A Digital Checkup on HIPAA: Modernizing Healthcare Privacy Standards for Telehealth Services.

Author: Wells, Julia

TABLE OF CONTENTS

I. INTRODUCTION
II. BACKGROUND
  A. Overview of Telehealth Services
    1. Definition and Expansion of "Telehealth Services"
    2. Agency Regulation and Oversight of Telehealth Services
  B. Health Insurance Portability and Accountability Act of 1996
    1. Overview of HIPAA
    2. Potential Privacy Issues with HIPAA
    3. Department of Health and Human Services' Notification of Relaxed Enforcement
III. ANALYSIS
  A. Although Congress Appears Unwilling to Compromise on any Issues, Congress is Willing to Address and Act on Issues Involving Healthcare
  B. The FCC Should Have a Larger Role in Regulating Telehealth Due to its Expertise in Communications and History with Telemedicine
  C. HIPAA Should Retain Flexibility but Should Include Best Practices for Ensuring Data Privacy, and Agencies Should Coordinate on Implementation of Privacy Standards
    1. Maintaining Flexibility
    2. Covered Entities Should Implement Privacy Safeguards
    3. Best Practices for Maintaining Data Privacy
    4. Agency Coordination
  D. The Proposal to Reform HIPAA is Limited by Security Risks Posed by Patients Using Telehealth Services, but Health Care Providers Can Mitigate These Risks
IV. CONCLUSION

I. INTRODUCTION

Imagine consulting with your doctor or medical team through videoconferencing platforms or over messaging apps, but those platforms and apps are not encrypted or otherwise secure. Further, imagine that the device your doctor used to communicate with you is stolen, allowing the thief to view your personal health information. This is not an imaginary problem. In 2013, four unencrypted laptops belonging to Advocate Health Care that contained personal health information were stolen, and another unencrypted laptop with the personal information of over 2,000 patients was stolen from an employee's car. (1) The theft of unencrypted devices is not the only risk to patient privacy, however. Risks to patient privacy include ransomware attacks, health care providers sending private health information to the wrong person, and sending and storing unencrypted health information, including videos. (2)

Prior to the coronavirus pandemic, the use of telehealth services was uncommon. (3) Due to the pandemic, the use of telehealth services has increased, allowing people to receive routine checkups and medical care without risking their health by entering a hospital or doctor's office. (4) Although these telehealth services have provided much needed medical care during the pandemic, they have raised numerous patient privacy concerns. Because the pandemic made telehealth services a necessity to prevent in-person contact, several health care providers had to implement telehealth services quickly. Many of these services have likely not undergone the normal security checks and may not comply with the Health Insurance Portability and Accountability Act ("HIPAA").

During the pandemic, the Department of Health and Human Services ("HHS") announced that it would not penalize covered health care providers using video chatting platforms that may not be HIPAA compliant for telehealth services "in connection with the good faith provision of telehealth during the [pandemic]." (5) This regulatory discretion in enforcement implicates patients' data privacy. Because telehealth services will likely remain popular after the pandemic, Congress should reform HIPAA so that it maintains flexibility regarding telehealth platforms while protecting patients' personal information. HIPAA should be reformed to include more detailed provisions concerning best practices for maintaining data privacy, such as two-factor authentication and firewalls, and include technical requirements for devices used to connect with patients, such as encryption.

Part A of the Background section of this Note provides an overview of telehealth services and the agencies involved in regulating and providing access to those services. Additionally, Part A describes the expansion of telehealth services in the United States. Part B of the Background presents a brief overview of HIPAA, its limitations, as well as an overview of HHS' Notification of Relaxed Enforcement. Moreover, Part B describes the roles agencies, particularly the FCC, play in overseeing and implementing telehealth services. Part A of the Analysis demonstrates the feasibility of Congress addressing matters relating to healthcare despite intense congressional polarization. Part B of the Analysis argues that the FCC should be given a larger role in regulating telehealth services, and Part C proposes reforms that should be made to HIPAA to increase flexibility while providing greater protection to patients' private information. Finally, Part D addresses potential limitations of the proposal and provides possible solutions to those limitations.

