The pandemic might have changed the way healthcare is delivered forever. McKinsey Research in 2021 said telehealth use had increased to 38 times the pre-Covid baseline. “The first days and weeks alone saw an unbelievably rapid transformation of healthcare delivery,” said Ash Thornley-Davies, Healthcare Account Executive at technology giant Zoom. “This rapid change didn’t just alter the way hospitals and clinics operated; it shifted the way the world thought about healthcare delivery.” Great Ormond Street Hospital (GOSH) deployed video-visit capabilities and integrated Zoom into its Electronic Patient Record (EPR) system in just eight days, ahead of the first lockdown on 23 March 2020, he said.

Not only is the app now used by many of the largest hospitals in the US, but it’s also a white label function. “We’re seeing more and more primary care providers exploring this as a way to offer virtual consultations,” said Zoom’s Thornley-Davies.

Data protection is a key question

Rules on how data is exchanged and protected within telehealth interactions is now of growing concern. Laws are changing too, with countries such as India debating how to legislate on data privacy. Generally speaking, data protection rules cover everything from recordings of conversations between doctors and patients, to processing identifiable data and handling healthcare information.

Brandon M. Welch, CEO of Doxy.me, which provides a telehealth platform for health systems to bring doctors and patients together, summarised how data protection laws broadly work. “If it’s not your data, you’ve got to protect it and don’t disclose it,” he explained. Specific requirements, such as what is classed as information and what isn’t and where permissions are required may differ. “But generally, if I can see and identify you, it needs to be protected,” he added.

Telehealth provider Babylon Health noted in this year’s filings to the US Securities and Exchange Commission that transgressing the laws can result in dire consequences, and not just for the patient. Legal claims or proceedings, liability under laws and regulations that protect the privacy of member information and regulatory fines or penalties can be hefty. In the UK alone, fines of up to €20 million (£17.5 million), or up to four per cent of the annual global revenue of a noncompliant company – whichever is greater – can be imposed for certain violations.

Rigorous encryption standards

Providers contacted by ITIJ said they are fully compliant with the data protection rules of each of the jurisdictions they operate in, and that privacy is a core value. That means enabling good levels of encryption so data cannot be hacked, then checking the rigour of the systems regularly. HealthTap, which offers Virtual Primary Care Clinics in the US, carries out an external audit every year, certifying that all the controls designed to manage the system are working as expected. These include how the data is communicated and stored, as well as who can access it. “We treat all user data as a trust that users have put in our hands,” said Hammad Saleem, Chief Technology Officer of HealthTap. “Each of these are secured by multiple layers of protection and verified by our auditors. And when it comes to protected/personal health information (PHI), including doctor notes, communications, medications and lab tests, we protect that with an even higher level of access control.”

In the rush to meet the demand for telemedicine during the pandemic, some resorted to non-secure or limited security channels of communication

Interestingly, Saleem said not all providers do this. In the rush to meet the demand for telemedicine during the pandemic, some resorted to non-secure or limited security channels of communication. They may use standard text messaging or messaging apps without encryption or user-access protections, or unauthenticated video messaging and email – with recordings stored on the cloud. “This helps bring healthcare to people with the devices and technologies they are using, but also poses a threat to patient privacy,” he said. “The industry should work to make it easier for doctors to use secure channels that are as user-friendly as the most commonplace, consumer-optimised apps.”

Doxy.me protects patient data by never encountering it in the first place. No calls are recorded, so once an interaction between a patient and doctor has finished, it is lost forever. Patient records are not stored on any server owned by Doxy.me. These are on separate existing EHR systems and, therefore, are the responsibility of the health providers that use the service. When he built the app, Welch saw many other telemedicine applications that required patients to log in and create accounts, which would be stored. “To store this data, you must have all these additional security protections. You’ve got to have encryption, for example,” he explained.

Instead, a patient who requires an appointment through Doxy.me receives a link to what’s called the provider’s room, which they click. No private information is required until a patient is face-to-face with their doctor. “They click [the link] and the patient log checks in,” he said, likening the process to turning up at the doctor’s surgery reception desk. “But when the patient shows up, they say ‘hey, I’m Jim’, and show their ID and that’s the person’s verification.”

This system, called peer-to-peer, means the need for encryption and security protections and servers is circumvented. “We know patients check in at certain time, but we don’t know anything about them. They’re just a number and we can’t identify who they are,” he said.

