You know when you go to your health care provider the first time and they make you sign that form about HIPAA? If you’re like many people, you probably didn’t take the time to read it all the way through. But HIPAA—which stands for Health Insurance Portability and Accountability Act—is actually a really important law that protects your privacy, among other things.
Under the Privacy Rule in HIPAA, health care providers are required to protect and secure your Personal Health Information (PHI). And under the Security Rule, providers are required to put both physical and technical safeguards in place to make sure your health information isn’t shared with people it shouldn’t be.
In a physical medical office, the steps to being HIPAA-compliant are known and fairly straightforward. For example, your provider shouldn’t leave your chart sitting open in the hallway of their office where anyone could see it. But with the introduction of telemedicine, health care providers have had to figure out different ways to make sure you—the patient—are protected, even when technology is involved.
So what does that look like, and is your privacy really protected when you use telehealth? The first thing to know is that telehealth providers, like in-person medical providers, are bound by HIPAA. That means they’re required to protect your personal medical information from getting into unauthorized hands—and that includes digital ones.
Dr. Alex Pastuszak, chief clinical officer of the telehealth company Vault, tells Bedsider that his company has strict guidelines that require providers to only access PHI inside of HIPAA-compliant platforms. They also take additional steps—including verifying the patient’s identity and making sure they’re in a private area before connecting—to protect their patients’ privacy.
But while Vault utilizes both technological and physical protections, according to HIPAA Journal, many providers think that being HIPAA-compliant starts and stops with making sure communication is direct between the physician and the patient. In other words, as long as no one else is in the room, you’re good to talk via videoconferencing.
The problem with that perspective is that not all videoconferencing technologies are encrypted and secure. Standard Zoom (like the one you probably use for work), for example, was criticized early in the coronavirus pandemic for their somewhat lax security measures. One issue was that uninvited users—nicknamed “Zoom bombers”—were able to jump in and out of Zoom conferences.
While Zoom quickly closed that security gap—and they also offer a separate, HIPAA-compliant platform called Zoom for Healthcare that is utilized by many, if not all, providers—the fact that it existed at all highlights the fact that not all video call services are created equal. And the same goes for text and email communications. Basically, if a company isn’t able to provide a record of how they protect patient data, then it shouldn’t be used for telehealth services, according to HIPAA.
“Using secure communication and patient data tools is essential in maintaining HIPAA compliance via telehealth,” Dr. Pastuszak says. “Furthermore, working with vendors who take privacy and security issues seriously and obligate themselves to proper compliance is also key to protecting communications and data.”
If you’re trying to figure out if your health care provider is using a secure form of communication, pay attention to the tools they’re using. They shouldn’t be communicating via regular text message or FaceTime or any other consumer-facing video conferencing or messaging service. Instead, providers should be using tools that are HIPAA-compliant and that they’ve ensured are secure and encrypted. Dr. Pastuszak also recommends giving your provider’s Notice of Privacy Practices a close read, as all of their HIPAA-related information should be available there.
If you’re not sure whether or not your telehealth care provider is taking steps to protect your privacy, don’t hesitate to ask them. Some questions to include are:
- “Is the videoconferencing app we’re using HIPAA compliant?”
- “How do you protect patient data from unauthorized access?”
- “Are our messages encrypted?”
- “Are you using your own technology or are you using a consumer-facing tool?”
- “How does your company ensure that you’re in compliance with HIPAA during telehealth visits?”
There’s one exception to this rule and that’s for health care providers who are newly or temporarily providing telehealth services during the coronavirus pandemic. The Department of Health and Human Services has released a notification that says that HIPAA rules for telehealth are being eased up during this public health crisis. That means providers can use less secure tools to communicate with patients right now because the general health of the entire population is more important than privacy at this exact moment. We’ll see what happens as the pandemic progresses, but it’s possible that the rules could change again or go back to how they were before. Either way, you can still ask the questions above to find out what your provider is doing to protect your privacy.