Tele-health privacy concerns are a barrier to therapy
Here in the States, you hear about your insurance company waiving co-pays for tele-health therapy visits in these “uncertain times,” but searching for providers confronts you with even more uncertainty. How do you evaluate their practices for safety and privacy? Every other practitioner subscribes to a different platform. Some, to my horror, use Zoom. Others have adopted a software suite to manage their entire practice. These therapists rely on the same company for scheduling appointment reminders, recording session notes, billing insurance, and running a video chat. When I have requested to connect via Signal, they express a preference for their platform, usually citing HIPAA compliance. One recommended a finding a provider who uses paper records as the only avenue open to me. But wasn’t there a time before companies like Spruce, SimplePractice, and TheraNest, where sensitive session notes were somehow distinct, less “networked” than today? How are therapists determining the privacy and security protections of their platform? How do I? Does anyone have experience with these companies?
This is incredibly usual, electronic health record platforms are quite extensive nowadays. The big names in the US are EPIC and Cerner. AllScripts is in 3rd place, but frankly a minor player in comparison and primarily in the outpatient space.
They aren't. Companies are only willing to advertise HIPAA compliance if they've done their due diligence and are willing to sign legal BAAs with whomever runs the physician's office.
HIPAA compliance, especially with respect to digital privacy is spelled out in detail in the HITECH act of ARRA. A summary from a security perspective can be found at that link.
The long and short of it, however, is that the potential for very substantial fines makes it so practically no one wants to ensure HIPAA compliance. It's incredibly hard to get even end to end encrypted companies to advertise their product as HIPAA compliant or sell their product to healthcare companies.
That being said, even when zoom is used, your healthcare provider is responsible for HIPAA violations if any of your data were to be leaked or captured in any fashion, as would zoom.
Extensive. I work in data science in health care.
So, HIPAA compliance is such a high hurdle—or, such an expensive one to trip over—that a messaging platform’s promise of clearing it is a sufficient surety seal (that they do), and further, I should not expect to see FOSS making such promises. Am I drawing the correct conclusions? And am I right in supposing that using Signal would not require a BAA, but would necessitate more steps in the provider's record-keeping protocol in order maintain HIPAA compliance?
It's not so much a hurdle as it is a liability but yes.
Correct
BAAs are used to protect liability, it's unlikely that whomever owns/runs your provider's clinic would be willing to use any product without a signed BAA.
I'm interested in Telehealth therapy, but I don't have a place where I can talk in private, out of earshot of roommates and neighbors. The closest I can get is setting in my car. For me, the concerns start even more basic.
Wait until your therapist diagnoses your privacy qualms as an irrational feature of an anxiety disorder! Privacy education and restoration are critical needs. I hope the conferences and workshops docs attend can address the issue.
Gosh, yes, it's really frustrating. My therapist refused to even talk on the telephone, cagily and nonsensically citing HIPAA requirements which he could not describe in any detail. I guess I need a webcam to receive therapy?? And my psychiatrist knows and manages his own schedule but for some reason he can only describe it vaguely, so getting follow-up appointments on the books is a long process of me asking when he would be available. Both of these services are very hemmed in by the software suites they employ and it makes them much less useful.
Seriously. I understand the preference for video, since giving and observing non-verbals is an important aspect of many modalities, but there has to be flexibility. Your comment about scheduling with your psychiatrist brings me back. A former p-doc of mine made me feel like she was very carefully sorting the contents of an ancient recipe box over the last six minutes of each appointment.
On the flip side, my health provider insists that Zoom is a secure method of having doctor appointments.
Have you found a better alternative I can suggest to my therapist? I asked her if we could use something else but I also ran into the HIPAA compliance wall. I don't want to be stuck on Zoom.
Sorry I missed this.
Doxy reassured me. They don't require sign-up from the patient, are free for the provider, and seem to collect minimal data. There are intermittent issues on Firefox, however.