Law in the Internet Society

KatharinaRogoschSecondEssay 3 - 16 Jan 2022 - Main.KatharinaRogosch
 -- By KatharinaRogosch - 08 Dec 2021

Changed:
<
<
Since the start of the Covid-19 pandemic, healthcare has moved from in-person appointments to the provision of services through telehealth consultations. Telehealth services use telecommunications and information technology to provide access to health assessment, diagnosis, intervention, consultation, supervision, and information across distance. This means that telehealth encompasses both electronic and telecommunication technologies to support health care delivery, for both preventative and administrative activities. Telehealth services also use electronic health records and health information exchanges, targeting these primarily towards patients who otherwise could not obtain medical care, such as those who live in distant rural settings, the elderly, and high-risk patients.
>
>
Since the start of the Covid-19 pandemic, the provision of healthcare has moved from in-person appointments to a greater use of telemedicine services. Telehealth services use telecommunications and information technology to provide access to health assessment, diagnosis, intervention, consultation, supervision and information across distance.
 
Changed:
<
<

Regulation of telehealth services and Covid-19

>
>

HIPAA Regulations

 
Changed:
<
<
While telehealth services have been gaining popularity in the last couple of years, during the onset of the Covid-19 pandemic, both the Centres for Medicare and Medicaid Services (CMS) and the US Department of Health and Human Services (HHS) took unprecedented action to expand telehealth. This expansion was two-fold; first, by CMS’s waiver to Medicare program requirements allowing all beneficiaries to receive telehealth in any location, including their homes, and secondly, through the HHS relaxing the standards that apply to technologies that “include video-conferencing, the internet, streaming media, and wireless communications” underlining that healthcare providers may use technologies that “may not fully comply with the requirements of the HIPAA privacy rules” if the provider makes a good faith effort to keep patient data private. It is this second expansion of telemedicine that is the focus of this paper.
>
>
The Health Insurance Portability and Accountability Act (“HIPAA”) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The HIPAA regulations are especially pertinent for telehealth services as they use patients’ electronic protected health information (“ePHI”) over electronic communications networks. Consequently, telehealth providers must ensure that:
  1. Only authorized users have access to ePHI
  2. A system of secure communication is implemented to protect the integrity of ePHI
  3. A system of monitoring communications containing ePHI is implemented to prevent accidental or malicious breaches

While the focus of the HIPAA regulation is on the security of ePHI, the standard used to secure communications is encryption. This means that if telehealth communications are conducted over email or text, these messages must be encrypted. Technically, a phone call conversation between a healthcare provider and a patient will satisfy the HIPAA rules, but the sharing of any further communications through any other means than a phone call will not. For example, if the healthcare provider shares any follow-up information after the phone call that contains ePHI via unencrypted email or text messages, this violates the HIPAA rules. The main aim of the HIPAA regulations is to ensure that any ePHI that is shared before and after the telehealth appointment is shared through an encrypted platform. Consequently, it comes as no surprise that a majority of telemedicine services were provided through hospital-designed platforms.

 
Deleted:
<
<
One important aspect of the broadening of telemedicine services by the HHS and CMS waivers is that these services are no longer limited to telemedicine platforms designed by healthcare providers themselves. As part of HHS’s Notification of Enforcement Discretion, telemedicine services can now be provided on acceptable service vendors that use non-public facing platforms such as FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, and Skype.
 

Changed:
<
<

Doximity and implications for the future of telehealth services

>
>

Impact of the Covid-19 pandemic on HIPAA privacy standards

 
Changed:
<
<
Doximity is a professional medical network for U.S. healthcare professionals as part of which more than 80% of US doctors and 50% of nurse practitioners and physician assistants are members. Doximity functions as a separate application as part of which physicians can “securely” connect and collaborate with other healthcare professionals about patient treatment and patient referrals. Doximity is unique because it also acts as a telemedicine provider (through Doximity Dialer and Video); however, the way it addresses physicians’ privacy and security makes it an interesting case study for the interactions between telehealth, the Covid-19 pandemic, and privacy.

