Legislative efforts aim to address privacy concerns amid COVID-19
Since the start of the COVID-19 pandemic, privacy laws and regulations have been loosened to accommodate increased telehealth services and avoid in-office visits.
For instance, CMS announced that smartphone apps and platforms that would not typically be permitted under HIPAA regulations would be allowed for use during telehealth visits, and that telehealth visits would be reimbursed at the same rate as in-office visits for many services.
These and other efforts have led to a rapid increase in telehealth utilization among primary care physicians. In a recent survey conducted by the Primary Care Collaborative and the Larry H. Green Center, 60% of PCPs reported that they were experiencing an all-time high of non-face-to-face patient contact.
However, the increased use of telehealth services and other efforts with reduced or limited privacy laws, such as contact tracing, has led to concerns regarding privacy breaches.
Data privacy breaches
Most data breaches in health care involve the loss of financial and demographic information, John X. Jiang, PhD, professor and Plante Moran Faculty Fellow in the department of accounting and information systems at Michigan State University’s Eli Broad College of Business, told Healio Primary Care.
“The most harm of data breaches in health care is the loss of sensitive financial information — such as credit card or bank account — and identifying information — such as driver’s license numbers, or social security numbers — which can be exploited for identity theft or financial fraud,” he said.
The recent increase in time spent on diagnosis through telehealth does not necessarily increase the risk for these types of data breaches, he added.
Previously, experts noted that while large contact tracing efforts via smartphones — such as those being made by Apple and Google — should be used to aid public health efforts, it is important to ensure the privacy of users and data security.
Jiang said there have been concerns that people’s data could be sold or breached after being used in contact tracing apps, but the benefits of these efforts may outweigh the risks.
“A lot of private entities such as credit card companies, Amazon, Google, Facebook, Twitter and phone companies already know a lot about our habits and locations,” Jiang said. “If contact tracing is used for a higher purpose such as my health and my community’s safety, the risk of privacy breaches is bearable.”
Research conducted by Jiang and Ge Bai, PhD, CPA, associate professor of accounting and health policy and management at Johns Hopkins University, and published in JAMA Internal Medicine, showed that 53% of data breaches of protected health information occurred internally in practices. These breaches were attributed to neglect or mistakes made by the health care entity itself.
They found that of the breaches included in their study, 46.1% were in mobile devices, 28.7% were in paper records, and 29.3% were in network servers, with some breaches occurring in multiple locations.
To combat these types of breaches, Jiang and Bai recommended common corrective actions such as encrypting and restricting use of mobile devices when protective health information was stored on them, digitizing protective health information and scaling up the safety of facilities where paper records are kept. Additionally, they recommended that monitoring or even auditing access to network servers on the cloud and strengthening their firewalls are another way to combat data breaches.
To address physicians’ concerns about data privacy while working from home, the AMA released a guide to help physicians keep their home office environment safe from cyber threats.
The AMA advised physicians to watch for email phishing scams and ransomware on their personal computers and to consider using a virtual private network to provide them with the ability to securely connect to their office’s practice management system, patient records and anything else stored in the electronic health record. If physicians decide to use VPNs, the AMA asked them to consider taking steps to ensure privacy, including the use of authentication and lockout measures, limiting remote access to only necessary databases and systems within the office, and to keep the VPN and other cloud-based services up to date.
When using a smartphone or tablet, the AMA provided physicians with a list of ways to help protect against cyber-attacks, including having a strong home Wi-Fi password, using multifactor authentication whenever possible, enabling lockout features and installing anti-virus software.
When using EHR and telemedicine apps, the AMA suggested physicians talk to their EHR vendor to check that they are using the right app for their environment, review the federal government’s list of recommended telemedicine apps and services, and enable all encryption and privacy modes that are available in a their telemedicine app.
Multiple legislative efforts have been made to address privacy concerns amid the COVID-19 pandemic.
The COVID-19 Consumer Data Protection Act, introduced April, was created to provide people in the United States with increased transparency, choice and control over how their personal health and other data information is used. In addition, the bill would make businesses accountable to their consumers if they use personal data for COVID-19 contact tracing efforts.
“While the severity of the COVID-19 health crisis cannot be overstated, individual privacy, even during times of crisis, remains critically important,” Sen. John Thune of South Dakota, one of the senators who introduced the bill, said in a press release. “This bill strikes the right balance between innovation — allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread — and maintaining privacy protections for U.S. citizens.”
The Public Health Emergency Privacy Act was also introduced to ensure that data collected for public health efforts would only be used for those efforts, would prohibit the use of collected health data for discriminatory or unrelated purposes, require data security and integrity protection and require tech firms to delete data after the public health emergency.
Another legislative effort that was introduced known as the Coronavirus Containment Corps Act would require the CDC to develop a national contact tracing strategy that includes plans to prevent the misuse of individuals’ data by ensuring automatic deletion of data, data anonymization and security, and prohibiting data sharing with government entities other than the CDC and Indian Health Service.
“Our legislation will massively expand our health care workforce to trace and prevent COVID-19, make sure states and localities have the support they need, and provide robust privacy protections to ensure Americans' personal data and health information is protected,” Sen. Elizabeth Warren, one of the lawmakers who introduced the legislation, said in a press release. “It is critical to stopping the virus dead in its tracks, keeping our communities healthy, and getting our economy up and running.”
- AMA. Working from home during COVID-19 pandemic. https://www.ama-assn.org/system/files/2020-04/cybersecurity-work-from-home-covid-19.pdf. Accessed July 9, 2020.
- HHS. Notification of enforcement discretion for telehealth remote communications during the COVID-19 nationwide public health emergency. https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html. Accessed July 8, 2020.
- Jiang X, et al. Ann Intern Med. 2019:doi:10.7326/M19-1759.
- Jiang X, et al. JAMA Intern Med. 2018;doi:10.1001/jamainternmed.2018.5295.
- Senate.gov. Combatting COVID while protecting privacy: The Public Health Emergency Privacy Act (PHEPA). https://www.bennet.senate.gov/public/_cache/files/e/f/eff19960-ab72-42df-b49f-7e3dbe66c75a/87421A2A334F7DD17EE87A9F75AFA39F.public-health-emergency-privacy-act---one-pager.pdf. Accessed July 9, 2020.
- Senate.gov. Committee Leaders Introduce Data Privacy Bill. https://www.commerce.senate.gov/2020/5/committee-leaders-introduce-data-privacy-bill. Accessed July 8, 2020.
- Senate.gov. The Coronavirus Containment Corps Act. https://www.warren.senate.gov/imo/media/doc/One%20Pager-Coronavirus%20Containment%20Act1.pdf. Accessed July 8, 2020.
- Senate.gov. Warren, Levin, Merkley, Smith introduce legislation for a national contact tracing program. https://www.warren.senate.gov/newsroom/press-releases/warren-levin-merkley-smith-introduce-legislation-for-a-national-contact-tracing-program. Accessed July 8, 2020.