According to a recent study by The Markup and STAT, 49 out of 50 telehealth platforms share sensitive data in ways that may harm healthcare clients and patients. Shared information can include detailed descriptions of health issues, names, street addresses, email addresses, diagnoses, and prescription information. Responsible clinicians are likely to ask whether this sharing of protected health information (PHI) by telehealth companies amounts to a violation of the Health Insurance Portability and Accountability Act (HIPAA).
Key aspects of HIPAA that might be relevant include:
- HIPAA requires covered entities (e.g., healthcare providers, hospitals, and health plans) and their business associates (e.g., the technology companies that run telehealth platforms) to safeguard the privacy and security of protected health information (PHI).
- PHI may be used or disclosed without authorization only for treatment, payment, and health care operations, or where the law requires it. Other uses, marketing included, require the patient's or client's written authorization.
- Covered entities must have a Business Associate Agreement (BAA) in place with any vendor that creates, receives, maintains, or transmits PHI on their behalf, so in practice they must only use technology platforms that offer BAAs.
According to The Markup and STAT report, dozens of telehealth startups send sensitive health information to "big tech" companies for marketing purposes. These big tech companies include the popular Internet advertising venues Facebook, Google, and Amazon. They do not deliver healthcare, are not covered entities, and have not signed BAAs with the platforms that send them this data, so they are not governed by HIPAA with respect to it. Telehealth platforms, on the other hand, are much smaller entities that serve telehealth professionals and their employers seeking to make contact with consumers or deliver HIPAA-compliant services to them. Depending on how they are structured, they may or may not be governed by HIPAA.
Clash of the Titans?
The issue at hand is rampant in the digitization of healthcare: technology companies and healthcare professionals operate with different backgrounds and agendas. Technology companies typically operate with an overriding profit motive, while clinicians operate with an overriding service motive. Understandably, companies are taught to maximize profits and answer to shareholders who insist on those profits, whereas clinicians are taught to serve the greater good, typically one vulnerable person or group at a time, and answer to HIPAA.
Backgrounds and agendas collide when small tech companies position themselves as go-betweens for clinicians to market services to consumers. In so doing, legal and ethical questions and possible obfuscation appear. Until the courts decide how to handle that obfuscation, or the marketplace makes its demands known, the problem will continue. Professionals unaccustomed to the lack of transparency typical of many Internet businesses will be left feeling duped and at risk of violating the law.
The issues surrounding the early iterations of Skype provide an example of how easily clinicians can misunderstand undisclosed factors. Starting in 2003, Skype was the behemoth of its day, connecting people worldwide through video and text messaging. In those early years, many uninformed clinicians chose Skype to connect with clients and patients despite being told by telehealth professionals (the author included) that Skype was not HIPAA compliant. Early efforts at telehealth training went unrecognized until the national behavioral health and other associations took a stand to expose the issue. In essence, clinicians did not understand HIPAA or were unmotivated to pay attention to it, and technology companies were not obligated to volunteer the potentially worrisome facts.
As a technology company, Skype was not legally obligated to deliver more than its promised videoconferencing, but erroneous assumptions by clinicians left them legally vulnerable under HIPAA, which had been enacted in 1996. Soon after clinicians and associations began demanding HIPAA-compliant services, Skype's owner, Microsoft, and many other video companies began offering HIPAA-compliant video services. Microsoft developed what is today known as Microsoft Teams, a paid service that can be configured to be HIPAA compliant. The original Skype still exists, and most professionals now understand its inappropriateness for healthcare.
Today, many video systems include providers’ profiles, broadscale consumer marketing in social media and other venues, and various back-end technology solutions to address record-keeping, billing, and much more. Newcomers to telehealth are likely unaware of the industry’s evolution or how their lack of knowledge leaves them legally and ethically vulnerable to harming the people they try to serve. The information below is offered to help the interested clinician better understand the risks and make wise choices when selecting telehealth platform providers.
How Can Telehealth Platforms Sharing PHI NOT Be Violating HIPAA?
Companies operating in highly competitive and lucrative healthcare markets are under pressure to generate profits, including from profit centers that are not visible to the average Internet user. For over a decade, many telehealth platforms have had tools at their fingertips to collect visitor and patient data and build campaigns that target website visitors on social media.
A visitor may drop into a telehealth website to look at options and pricing, then find ads for that company at the top of the results when they search for similar companies. Visitors may also be reminded of the company through "remarketing" campaigns in search engines, and again when they visit their favorite social media pages, where a similar ad campaign can be queued up automatically to point them back to the original telehealth platform. These campaigns can be so precise that first-time visitors receive one advertising campaign, repeat customers get another, and clients and patients who rang the cash register but discontinued purchases get yet another. To make matters worse, telehealth companies may also cut corners by violating visitor privacy in other ways behind the scenes, knowing that they are unlikely to get caught until reports such as The Markup and STAT's are released.
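The remarketing described above works because the platform's web pages load scripts and invisible "pixel" images from advertising networks, and those requests carry the page visited (and, depending on configuration, form field names and values) to the advertiser. The following is an added example, not code from Telehealth.org, The Markup, or STAT: a first-pass check a clinician's IT contact could run on a platform's intake page to see which third-party hosts it contacts and whether health-related form fields sit on the same page. The sample HTML is constructed for this example, the list of ad-tech hostnames is an assumption of mine (these are well-known endpoints, but the list is illustrative, not exhaustive), and the keyword heuristic for "sensitive" field names is likewise an assumption. Nothing here is a finding about any particular vendor.

```python
"""Static audit of a telehealth page for third-party trackers (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# ASSUMPTION: illustrative list of hosts used for advertising/remarketing
# tags. Extend it with whatever your own browser network capture shows.
KNOWN_ADTECH_HOSTS = {
    "connect.facebook.net": "Meta Pixel (script)",
    "www.facebook.com": "Meta Pixel (image beacon)",
    "www.googletagmanager.com": "Google Tag Manager / Google Ads",
    "www.google-analytics.com": "Google Analytics",
    "googleads.g.doubleclick.net": "Google Ads remarketing",
}

# ASSUMPTION: crude keyword heuristic for form fields likely to hold PHI.
SENSITIVE_FIELD_KEYWORDS = (
    "concern", "medication", "symptom", "diagnos", "prescri",
    "condition", "dob", "birth", "insurance",
)


class ResourceCollector(HTMLParser):
    """Collect the URLs of tags that trigger network requests, plus form field names."""

    _request_attrs = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self) -> None:
        super().__init__()
        self.urls: list[str] = []
        self.form_fields: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        a = dict(attrs)
        attr = self._request_attrs.get(tag)
        if attr and a.get(attr):
            self.urls.append(a[attr])
        if tag in ("input", "textarea", "select") and a.get("name"):
            self.form_fields.append(a["name"])


def audit_page(html: str, site_host: str) -> dict:
    """Return third-party hosts contacted by the page, sensitive-looking
    form fields, and whether ad-tech loads on a page that collects them."""
    parser = ResourceCollector()
    parser.feed(html)

    third_party: dict[str, str] = {}
    for url in parser.urls:
        host = urlparse(url).hostname
        # Relative URLs (hostname None) and the site's own subdomains are first-party.
        if host is None or host == site_host or host.endswith("." + site_host):
            continue
        third_party[host] = KNOWN_ADTECH_HOSTS.get(host, "unidentified third party")

    sensitive = [
        f for f in parser.form_fields
        if any(k in f.lower() for k in SENSITIVE_FIELD_KEYWORDS)
    ]
    adtech_loaded = any(h in KNOWN_ADTECH_HOSTS for h in third_party)
    return {
        "third_party_hosts": third_party,
        "sensitive_fields": sensitive,
        "adtech_on_intake_page": adtech_loaded and bool(sensitive),
    }


# Constructed sample: a hypothetical intake page on telehealth.example
# (a reserved example domain) that loads a tag manager and a Meta Pixel.
SAMPLE_INTAKE_PAGE = """
<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://cdn.telehealth.example/site.css">
</head><body>
<form action="/intake" method="post">
  <input name="full_name"><input name="email">
  <input name="primary_concern"><select name="current_medications"></select>
  <textarea name="symptoms"></textarea>
</form>
<img src="https://www.facebook.com/tr?id=000&amp;ev=PageView&amp;noscript=1" height="1" width="1">
</body></html>
"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_INTAKE_PAGE, "telehealth.example")
    for host, what in report["third_party_hosts"].items():
        print(f"third party: {host:32} {what}")
    print("sensitive fields:", report["sensitive_fields"])
    print("ad-tech on intake page:", report["adtech_on_intake_page"])
```

This only inspects the HTML a page ships with. Tag managers load further trackers at runtime, so the stronger check is a browser network capture (a HAR export from the developer tools) of a full visit, including the logged-in intake flow, which also shows what the requests actually carry. A clean result from either check says nothing about what the vendor does server-side; that is what the written questions and the BAA are for.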
Relevant HIPAA Requirements
In its early years (1996-2013) HIPAA had little practical "teeth": penalties were rarely enforced, and the rules were easily disregarded on an Internet where the push for profits overrode patient protections.
- Today, telehealth companies can most easily avoid legal repercussions for sharing PHI by offering their services without a Business Associate Agreement (BAA), the written promise from a vendor to a covered entity that the vendor will follow all applicable HIPAA regulations. Clinicians working with such companies are at risk of shouldering the legal responsibility for choosing inappropriate technology.
- This concern was addressed in 2013 by the HIPAA Omnibus Rule, which made business associates directly liable for compliance and, for the first time, held covered entities responsible not only for ensuring their technology vendors sign BAAs but for the legal consequences of failing to do so. Clinicians were made fully responsible for choosing reputable telehealth platforms that offer BAAs.
- Given that many clinicians jumped into telehealth to serve their clients during COVID, they may not yet have enough HIPAA-related telehealth training to be aware of these nuanced requirements or the potentially serious repercussions.
How Else Are Telehealth Companies Using PHI Without Violating HIPAA?
Telehealth companies claiming to be "pass-through" entities that function much like phone companies (the so-called conduit exception) may also leave clinicians vulnerable to violating HIPAA. Although not exhaustive, the outline below of technical, sometimes hidden maneuvers may help the reader understand how a technology company can easily exploit an unwitting clinician or employer:
- Obfuscation. Telehealth platform companies may offer HIPAA-compliant services but secure only some of them. Clinicians can be offered tools for consumers to complete polls, satisfaction surveys, assessment scales, psychological tests, diaries, or web pages that ask for direct consumer input after logging in, but those pages may not be secured. (This is easy to do when a platform's different features are hosted on different servers or by different subcontractors, only some of which are covered by the vendor's HIPAA controls.)
- Because oversight is scarce, securing only a portion of their services is an easy way to cut corners and increase profits. Companies can readily produce HIPAA-compliance certificates for some of their services, while clinicians and other covered entities remain unaware of which services run on which servers.
- Companies offering practice management software also may not secure the software used for such internal management. Names, addresses, and the full range of patient records can then be exposed to hackers and other attackers.
- Misrepresentation. Some technology platforms offer BAAs but do not adhere to them. Technology companies are notorious for saying one thing about adhering to their privacy policies and doing another. See Privacy Policies over Time: Curation and Analysis of a Million-Document Dataset for a disappointing historical analysis of privacy trends on the Internet.
- Also at issue with misrepresentation is the potential for false assurances by the technology company. The Federal Trade Commission (FTC) prohibits deceptive claims on websites, including but not limited to healthcare websites.
- Telehealth platforms may also fail to properly secure remote access to their systems, fail to properly screen employees (particularly those based in other countries), or fail to adequately train employees on the procedures that prevent HIPAA breaches.
Telehealth Companies May Be Disregarding Other Laws
Aside from HIPAA, Internet privacy laws require that consumers be informed of, and consent to, how their information will be used and disclosed. This issue is amplified if the company is located in California, because the California Consumer Privacy Act (CCPA) requires additional consumer protections. However, some groups contend that the CCPA is toothless because its enforcement mechanisms are still not clearly defined. In many cases, technology companies may know they are violating the law, but these violations often go unaddressed by the authorities. In essence, for profit-driven companies, the marketing advantages of selling this information may far outweigh the risks of secretly sharing PHI to improve their visibility to consumers.
The issue of telehealth startups sending sensitive health information to big tech companies highlights the need for careful oversight of the telehealth industry. It also raises questions about the role of big tech companies in the healthcare industry and their potential for conflicts of interest.
What To Do Now?
If the responsible reader becomes uneasy about the answers they get when asking direct questions of telehealth companies, difficult and possibly expensive choices will undoubtedly follow:
- Does the reader keep quiet, seek legal counsel, or switch to another platform?
- Do they file a complaint with the Office for Civil Rights (OCR), which is responsible for enforcing HIPAA regulations in the United States?
- If the reader is Canadian or a citizen of any other country, which federal department might be involved in that country?
Professionals may also wish to consider their ethical responsibilities once they learn that one or more of their vendors are tracking PHI.
Primary responsibility for privacy lies with the professional choosing a technology. Ignorance is not a defense in the face of HIPAA or any other law. It is never too late to ask the right questions. By reviewing how telehealth companies can misuse PHI, as outlined above, the adept reader can develop a detailed list of questions to ask any telehealth company.
- Ask direct questions about each piece of software and each server used, to fully uncover weaknesses in a vendor's technology stack (the mix of software, hosting, and third-party services behind their websites).
- Ask all questions in writing and insist that the telehealth platform company give all answers in writing.
Although making such a decision may have negative consequences, most professionals would choose to err on the side of the greater good. In addition to considering the above options, professionals may want to:
- Enable the maximum levels of security on their computers and devices and encourage clients and patients to do the same.
- Take professional development training to earn CMEs, CNEs, or CE credits and contact hours for their efforts toward understanding HIPAA and telehealth requirements.
- Share findings about specific companies that have satisfactorily answered direct questions, in the comments below, along with any other relevant thoughts, questions, or comments.
PHI may be shared using a lawful BAA but only that information necessary to support provider health care operations. The information must be the minimum necessary.
Good point, Michael. Thank you.