This paper surveys the privacy and security issues facing health care providers using video conferencing applications. Stricter privacy protection for health information dates back thousands of years. Why are there stricter laws in place to protect health information? Embarrassing health information can lead to stigmatization, and keeping health information private makes patients more inclined to reveal potentially embarrassing health information to doctors. For those reasons, privacy of health information is very important to society as a whole. This paper will start with an overview of the leading United States federal law that protects health information. Second, it will explore the increased role being played by video conferencing applications in response to the Covid-19 (coronavirus) pandemic. Then, the paper will discuss the risks health care providers should consider before using video conferencing applications.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the leading U.S. federal law that governs the use of protected health information (PHI). HIPAA is enforced by the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR). PHI is defined as individually identifiable health information. PHI can be a person's name or a collection of information that, when used together, identifies a person. The Privacy and Security Rule provisions of HIPAA, as updated by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), dictate the guidelines for safeguarding electronic protected health information (ePHI). ePHI is any PHI that is transmitted or maintained in electronic media (such as a hard drive or in the cloud).
Because video conferencing applications are considered business associates of covered health care providers (health care providers), they must comply with HIPAA. The HIPAA Privacy and Security Rule applies to hospitals, health insurers and their business associates. A business associate is any person or organization working with a covered entity that handles or processes ePHI. In the event of unauthorized access to or disclosure of protected health information, a breach is presumed to have occurred. If a breach affects 500 or more individuals, health care providers and their business associates must notify the affected individuals and state and federal authorities.
With the world on lockdown because of the coronavirus pandemic, many health care providers are turning to video conferencing applications to deliver health care to patients. The increased use of technology to provide health care is known as telehealth. Telehealth is the use of electronic information and telecommunication technologies to support and promote long-distance clinical health care. Telehealth services may be provided through audio, text messaging, or video communication technology, including video conferencing applications. Because of the coronavirus pandemic, health care providers are allowing, and in some cases requiring, doctors to provide consultations using video conferencing applications.
In its March 17, 2020 guidelines, OCR recommended Zoom Video Communication, Inc (Zoom) as a non-public facing platform. A non-public facing platform is one that, as a default, allows only the intended parties to participate in the communications. These platforms are considered secure because they employ end-to-end encryption, "which allows only an individual and the person with whom the individual is communicating to see what is being transmitted." In contrast, Facebook Live is considered a public facing platform because it allows indiscriminate access to the communications. Importantly, the guidelines provided that covered health care providers "will not be subject to penalties for violations of HIPAA that occur in the good faith provision of telehealth during the coronavirus pandemic."
Contrary to OCR's guidelines, Zoom was a public facing platform. Many health care communications were breached because Zoom lacked end-to-end encryption, and the default settings allowed anyone with the meeting number to enter the video conference. Zoom represented to OCR that it had "end-to-end encryption and secure login controls." Because of that misrepresentation, Zoom has since been sued twice in federal court.
The Zoom data breaches occurred because health care providers failed to do their due diligence and verify whether Zoom was actually a non-public facing application. Health care providers must do their own due diligence before adopting any application instead of blindly following OCR's recommendations. Due diligence is the process of performing a background check before using particular services. Proper due diligence would have revealed that Zoom was indeed a public facing platform. In reality, Zoom did not "as a default, allow only the intended parties to participate in the communications." To avoid a similar fiasco, a health care provider should not adopt a video conferencing application without investigating whether proper technical safeguards are in place to protect ePHI.
While working remotely is important to contain the spread of the coronavirus, a health care provider must continue to protect health information. It has been their duty for thousands of years. It is even more important now because embarrassing health information can be shared with millions of people, inadvertently through an administrative mistake or intentionally by a bad actor. This obligation does not change with the size of the provider. Health care providers must evaluate the potential risks associated with video conferencing applications and perform their due diligence before using them.
Although OCR specified that health care providers would not be subject to penalties for violations of HIPAA that occur in the good faith provision of telehealth during the coronavirus pandemic, it is still a health care provider's ethical duty to have reasonable measures in place to protect medical information. A health care provider's failure to do their homework on a video conferencing application can be considered bad faith provision of telehealth. Failure to comply with HIPAA may result in legal fines and damage a health care provider's reputation. Because of the legal and reputational risks, a health care provider should perform their due diligence before using a video conferencing application to connect with patients.
A contract between a health care provider and a video conferencing application should include an information security provision that requires end-to-end encryption and audit rights. Audit rights allow a health care provider to evaluate a video conferencing application's cybersecurity measures. It is crucial to be able to monitor a video conferencing application to ensure continued compliance with HIPAA. A video conferencing application's reputation should be evaluated to gauge its information security culture. Health care providers should also require prompt notification in the event of a data breach or breach of contract.
Conducting proper due diligence will be a continuous endeavor because video conferencing applications' role in the health care industry will continue to grow. Health care providers should only consider video conferencing applications with well-designed cybersecurity programs because of the significant costs associated with a data breach. Taking the precautions discussed in this paper should mitigate the risks associated with using video conferencing applications to deliver health care.