collection of data, however, how do we know what’s protected under HIPAA? Covered entities under HIPAA include healthcare clearinghouses, most healthcare providers, and health plans. However, if an organization is creating an app on behalf of a covered entity (or one of the covered entity’s contractors), it is considered a business associate, meaning it must comply with HIPAA rules and regulations. This helpful website provides different scenarios on whether or not an organization would be covered. This means that we, as patients, must be cautious about what types of data are being collected and how they might be used, which can usually be found in an app’s privacy agreement or policy.
This also extends to the use of wearable devices, including Fitbits, Apple Watches, glucose monitors, and biosensors that collect patient-generated health data. According to a Gallup poll conducted at the end of 2019, 19% of U.S. adults wore a wearable fitness tracker, and a 2019 Washington Post article reported more than 3 million consumers wore a medical alert device. But how is this data regulated? When we collect data for our own purposes, the data does not fall under HIPAA regulations. However, should a healthcare provider ask a patient to submit data from that device and integrate it into the EHR system of their organization, a covered entity, the data becomes protected by HIPAA.
In conclusion, is telemedicine safe? The quick answer is yes and no. In an article released by the Patient Safety Network of the Agency for Healthcare Research and Quality, two physicians noted that “Studies have shown that telemedicine promotes continuity of care, decreases the cost of care, and improves patient self-management and overall clinical outcomes.” However, new technologies present new challenges that have to be worked through. This means that more research needs to be conducted and improvement processes be put in place to ensure protection of patient data. In the meantime, here are some safeguards healthcare organizations may put into place to establish peace of mind for patients:
- Be aware of updates from the OCR related to HIPAA
- Train providers and staff on policies, practices, and protocols for using telehealth services
- Make sure that your telemedicine portal confirms the security of patient data through the use of incident reporting, monitoring of security events, and strong levels of encryption
- Have a strong authentication method, preferably two-factor
- Create a detailed audit log of user logins and meeting connections
Carly Flumer is a young woman who was diagnosed with stage I papillary thyroid cancer at the age of 27. She recently received her Master’s degree from Boston University in Health Communication and received her Bachelor’s from George Mason University in Health Administration and Policy. While being diagnosed with the “C” word at such a young age was a surprise, as it would be to anyone, she found strength, support, and inspiration in sharing her cancer journey on social media. As a result of her health outcome, she looks to advocate for other cancer patients through education, research, and health literacy.