The Kaiser Family Foundation conducted a poll in the beginning of March showing that a third of their respondents said that the coronavirus (COVID-19) outbreak had a minor or major negative impact on their mental health. That proportion jumped up to nearly half (45%) when they conducted the poll again between March 25th to the 30th. In response, the HHS has relaxed telemedicine and telemental health restrictions so more individuals and families can get access to care safely. This is an important and necessary measure to increase access to care but with the recent Zoom privacy debacle (e.g., NPR; CNBC), I couldn’t help but wonder what this means for the privacy of patients and therapists, or any one of us who has used or currently uses video conferencing software to speak with a doctor, socialize, or work. After researching different options, I found that you don’t have to compromise your privacy or security and I shared a list of secure and unsecure options below.
Quick background on HIPAA for
First, here’s quick primer on HIPAA, which got me thinking about this topic in the first place.
HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. The legislation essentially requires that all healthcare practitioners and administrators must protect our Protected Health Information (PHI) through a secure system that ensures that only authorized individuals can access our data. This is true whether the information is on paper or in a computer system, including any information transmitted over the internet like video conferences. You can read more about HIPAA through the HHS website.
Quick non-technical explanation of video conferencing software in relation to HIPAA
Prior to the coronavirus pandemic, HIPAA restrictions meant that telehealth practitioners had to use video communication systems that incorporate end-to-end encryption (E2EE) for video and audio to be HIPAA compliant. I’m going to oversimplify this here but that essentially means that when our computers are transmitting the audio and video from our meetings to someone else’s computer, the data needs to be scrambled so that only meeting participants can access and unscramble the audio and video content in a meaningful way (using keys). The details are a bit more complicated though because there are different ways to encrypt this data, which can be confusing if you don’t look into the details. For example, in the case of Zoom, the company does use encryption, but they use a type of encryption (transport encryption rather than E2EE) that enables Zoom to access the audio and video content of the meetings that it hosts. With E2EE, Zoom would not be able to access this content.
There are apps and software out there that offer or use E2EE (and have been consistently transparent about whether they use E2EE or not). Here is a list of some that I found:
Video conferencing software that DOES use E2:
* indicates that it is free or there is a free version available.
- Skype business
- Microsoft Teams
- Google Duo*
- Amazon Chime
- Spruce health
- WhatsApp* —
- It’s also worth noting that Facebook, the parent company of WhatsApp, was not transparent about data collection in the recent past. So maybe consider a different app if you’re concerned about protecting your and others’ privacy…
–Some of these are only free during the pandemic and will begin charging once distancing measures are lifted.–
Video conferencing software that DO NOT use E2EE:
The following video communication apps also do not use E2EE and are public facing so they should never be used for telehealth:
- Facebook Live
None of these companies can guarantee that your PHI or any information that you disclose over video conferencing will be 100% safe. There will always be the risk from hackers, for example, that can jeopardize your security and privacy. If you’re using video conferencing professionally, it’s important to disclose this risk. If you’re a health care practitioner, I especially hope that you will consider using software that protects the privacy of your patients. There are free options available, so there really is no excuse for using a less secure option.