There are two features of Doximity’s application that make it a unique telemedicine provider: Doximity Dialer and Video, which is a feature on the company’s mobile application that allows physicians to call patients using cell phones while displaying any phone number of choice on the patient’s caller-ID, and secondly, the fact that Doximity Dialer is a HIPAA-secure platform that facilitates encrypted communications with patients. Unlike the majority of telemedicine providers, Doximity developed video-call capabilities as part of their own application and made these HIPAA-compliant in a time when HIPAA compliance has been waived by the HHS.

>
>
During the onset of the Covid-19 pandemic, both the Centers for Medicare and Medicaid Services (CMS) and the US Department of Health and Human Services (“HHS”) took unprecedented action to expand telehealth. One important aspect of the broadening of telemedicine services is that these services are no longer limited to telemedicine platforms designed by healthcare providers themselves. Telemedicine services during the pandemic can be provided on acceptable service vendors that use non-public facing platforms such as FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, and Skype.
 
Changed:
<
<
The case of Doximity Dialer and Video lends itself to the broader analysis and implications of how the relaxation of the standards regulating telemedicine impact the privacy of patient data discussed, collected, and relayed on these applications. Pre-pandemic, the use of telemedicine services was limited both by geographic area (i.e. available only to some Medicare and Medicaid recipients that lived in rural areas) and by how these services were provided (through specific hospital-designed platforms such as Northwell Health’s own telehealth service). This meant that the data collected and exchanged as part of telehealth visits was retained on these platforms, and as per HIPAA’s Privacy Rule contained audit controls that allowed system administrators to record and follow audit trails whenever protected health information was created, modified, accessed, shared, or deleted.
>
>
While the move to allow the provision of telehealth services through easily accessible communications platforms was to ensure easy access to medical services during the pandemic, this opening-up of telemedicine has resulted in additional complications about the security of telehealth services. For example, before the pandemic, the focus was on ensuring that pre- and post-telehealth appointment communication was encrypted so as not to share any ePHI. However, using services such as Zoom during the pandemic has raised concerns about the recording of the actual telehealth appointments and the sharing of ePHI discussed during these.
 
Changed:
<
<
The pre-pandemic provision of telehealth services must be heavily contrasted with the current situation, where a balancing exercise occurs between privacy and the pandemic risks of seeing medical personnel in person. The HHS opening-up of telemedicine calls through platforms such as FaceTime, Facebook Messenger, Zoom, Google Hangouts, and Skype exposes individuals and their private medical data. For example, with over 200 million users, Zoom is the most popular video application but still faces cybersecurity challenges with “zoombombing”, a term used when calls are infiltrated by hackers. Concerns about the HIPAA compliance of Zoom were even expressed as early as March 2020, with one commentator underlining that “there are not serious concerns about the security of Zoom” and that “this creates doubts about using Zoom for communicating medical information, which needs to be fully protected”. If worries have been raised about the provision of telemedicine appointments through the Zoom platform, it is even more worrisome that these online medical appointments can be handled through Facebook Messenger as well.
>
>
The HHS opening-up of telemedicine calls through platforms such as FaceTime and Facebook Messenger exposes individuals and their private medical data. For example, with over 200 million users, Zoom is the most popular video application but still faces cybersecurity challenges with “zoombombing”, a term used when calls are infiltrated by hackers. Concerns about the HIPAA compliance of Zoom were even expressed as early as March 2020, with one commentator underlining that “there are serious concerns about the security of Zoom” and that “this creates doubts about using Zoom for communicating medical information, which needs to be fully protected”. If worries have been raised about the provision of telemedicine appointments through the Zoom platform, it is even more concerning that these online medical appointments can be handled through Facebook Messenger as well.
 
Deleted:
<
<
If the platforms through which telemedicine services can now be provided are not secure, do not protect patients’ data, and are riddled with cybersecurity risks, the question is what future is there for telehealth? Are the Doximity Dialer and Video a better standard for the protection of individual data? While this essay has heralded the design of the Doximity application, namely for its HIPAA compliance and ability to protect the physician’s privacy, the design of the application targets physicians and not patients. This means that the focus is on ensuring that physicians are not harmed by direct contact with patients, and the protection afforded to the patient using the platform happens to be a positive consequence of this design. At the end of the day, the Doximity Dialer still retains patient information; however, in comparison to applications such as Facebook Messenger and Zoom, individual patients can view the data that is collected on the application and remove it. This creates a dilemma this essay was hoping to explore, namely, how to balance individual privacy with increased access to telemedicine during the Covid-19 pandemic.
 