Devil is in the detail

For providers that don’t take advantage of this peer-to-peer transient data, but do store it, a range of laws apply. In the US, the Health Insurance Portability and Accountability Act (HIPAA) states that health information should be protected, whether collected for purposes of individual care or epidemiology and public health. The General Data Protection Regulation (EU GDPR) applies across the EU, and a UK GDPR is slightly different from the EU version. The UK has a separate data protection act and other rules to interact with NHS systems.

There are differences in the fine detail of such laws, with some countries stricter than others.

To comply with specifically strong measures, such as the GDPR in Europe, Zoom uses encryption technology

For example, Welch says that HIPAA has clearly defined 18 types of information it considers to be identifiable. “It is very descriptive – it says these have to be encrypted and protected and boom, we’re good,” he said. GDPR, in contrast, is seen as stricter and trickier because it applies to anything that’s personally identifiable. Except, it’s not always clear what is identifiable. He asks whether an IP address is classed as identifiable, for example. “The issue is not knowing if we are doing it right. Are we going to be fined?” he added. “So, it’s more of that uncertainty that gives a lot of people heartburn.”

To comply with specifically strong measures, such as the GDPR in Europe, Zoom uses encryption technology – including optional end-to-end encryption for meetings and numerous safeguards to prevent unauthorised people joining meetings. “This includes waiting rooms which only allow people from a certain organisation, to a ‘Lock Meeting’ function which prevents anyone else joining,” said Thornley-Davies. “Customers can choose where video recordings, chats and files are processed, and the data storage location for their content to rest.”

Canadian rules require even transient data from Doxy.me to remain on the servers within the country, he said. “Data can’t leave Canada and come back to the US and go back. Well, we have servers like all over the place, all over the world. So, data is bouncing all over,” he said. “We had to rebuild the application just for Canada.”

HIPAA privacy and security

Laws are changing, often becoming stricter. In March 2020, at the beginning of the pandemic, the US Department for Health and Human Services (HHS) relaxed the enforcement of HIPAA privacy and security safeguards. Video apps such as Apple’s FaceTime, Facebook’s Messenger or Google Hangouts could be used to chat with patients, without first getting a business associate’s agreement (something usually required under the HIPAA Privacy Rule – they must still protect PHI, according to HIPAA’s Security Rule).

But now that the pandemic is declining in the US, the waiver is expected to be removed.

Kyle Zebley, Senior Vice President for Public Policy at industry body the American Telemedicine Association (ATA), said the telehealth community is broadly supportive of HIPAA coming back into full effect, although they need to know when, to have time to comply. “Telehealth organisations and our members are almost all uniformly already complying with HIPAA, even with the waiver, and those few that are not, are fully prepared to do so once it comes back into effect,” he said.

Zoom does not see the lifting of the HIPAA waiver as a significant obstacle to the adoption and retention of telehealth. It has a paid-for specialised app, Zoom for Healthcare, which complies with HIPAA. “Zoom for Healthcare ensures that PHI covered under HIPAA is protected via technical and physical safeguards to comply with the law,” Thornley-Davies added. “Users in small practices can simply tick a box to accept a Business Associate Agreement (BAA) and Enable HIPAA Compliance.” A BAA is a contract that protects PHI in accordance with HIPAA guidelines.

According to HealthTap, many privacy regulations seek to strike a balance between managing consumer expectations and rights with company obligations not to engage in behaviour or practices that consumers would find shocking, offensive or concerning (such as selling health data, or disclosing health information without permission). Because HealthTap was developed to be HIPAA-compliant prior to the pandemic, the company did not benefit directly from the ‘relaxed enforcement’ regime that exists today. “We hope that in a post-pandemic era, regulations will be right-sized to facilitate greater virtual care, while still respecting consumer rights and concerns regarding their privacy,” said Saleem. 

“Data protection rules that emphasise consent and protections against unauthorised malicious use or sale of data are critical,” he added. “These rules should similarly balance and simplify the ability of healthcare providers to share and provide information with end users and among healthcare providers.” Saleem said greater and simpler interoperability between medical record providers and increased ease of exporting and owning data by patients should also be a goal.

Yet more regulation beyond HIPAA may be on the horizon. The California Privacy Rights Act (CPRA) imposes new state-specific privacy rules from January 2023. Similar laws have passed in Virginia and Colorado and been proposed in other states too, said Babylon Health. This is one of the great concerns of ATA members. “It becomes very frustrating for companies trying to navigate how to deliver healthcare to patients and citizens in all 50 states,” said Zebley. “They’ve already gone through the battle last decade, trying to comply with GDPR, and they don’t want that again, on a state-by-state basis.”