13 votes

Tele-health privacy concerns are a barrier to therapy

Here in the States, you hear about your insurance company waiving co-pays for tele-health therapy visits in these “uncertain times,” but searching for providers confronts you with even more uncertainty. How do you evaluate their practices for safety and privacy? Every other practitioner subscribes to a different platform. Some, to my horror, use Zoom. Others have adopted a software suite to manage their entire practice. These therapists rely on the same company for scheduling appointment reminders, recording session notes, billing insurance, and running a video chat. When I have requested to connect via Signal, they express a preference for their platform, usually citing HIPAA compliance. One recommended finding a provider who uses paper records as the only avenue open to me. But wasn’t there a time before companies like Spruce, SimplePractice, and TheraNest, where sensitive session notes were somehow distinct, less “networked” than today? How are therapists determining the privacy and security protections of their platform? How do I? Does anyone have experience with these companies?

9 comments

  1. [3]
    Gaywallet

    > These therapists rely on the same company for scheduling appointment reminders, recording session notes, billing insurance, and running a video chat.

    This is incredibly usual, electronic health record platforms are quite extensive nowadays. The big names in the US are EPIC and Cerner. AllScripts is in 3rd place, but frankly a minor player in comparison and primarily in the outpatient space.

    > How are therapists determining the privacy and security protections of their platform?

    They aren't. Companies are only willing to advertise HIPAA compliance if they've done their due diligence and are willing to sign legal BAAs with whoever runs the physician's office.

    > How do I?

    HIPAA compliance, especially with respect to digital privacy is spelled out in detail in the HITECH act of ARRA. A summary from a security perspective can be found at that link.

    The long and short of it, however, is that the potential for very substantial fines makes it so practically no one wants to ensure HIPAA compliance. It's incredibly hard to get even end to end encrypted companies to advertise their product as HIPAA compliant or sell their product to healthcare companies.

    That being said, even when Zoom is used, your healthcare provider is responsible for HIPAA violations if any of your data were to be leaked or captured in any fashion, as would Zoom.

    > Does anyone have experience with these companies?

    Extensive. I work in data science in health care.

    9 votes
    1. [2]
      etiolation

      So, HIPAA compliance is such a high hurdle—or, such an expensive one to trip over—that a messaging platform’s promise of clearing it is a sufficient surety seal (that they do), and further, I should not expect to see FOSS making such promises. Am I drawing the correct conclusions? And am I right in supposing that using Signal would not require a BAA, but would necessitate more steps in the provider's record-keeping protocol in order to maintain HIPAA compliance?

      3 votes
      1. Gaywallet

        > So, HIPAA compliance is such a high hurdle—or, such an expensive one to trip over—that a messaging platform’s promise of clearing it is a sufficient surety seal (that they do)

        It's not so much a hurdle as it is a liability but yes.

        > I should not expect to see FOSS making such promises.

        Correct

        > am I right in supposing that using Signal would not require a BAA, but would necessitate more steps in the provider's record-keeping protocol in order to maintain HIPAA compliance?

        BAAs are used to protect liability, it's unlikely that whoever owns/runs your provider's clinic would be willing to use any product without a signed BAA.

        3 votes
  2. Litmus2336

    I'm interested in Telehealth therapy, but I don't have a place where I can talk in private, out of earshot of roommates and neighbors. The closest I can get is sitting in my car. For me, the concerns start even more basic.

    8 votes
  3. [2]
    tempestoftruth
    (edited)

    I can relate. I've been putting off texting my therapist to set up online meetings for months now, and I can see my own reasoning in some of the doubts you're putting forward.

    It's quite ironic (and reflective of the society that we live in) that the therapists cite, as their reason for using a less secure platform, a piece of legislation that is ostensibly designed to protect your privacy. It's not their fault, since we're all operating in a system that places huge burdens on non-wealthy people who find themselves in legal jeopardy, even if they've taken all the proper precautions (like using a secure, E2EE platform like Signal for online therapy sessions). We need serious changes in how the right to privacy is conceptualized and implemented in the United States, and encryption needs to become an expected feature of online communications (proper end-to-end encryption where the end users hold the encryption keys), among more structural changes that could begin to address these problems.

    6 votes
    1. etiolation
      (edited)

      Wait until your therapist diagnoses your privacy qualms as an irrational feature of an anxiety disorder! Privacy education and restoration are critical needs. I hope the conferences and workshops docs attend can address the issue.

      4 votes
  4. [3]
    Qis

    Gosh, yes, it's really frustrating. My therapist refused to even talk on the telephone, cagily and nonsensically citing HIPAA requirements which he could not describe in any detail. I guess I need a webcam to receive therapy?? And my psychiatrist knows and manages his own schedule but for some reason he can only describe it vaguely, so getting follow-up appointments on the books is a long process of me asking when he would be available. Both of these services are very hemmed in by the software suites they employ and it makes them much less useful.

    5 votes
    1. etiolation

      Seriously. I understand the preference for video, since giving and observing non-verbals is an important aspect of many modalities, but there has to be flexibility. Your comment about scheduling with your psychiatrist brings me back. A former p-doc of mine made me feel like she was very carefully sorting the contents of an ancient recipe box over the last six minutes of each appointment.

      4 votes
    2. moonbathers

      On the flip side, my health provider insists that Zoom is a secure method of having doctor appointments.

      1 vote