Health care providers using (or considering) teleconferencing software Zoom, heed this important warning: serious security, privacy, and data protection issues reportedly plague the product, leading several public and private entities to discontinue use.
During the COVID-19 crisis, federal and state agencies encouraged provider flexibility for the sake of continuing care. The US Department of Health and Human Services (HHS) made special HIPAA penalty exemptions for providers who, in good faith, turn to telehealth services. California’s Division of Workers’ Comp (DWC) has broadly encouraged telehealth as a means of remotely treating injured workers.
But as providers adopt new tools to enable remote treatment, cybersecurity and privacy warrant careful consideration.
It seems appropriate that “zoom” is an onomatopoeia for something rollercoasters do.
As the threat of coronavirus forced countless professionals to work exclusively online, Zoom saw astonishing growth almost literally overnight. But all that new business exposed significant gaps in the platform’s defenses against cyberthreats, leading to headlines like the Guardian’s “‘Zoom Is Malware’.”
Zoom users have experienced a range of privacy violations, including:
Soon enough, entities from public school districts to national governments decided the risks associated with using Zoom were too great, and terminated use. Zoom founder and CEO Eric S. Yuan offered an explanation and promised to do better while encouraging remaining users to utilize the software’s existing security measures.
While the US Health and Human Services Office for Civil Rights (OCR) is waiving HIPAA violation penalties against providers “in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
For telehealth purposes, providers should consider using only the known popular applications recommended in the OCR notice: Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype. Providers should also enable all available encryption and privacy modes when using such applications. We also encourage providers to notify patients that these third-party applications potentially introduce privacy risks.
As California’s Division of Workers’ Compensation (DWC) promotes “creative solutions” for continuing care to injured workers, including telehealth services, providers must carefully weigh their options regarding appropriate software tools. Telehealth cybersecurity is a new, but crucial, consideration during the current COVID-19 crisis.
The California DWC broadly encouraged providers to utilize telehealth services in its March 19 Newsline. In a March 28 follow-up, the DWC defined the technological requirements of a billable telehealth visit:
Any remote visit in which provider and patient can see — and not just hear — each other fulfills DWC standards. As providers consider the confidentiality of medical services and take the necessary steps to protect the privacy of both parties, a wide range of options that meet DWC standards is available. We strongly encourage providers to devote some time to thoroughly research those tools.
No software is impervious to malicious online actors, but providers should consider the security reputation of any platform used to treat injured workers remotely.
For more on telehealth rules for Medicare, California health insurers, and California workers’ compensation, look through the free resources available on our COVID-19 page.
DaisyBill provides content as an insightful service to its readers and clients. It does not offer legal advice and cannot guarantee the accuracy or suitability of its content for a particular purpose.