Doctors may face lawsuits or state actions for any patient privacy violations through use of tools such as Zoom Video Communications Inc.'s app—even after federal regulators relaxed enforcement.
The Department of Health and Human Services Office for Civil Rights (OCR) has said it won’t penalize providers for “good faith” telehealth use during the coronavirus pandemic that violates the Health Insurance Portability and Accountability Act’s Privacy Rule.
“We are empowering medical providers to serve patients wherever they are,” Roger Severino, the office director, said in a notice of enforcement discretion.
Under the notice, video apps such as Apple Inc.'s FaceTime, Facebook Inc.'s Messenger, or Google Hangouts can be used to chat with patients without first getting a business associate’s agreement, something that would be required under the HIPAA Privacy Rule. But the video apps still must protect patient data, including notes, treatments, and lab reports, under HIPAA’s Security Rule.
“The HIPAA security rule is still very much in effect and is expected to be followed,” said Kevin Coy, health and privacy partner at Arnall Golden Gregory LLP. That means apps that don’t abide by HIPAA’s physical and technical safeguards to protect patient data could still face lawsuits, or state enforcement, despite the notice.
The notice of enforcement discretion “has been relied upon way too heavily” by providers—and won’t necessarily spare them from litigation or regulatory actions, said Mark McCreary, co-chair of Fox Rothschild’s privacy and cybersecurity practice. “The ease of use of Zoom is intoxicating, which has led to some bad choices in the healthcare profession.”
Doctors Use Zoom
The privacy concerns, and reported hacking intrusions, that prompted entities including the New York City Department of Education, Tesla Inc., and the Taiwanese government to stop using Zoom also apply to doctors, attorneys and patient advocates said.
Zoom, in a statement, said “a large number of global institutions, including healthcare organizations and telemedicine practices, have done exhaustive security reviews” that led them to “confidently” select its product.
Zoom doesn’t publicly list how many health-care providers use its product. It has more than 200 million users overall, a number that has grown during the pandemic as more businesses and individuals have sought out remote connections.
Phoenix Children’s Hospital and Bayada home health care are among the providers that say, on their websites, that they use Zoom for telemedicine. Zoom also promotes partnerships with Delta Dental, Magellan Healthcare, and other medical providers.
Representatives for Phoenix Children’s, Bayada, Delta Dental, and Magellan didn’t respond to requests for comments on why they chose Zoom.
Physicians like Zoom because they see it as HIPAA-compliant, based on OCR’s and Zoom’s own assessments, easy for patients to use, and inexpensive, said Brian Scarpelli, senior policy counsel at ACT | the App Association. Zoom offers a medical video conferencing account for as little as $200 per month, according to the company’s website.
Doctors using video-conference technology, though, must use “every privacy and security tool they have available” to keep patients’ trust, the American Medical Association, the nation’s largest organization of doctors and medical students, said in a statement. Systems should have end-to-end encryption and shouldn’t store transmissions, the AMA said.
Severino said the HHS guidance for telemedicine “depends on videos not being broadcast or made available to the general public.” Providers, he said, “should make use of available privacy and security features such as requiring passwords and using encryption.”
McCreary, however, said the Zoom product lacks end-to-end encryption—at least for now. Until Zoom reconfigures the product to include that feature, it’s not truly HIPAA-compliant, he said.
Still, HHS in its notice listed Zoom as one of the services providers could use without enforcement risk.
Zoom, in its statement, doesn’t address end-to-end encryption but says its product complies with HIPAA. Zoom configures account settings differently for medical providers than for its generally available commercial product, it said. Cloud recording is disabled, in-meeting chat and file transfer are turned off, and participant identities are not logged or reported, the company said.
Patients, however, say they feel more comfortable using apps with stricter protocols and more secure channels such as FaceTime or Microsoft Corp.'s Teams, said Cynthia Fisher, founder and chairman of PatientRightsAdvocate.org. Members of her group are voicing concerns about the Zoom app’s continued use, she said.
State attorneys general have taken note, based on consumer concerns. Connecticut Attorney General William Tong (D) has been in discussions with Zoom about its privacy and security features, “including in the health-care sector,” said Elizabeth Benton, a spokeswoman for the office. Iowa Attorney General Tom Miller (D) is “monitoring” Zoom’s privacy and security practices “surrounding telehealth” and other applications, Lynn Hicks, communications director for the office, said.
Aside from state enforcement, providers also face the risk that patients who believe a video consultation violated their privacy could sue, attorneys said. Health-care professionals have faced suits before the coronavirus pandemic for flaws tied to technology use.
“The OCR exercise of enforcement discretion only applies to HIPAA and OCR’s enforcement of it,” Coy said. “Potential plaintiffs still could sue” if they believed their personal data wasn’t being properly protected, he said.
A home health-care provider and a cloud-computing company, for example, were sued April 6 in Pennsylvania federal court after a ransomware attack allegedly harmed at least 156,409 patients. The affected patients raised claims under Pennsylvania consumer protection law citing HIPAA’s security rule. The case is ongoing.
Lawsuits also could be brought under the California Consumer Privacy Act if the security around telehealth platforms is lacking, said Thora Johnson, a partner at Venable LLP in Baltimore.
Legal enforcement waters can get muddy when video conferencing app vendors are business associates of health-care providers, Johnson said. Business associates, by law, are subject to the same patient data protection responsibilities as health providers. Tech companies under business-associate agreements, then, are subject to HHS enforcement in the event of a security failure, she said.
“It can get very tricky because the provider of the video conferencing tool may actually be in a business-associate role,” Johnson said.
For additional legal resources, visit Bloomberg Law In Focus: Coronavirus (Bloomberg Law Subscription)