Is Medical Data Privacy In Jeopardy Because of COVID-19?

June 24, 2020 - 9 minutes read

Telemedicine is often touted as a remedy for at-risk patients, those in rural areas, and regions that are experiencing a shortage of physicians. Since the COVID-19 pandemic started, it has been especially helpful in keeping people healthy; being able to get in touch with your doctor while avoiding unnecessary infection risk is priceless.

As a result, the US federal government has loosened its patient privacy rules to expand telehealth access. This allows patients to get in touch with a doctor immediately and enables the government to obtain patient data more quickly. But it also has long-lasting consequences for private medical data and HIPAA (Health Insurance Portability and Accountability Act) enforcement.

How COVID-19 Has Affected HIPAA

HIPAA was constructed to protect patients by regulating how providers can share and collect their personal medical information. It also places restrictions on how electronic medical records are shared and stored. If a data breach occurs, there is a set of steps that providers must take, including notifying patients about what type of information was taken in the breach. And lastly, if there are any violations of HIPAA, there are rules about penalties.

However, during this pandemic and international crisis, the Department of Health and Human Services (HHS) won’t be enforcing some of these HIPAA requirements.

Before the pandemic, doctors could only use HIPAA-compliant medical applications to conduct video consultations. This protected the patient by requiring encryption and other layers of privacy. Software vendors had to sign legally binding contracts with providers covering how the patient’s data would be used and shared, and there had to be a plan in place in case a data breach occurred.

After the rules were temporarily changed federally, doctors have been able to use any service they want to conduct telemedicine. This includes services that many of us use to get in touch with family and friends: FaceTime, Skype, Facebook Messenger, and Google Hangouts. But completing check-ups, prescribing medication, and even diagnosing illnesses (including COVID-19) through these platforms carries some concerns.

Convenience Comes at a High Cost

Even though this may be incredibly convenient for the patient, conducting telehealth through platforms such as FaceTime and Zoom is a major risk. San Francisco-based developers such as Google, Apple, and Facebook have all come under intense scrutiny for listening in on conversations and general data privacy concerns. And not all of these services utilize end-to-end encryption.

It’s not safe to talk about private medical issues on platforms run by companies that don’t restrict their own employees from listening in on a live video conference. In fact, it would be a major HIPAA violation if medical information were stolen, shared, or used without the patient’s consent by a third party that was never given permission to do so.

Alcoholics Anonymous has been holding meetings on Zoom, but the organization, which serves to provide a sobriety program for those suffering from alcoholism, has been the victim of “Zoom bombings” already. Malicious hackers jump into the meetings and taunt alcoholics who are trying to recover and remain sober.

Zoom is a notoriously insecure piece of software, with major vulnerabilities reported months before the pandemic even began. In April, The Washington Post showed that Zoom’s file-naming system was weak; Zoom videos, including one-on-one therapy sessions that were meant to be 100% private, were being published publicly.

Sharing Medical Data Within Reason

Mark Rothstein is the Director of the Institute for Bioethics, Health Policy, and Law at the University of Louisville School of Medicine. He says that HIPAA’s health data standards of protection are lax, but that the changes were understandable to help patients gain access to telemedicine.

Before the pandemic, providers were directly responsible for their patients’ medical records. They were required to share records with health authorities; for example, if an outbreak occurred, a hospital would send data to the Centers for Disease Control and Prevention.

But with the lax laws, healthcare providers are now allowed to share patient data with “business associates.” Often, these “business associates” are third-party companies that are contracted to handle sensitive patient data.

Pam Dixon is the Executive Director of the World Privacy Forum, and she questions why these business associates have the power to turn data over to authorities in a process that the medical provider would usually handle. Because of their training, health professionals would know better than their business associates how to redact their patients’ records.

Furthermore, the data has to be used for “health oversight” reasons, and this is extremely vague and allows for data misuse. For example, it could be used to track down people who haven’t paid their child support in a while.

Enforcing HIPAA Regulations

Peter Swire, Professor of Law and Ethics at the Georgia Institute of Technology, worked on the HIPAA guidelines when they were first created under the Clinton administration. He says that opening up the power to share data with third-party businesses makes sense, but only if done temporarily. Because this health crisis is extraordinary, the actions the federal government has taken are reasonable, and sharing data with the CDC helps us track the disease more accurately.

Although provider responsibilities have changed under the new rules, patients’ rights have remained largely the same. Patients can still request copies of their electronic medical records. They also have the right to ask how their medical data is being used.

In the past, penalties for HIPAA violations were rare. Only a few of the major medical data breaches have resulted in fines. However, the unlucky few that were fined faced a big penalty, in the range of millions of dollars, depending on how severe the breach was.

The HHS says that health care providers are still required to “act in good faith”, and they must continue to protect their patients’ data as much as possible. But, if a provider experiences a data breach, the HHS said they likely won’t be penalized during this time.

Patients Must Take Measures to Protect Themselves

The best thing we can do as patients is to push our providers to use a more secure telemedicine service, even if it means contending with an extra program on our computers. By protecting yourself during appointments, there is less of a chance of your information leaking to a third party without permission.

And, if possible, be sure to inquire about any business associates that your provider may be sending your data to for handling purposes. Of course, it’s impossible to protect yourself during a general provider data breach, but taking steps to protect yourself during telemedicine appointments can help ease anxiety about this new technology.

Have you conducted any video consultations with your doctor? How did it go, and what platform did you use to communicate? Let us know in the comments below!
