US health department won’t penalise breaches during covid-19 crisis

The US Department of Health and Human Services will not enforce against healthcare providers that suffer a data breach while using telemedicine in “good faith” during the covid-19 pandemic, according to guidance released by the HHS Office for Civil Rights.

HHS Office for Civil Rights (OCR) guidance published last week said it will “exercise its enforcement discretion and will not pursue otherwise applicable penalties for breaches that result from the good faith provision of telehealth services during the covid-19 nationwide public health emergency”.

The OCR released the guidance following US President Donald Trump’s announcement last week that his administration was suspending HIPAA rules to encourage the use of telemedicine.

Trump’s move has been met with a positive reception from many in the healthcare industry, but some are concerned that a lack of guidance on how to administer telemedicine may lead to patient harm if their records are exposed.

“We understand a pandemic is going on and we want patients to have access to the care they need … [but] we all need to be careful to use the most secure method possible to make sure patients get what they need and not be exposed to the negative consequences of a data breach,” said Deborah Reid, the senior health policy attorney at the Legal Action Center, a non-profit organisation that advocates for people with substance use disorders, HIV or AIDS, or criminal histories.

Reid told GDR that the OCR’s guidance provides little commentary on what constitutes a “good faith” provision of telemedicine.

The guidance does, however, give examples of what a “bad faith” use of telemedicine would look like: using telemedicine for an intentional invasion of privacy, selling data, or violating professional ethical standards. HHS said providers should not use Facebook Live, Twitch, TikTok, or other applications that are not private.

But some of the HHS-approved platforms are more secure than others. WhatsApp chat videos, for example, use end-to-end encryption, but Facebook Messenger does not. Facebook also stores communications made on its messenger app, so presumably the company would have access to communications made between doctors and patients.

Reid said she could not speak specifically to Facebook or other apps, but that she is wary about any apps that pose privacy or cybersecurity vulnerabilities.

“I’d hope a provider would use something more secure,” she said.

Even though HIPAA rules may be suspended, healthcare providers may still be liable under state regulations, licensing agreements, or other cybersecurity laws, added Reid’s colleague, LAC staff attorney Jaqueline Seitz.

“There is possibly a private right of action under state common law,” she said.

Seitz emphasized that maintaining data privacy and security is crucial – even in the midst of a pandemic – because breaches can have permanent consequences for patients being treated for conditions with negative societal stigmas. Patients with substance use disorders can lose employment, child custody, and suffer other negative repercussions if their records are exposed, she said.

“LAC advocates for patient privacy because the harm from a privacy breach is everlasting for patients. Once the information is out there, there can be devastating consequences,” she said. “It’s a very serious issue, given that breaches of health information keep going up and up and up.”

Unlock unlimited access to all Global Data Review content