Data privacy is already a popular topic among lawmakers and, given the explosive growth of telemedicine in the past several years and the relative lack of privacy enforcement during the Covid-19 public health emergency (PHE), patient data privacy will soon be a top priority for regulators reviewing the practices of tech-enabled health-care services companies, particularly telemedicine and digital health.
During the PHE, the Department of Health and Human Services Office for Civil Rights announced that health-care providers would not be penalized for HIPAA violations occurring in the good-faith provision of telemedicine services. This flexibility prompted telemedicine providers to avail themselves of communications technology (e.g., FaceTime, Google Hangouts) not previously used for health care or vetted for HIPAA compliance.
Alongside the use of these (often less-secure) platforms, health tech companies have increasingly looked to patient data as an asset, by building data lakes and data mining programs at a scale never before seen in health care.
Concurrently, the rise of “patient as consumer” has led telemedicine companies to draw on e-commerce principles to create a better user experience with the goal of converting users into patients (or vice versa). Website data analytics and advertising tools built for direct-to-consumer (DTC) non-health care e-commerce are now used by health-care companies.
This has made drawing the line between the non-health care data of the “user” versus protected health information (PHI) of the “patient” particularly tricky when the same person is simultaneously a user of a technology company and a patient of the company’s affiliated medical group.
To improve the user experience, this new wave of health tech companies relies on data collected from users and subsequently shared with data analytics and advertising services to gain insights into user behavior. Some companies go so far as to retarget the user with advertising if the user leaves the website without booking a telemedicine appointment. These types of data disclosures implicate the HIPAA Privacy Rule for HIPAA-regulated health-care providers and their vendors.
A Patient Scenario Demonstrates Privacy Issues
For example, consider a patient who visits his provider’s telemedicine website, seeking information related to diabetes. The provider’s goal may be to convert the patient’s curiosity about diabetes into a telemedicine appointment. Then suppose the patient browses the information online but does not schedule an appointment. The provider has a contract with a data analytics vendor, where that patient’s browsing data, IP address, and other unique identifiers are shared and analyzed by the vendor to generate insight on potential reasons why this patient did not schedule an appointment. Moreover, the patient’s “cart abandonment” might trigger an automated call to action (e.g., an email or text message prompting the patient to complete his checkout and book an appointment).
These are otherwise basic DTC e-commerce tactics that become significantly thornier when used in the health-care industry. Under HIPAA, IP address and any unique identifiers are included in the 18 data elements identified by HIPAA as PHI. To disclose PHI to a third party, like a data analytics vendor, there must be a proper business associate agreement between the vendor and the telemedicine platform provider or health-care provider, and, depending on the situation, patient consent must also be obtained.
Many of the most widely-used data analytics vendors in e-commerce will not sign a business associate agreement and some go as far as mandating that any organizations regulated by HIPAA not share PHI.
So the question for the company in this example is: can this disclosure of PHI be structured in compliance with the HIPAA Privacy Rule and, if so, how can that be done while maintaining a delightful user experience? These types of data disclosures and marketing practices are guaranteed to draw the attention of both HHS OCR and the Federal Trade Commission over the next few years.
Get Ready for the End of Waivers
The PHE and its associated waivers, including for privacy and security violations, will end. Telemedicine companies should develop a strategy now for how they will operate after the waivers end.
Below are five concrete steps telemedicine and digital health companies can take now to best position themselves for robust and compliant operations:
- Conduct, under attorney-client privilege, a risk assessment of health data maintained and transmitted by the organization.
- Conduct third-party diligence on all vendors who maintain PHI, including telemedicine platform, data analytics, and electronic health record vendors.
- Review the data collection practices of the company’s website and app, then determine whether the practices comply with HIPAA and state law.
- If the company has data vendors that refuse to sign a business associate agreement, consider alternative vendors willing to do so.
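The third and fourth steps above (reviewing the website's data collection practices and identifying vendors without a business associate agreement) can be partly automated. The following is an added example, not code from the column's authors or their firm: it audits a constructed log of outbound third-party requests captured on a health-content page against a constructed vendor registry, treating the client IP address and unique identifiers as PHI in the way the column describes, and flags each disclosure to a vendor that has no BAA or is not in the registry at all.

```javascript
// Added example (not from the column): audit third-party requests made from a
// health-content page for HIPAA identifiers sent to vendors without a BAA.
// Every HTTP request discloses the client IP to the receiving host, so any
// request to a non-BAA vendor is at least an IP disclosure.

// Query parameters treated as unique identifiers (constructed list).
const IDENTIFIER_PARAMS = new Set(["cid", "user_id", "email", "phone"]);

// Constructed vendor registry: hostname -> whether a BAA has been signed.
const VENDOR_REGISTRY = {
  "analytics.example-baa-vendor.com": { baa: true },
  "pixel.example-adnetwork.net": { baa: false },
};

// Constructed sample of outbound requests captured on a "/diabetes" page.
const SAMPLE_REQUESTS = [
  { url: "https://analytics.example-baa-vendor.com/collect?cid=123&page=/diabetes" },
  { url: "https://pixel.example-adnetwork.net/track?user_id=abc&event=view_diabetes" },
  { url: "https://cdn.example-assets.com/style.css" },
];

// Returns one finding per request that sends identifiers to a host without a
// BAA ("no BAA") or to a host that was never reviewed ("unknown vendor").
// An empty result means every identifier-bearing request went to a BAA vendor.
function auditDataFlows(requests, registry) {
  const findings = [];
  for (const req of requests) {
    const url = new URL(req.url);
    const fields = ["ip"]; // the client IP is always disclosed to the host
    for (const [key] of url.searchParams) {
      if (IDENTIFIER_PARAMS.has(key)) fields.push(key);
    }
    const vendor = registry[url.hostname];
    if (!vendor) {
      findings.push({ host: url.hostname, reason: "unknown vendor", fields });
    } else if (!vendor.baa) {
      findings.push({ host: url.hostname, reason: "no BAA", fields });
    }
  }
  return findings;
}

for (const f of auditDataFlows(SAMPLE_REQUESTS, VENDOR_REGISTRY)) {
  console.log(`${f.host}: ${f.reason} (fields: ${f.fields.join(", ")})`);
}
```

In practice the request log would come from a browser's network capture or a tag-manager export, and the registry from the vendor diligence in step two.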
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owner.
Aaron Maguregui is special counsel at Foley & Lardner and a member of the firm’s Privacy, Security & Information Management practice and national Telemedicine & Digital Health Industry Team. Based in Tampa, he advises innovative health-care and technology companies to solve complex compliance, cybersecurity, data governance, data privacy, and risk management matters.
Nathaniel (Nate) Lacktman is a partner and chair of Foley & Lardner’s national Telemedicine & Digital Health Industry Team. Based in Tampa, he advises entrepreneurial health-care providers and technology companies on business arrangements, compliance, and corporate matters, with particular attention to telehealth, digital health, and health innovation.