Changed:
<
<
This draft uses too many words on irrelevant details, but it clarifies the issues. In order to discuss this intelligently, we need to know two things: what do the HIPAA regulations require, and what is technically required to satisfy them?
>
>

Doximity and Telehealth services

Doximity is a professional medical network for U.S. healthcare professionals as part of which more than 80% of US doctors and 50% of nurse practitioners and physician assistants are members. Doximity functions as a separate application as part of which physicians can “securely” connect and collaborate with other healthcare professionals about patient treatment and patient referrals. Doximity is unique because it also acts as a telemedicine provider (through Doximity Dialer and Video); however, the way it addresses physicians’ privacy and security makes it an interesting case study for the interactions between telemedicine, the Covid-19 pandemic, and privacy.

 
Changed:
<
<
As to the first, we have nothing yet, and that's what the next draft has to contain. We can begin with a simpler model of telemedicine: the phone call. What does a phone system have to do, and what constraints does it have in doing them, in order for a doctor-patient consultation conducted over it to be HIPAA-compliant? Considering the use of short-wave radio telephony in Alaska, I doubt that even the most insecure Videoconferencing Bullshit System (let's call that Zoom for short) violates regs with which that complies.
>
>
There are two features of Doximity’s application that make it a unique telemedicine provider: Doximity Dialer and Video, which is a feature on the company’s mobile application that allows physicians to call patients using cell phones while displaying any phone number of choice on the patient’s caller-ID, and secondly, the fact that Doximity Dialer is a HIPAA-secure platform that facilitates encrypted communications with patients. Unlike the majority of telemedicine providers, Doximity developed video-call capabilities as part of their own application and made these HIPAA-compliant in a time when HIPAA compliance has been waived by the HHS. Even though Doximity’s secure video-call capabilities make it stand out from other telemedicine providers that instead use services such as Zoom, this is not what makes Doximity special. Instead, it is the combination of both a secure communications platform and video-conferencing capacities that protect patients’ ePHI before, during, and after the telehealth appointment.
 
Changed:
<
<
But whatever the answers may be, modulo whatever degree of legal uncertainty, we have then, second, a fairly simple question of technical design to answer. The analysis will inevitably be made more difficult by the need to cut back the overgrown other bullshit, namely the propaganda of the proprietary medical software companies, which do everything they can, very successfully and with the assistance of the rest of US for-profit medicine, to prevent the development of simple, free, standard and mutually-compatible solutions to medtech infrastructures.
>
>
 
Changed:
<
<
In this instance, we can say a few things at the outset. First, the security of the patient's endpoint can never be assured. Therefore the secrecy of communication is inherently unknowable, but this—like most real world problems—lies outside the scope of the regulations, which necessarily cannot prevent patients' disclosures.
>
>

Conclusion

 
Changed:
<
<
Second, the achievement of secure video conferencing of which no recording is made in the course of the service, requiring no more than a browser, camera and microphone at the patient's end, no matter in what sort of device, is trivial. A tiny Jitsi Meet instance, like the one I use for office hours, needs a server no bigger than a Raspberry Pi and meets those technical requirements. Secure, federated videoconferencing using dirt-cheap tiny servers and ordinary consumer laptops, tablets, and smartassphones is available to everyone everywhere right now, just not through the platforms. So we must understand the regulations and ignore the medtech marketing propaganda in order to understand whether there is a problem.
>
>
 
Added:
>
>
While this essay has heralded the design of the Doximity application, namely for its HIPAA compliance and ability to protect the physician’s privacy, the design of the application targets physicians and not patients. This means that the focus is on ensuring that physicians are not harmed by direct contact with patients, and the protection afforded to the patient using the platform happens to be a positive consequence of this design. The Doximity Dialer still retains patient information; however, in comparison to applications such as Facebook Messenger and Zoom, individual patients can view the data that is collected on the application and remove it. This creates a dilemma this essay was hoping to explore, namely, how to balance individual privacy with increased access to telemedicine during the Covid-19 pandemic.
 
Added:
>
>
 
You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable.

Revision 3r3 - 16 Jan 2022 - 23:53:00 - KatharinaRogosch
Revision 2r2 - 07 Jan 2022 - 18:42:47 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.