Doctors are quick to adopt new technologies when they are used to treat illnesses, but they are practically luddites when it comes to the technology used to communicate with us, their patients. But one of the pandemic’s more surprising side effects has been the new drive to treat patients remotely via telemedicine. Now, in the rush to expand contactless medicine, doctors are moving much faster than the regulators, potentially leaving some patients at risk.
Routine appointments that once happened in person are moving onto digital platforms, raising the risk of hacking in real time and threatening doctor-patient confidentiality. Telehealth was a multibillion-dollar industry before the arrival of COVID-19, but use increased nationally by more than 5,000% in both April and May 2020 when compared to the prior year. The money involved is staggering. Earlier this month virtual healthcare provider Teledoc announced the purchase of Livongo, a mobile health management platform, for $18.5 billion in what amounted to the largest digital health deal in history. But there was consolidation even prior to the pandemic.
In 2019, Amazon purchased PillPack for $753 million, giving the tech behemoth an entry point to the consumer prescription delivery sector. Google attempted to snap up Fitbit for a cool $2.1 billion, but the acquisition is delayed pending a European Union investigation into data protection.
It is easy to see why companies like Amazon are interested in exploiting the telehealth market. The average PillPack user in 2018 generated $5,000 in revenue, nearly four times the typical Prime user. And as most PillPack users are in their 50s and 60s, they are statistically less likely to switch away to rival firms.
More importantly, these patients are an invaluable source of data. Amazon is already utilizing AWS and the Alexa voice division to consolidate medical records and data mine customer information. Independent pharmacists have warned that Amazon violates patient privacy, calling rival pharmacists’ customers to request that they transfer their prescriptions to Amazon. Amazon has refused to reveal how it obtained these patients health and contact data. Additionally, one Amazon data vendor, ReMy Health, recently came under fire for concealing who has access to its sensitive patient information.
Even without corporate consolidation, telemedicine poses pronounced privacy and security risks. As the number of telehealth transactions grows, so too does the attractiveness of telehealth providers as targets for hackers and other malicious actors. Last year, prior to the pandemic, the healthcare industry already saw a 49% increase in hacking, impacting 41.4 million patient records.
Sadly, the federal laws that protect this growing pool of data have gone largely unchanged for a quarter century. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) offers several protections for patient data. But in March, the Department of Health and Human Services Office for Civil Rights announced it would “exercise enforcement discretion and waive penalties for HIPAA violations” for remote healthcare service. In other words, telemedicine providers got a free pass on privacy. Suspending privacy protections as an emergency measure makes sense, but more than five months later, there’s a real risk that this temporary workaround will become a permanent loophole.
HIPAA was enacted to protect Americans with preexisting conditions from discrimination and marginalization. Without HIPAA’s minimal protections, our health data is vulnerable to an array of abuses. While these dangers have to be balanced out against the exigencies of our current public health crisis, they shouldn’t be ignored. Rather than simply responding to the latest crisis, policy makers should create privacy protections that balance patient safety and the need for flexibility.
As remote healthcare services are extended beyond the pandemic, providers must take all steps necessary to secure our sensitive health data. Encryption, threat monitoring, risk assessment, user training, and informed consent are all vital to reducing the risk of data breaches. The companies capitalizing on the rapid expansion of the telehealth industry must also formalize and document their security practices, with real accountability when they fall short. When reassessing the HIPAA waivers enacted during the pandemic, regulators must take the time to consider data security concerns unique to digital healthcare and interoperable technology, updating the standards accordingly.
Lastly, regulators and lawmakers should tend to those left behind in the transition to telehealth. Video consultations and other online services threaten to leave many untreated, with broadband internet access becoming a literal lifeline. Americans on the far side of the digital divide—those without smartphones, computers, or consistent connectivity—are increasingly shut out from the virtual physician’s office. This means that many of those lower-income communities hit hardest by COVID-19 will also have the hardest time finding medical help.
It won’t be easy to create rules for an entire subfield of medicine, but it is certainly urgent. Health data is held to a heightened privacy standard for a reason. As we open the door to the provision of digital healthcare and the development of related technology, we cannot leave that door open to new and dangerous security risks.
Albert Fox Cahn (@FoxCahn) is the founder and executive director of the Surveillance Technology Oversight Project (S.T.O.P.) at the Urban Justice Center, a New York-based civil rights and privacy group, and a fellow at the Engelberg Center for Innovation Law & Policy at N.Y.U. School of Law. Melissa Giddings is a legal fellow at the Surveillance Technology Oversight Project.