  II. BACKGROUND

    A. Overview of Telehealth Services

      1. Definition and Expansion of "Telehealth Services"

        Telehealth services is "the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration." (6) These services can be provided through audio, text, and video. (7) They are designed to overcome geographic barriers in connecting with patients for clinical services through information and communication technologies (e.g., computers, cell phones, etc.). (8)

        Prior to the coronavirus pandemic, the use of telehealth services was uncommon. Based on a sample of health benefit claims in 2018, only 2.4% of patients enrolled in large employer health plans that included outpatient services had used a telehealth service. (9) By May of 2020, a poll had found that at least 23% of adults had utilized telehealth services, and that number has exponentially grown. (10) A global study from July 2021 found that, out of 5,000 responses, almost half had engaged in telehealth services. (11) Over 80% of the group that had used telehealth services used those services during the pandemic in order to minimize in-person interactions. (12) Furthermore, 63% of respondents stated that they plan to continue using telehealth services post-pandemic, and 77% stated that they "enjoyed using telehealth." (13) In addition to the increasing usage of telehealth services, investments in those services have increased. (14) In August 2021, the Biden-Harris Administration declared "a $19 million investment to expand telehealth and improve access in rural communities." (15) Furthermore, a study found that 76% of employers expanded their telehealth services during the pandemic and that they plan to continue providing telehealth options post-pandemic. (16) Given its increased usage and investment, as well as the convenience telehealth services provide both patients and doctors, telehealth services will likely remain popular after the pandemic. The continued use of telehealth services makes agency regulation extremely important.

      2. Agency Regulation and Oversight of Telehealth Services

        A variety of government agencies, including HHS and the FCC, are involved in regulating and providing greater access to telehealth services. The FCC has long been involved in telecommunications, including telehealth and telemedicine. In the Telecommunications Act of 1996, Congress ordered the FCC to "encourage the deployment on a reasonable and timely basis of advanced telecommunications capability to all Americans." (17) In 2006, the FCC created the Rural Health Care Pilot Program aimed at introducing telemedicine and telehealth services to rural areas. (18) Moreover, in 2014, the FCC formed the Connect2Health FCC Task Force, which is concerned with "the critical intersection of broadband, advanced technology, and health with the primary goal of ensuring that advanced health care solutions are readily accessible to all Americans." (19) Additionally, the FCC worked with the Food and Drug Administration and the Office of the National Coordinator for Health Information Technology to propose "recommendations on appropriate, risk-based regulatory framework pertaining to health information technology... that promotes innovation, protects patient safety, and avoids regulatory duplication." (20)

        During the pandemic, Congress furthered the FCC's role in telehealth by passing the Coronavirus Aid, Relief, and Economic Security Act ("CARES Act"). (21) The CARES Act allocated $200 million to the FCC for the expansion of telehealth services across the U.S. (22) The FCC was authorized to use these funds "to prevent, prepare for, and respond to coronavirus, domestically or internationally, including to support efforts of health care providers to address coronavirus by providing telecommunications services, information services, and devices necessary to enable the provision of telehealth services during an emergency period." (23) With this increased funding, the FCC has focused on providing telehealth services to people in remote areas. (24) It uses these funds to enable eligible nonprofit and public health care providers to buy telecommunications services and devices necessary to use those services. (25)

        In addition to allocating funds to the FCC to expand telehealth services, the CARES Act encourages the expansion of telemedicine in general. (26) For example, Section 3212 adds $29 million in annual funding for 2021 through 2025 to develop "'evidence-based projects that utilize telehealth technologies through telehealth networks.'" (27) Moreover, Section 3707 instructs the Secretary of HHS to "encourage the use of telecommunications systems" in home health services during the emergency period. (28) Other provisions in the CARES Act provide for reimbursement of particular telehealth services for seniors on Social Security and encourage the Secretary of Veterans Affairs to enter into contracts to expand telehealth services for veterans. (29) Although the...
