Law in the Internet Society

Telehealth, Privacy, and Covid-19 pandemic

-- By KatharinaRogosch - 08 Dec 2021

Since the start of the Covid-19 pandemic, the provision of healthcare has moved from in-person appointments to a greater use of telemedicine services. Telehealth services use telecommunications and information technology to provide access to health assessment, diagnosis, intervention, consultation, supervision and information across distance.

HIPAA Regulations

The Health Insurance Portability and Accountability Act (“HIPAA”) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The HIPAA regulations are especially pertinent for telehealth services as they use patients’ electronic protected health information (“ePHI”) over electronic communications networks. Consequently, telehealth providers must ensure that:
  1. Only authorized users have access to ePHI
  2. A system of secure communication is implemented to protect the integrity of ePHI
  3. A system of monitoring communications containing ePHI is implemented to prevent accidental or malicious breaches

While the focus of the HIPAA regulation is on the security of ePHI, the standard used to secure communications is encryption. This means that if telehealth communications are conducted over email or text, these messages must be encrypted. Technically, a phone call between a healthcare provider and a patient will satisfy the HIPAA rules, but sharing any further communications through any means other than a phone call will not. For example, if the healthcare provider shares follow-up information containing ePHI after the phone call via unencrypted email or text messages, this violates the HIPAA rules. The main aim of the HIPAA regulations is to ensure that any ePHI shared before and after the telehealth appointment is transmitted through an encrypted platform. Consequently, it comes as no surprise that a majority of telemedicine services were provided through hospital-designed platforms.

Impact of the Covid-19 pandemic on HIPAA privacy standards

During the onset of the Covid-19 pandemic, both the Centers for Medicare and Medicaid Services (CMS) and the US Department of Health and Human Services (“HHS”) took unprecedented action to expand telehealth. One important aspect of the broadening of telemedicine services is that these services are no longer limited to telemedicine platforms designed by healthcare providers themselves. Telemedicine services during the pandemic can be provided through acceptable service vendors that use non-public-facing platforms such as FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, and Skype.

While the move to allow the provision of telehealth services through easily accessible communications platforms was intended to ensure easy access to medical services during the pandemic, this opening-up of telemedicine has resulted in additional complications regarding the security of telehealth services. For example, before the pandemic, the focus was on ensuring that pre- and post-appointment telehealth communication was encrypted so as not to expose any ePHI. However, using services such as Zoom during the pandemic has raised concerns about the recording of the actual telehealth appointments and the sharing of ePHI discussed during them.

The HHS opening-up of telemedicine calls through platforms such as FaceTime and Facebook Messenger exposes individuals and their private medical data. For example, with over 200 million users, Zoom is the most popular video application but still faces cybersecurity challenges with “zoombombing”, a term used when calls are infiltrated by hackers. Concerns about the HIPAA compliance of Zoom were expressed as early as March 2020, with one commentator underlining that “there are serious concerns about the security of Zoom” and that “this creates doubts about using Zoom for communicating medical information, which needs to be fully protected”. If worries have been raised about the provision of telemedicine appointments through the Zoom platform, it is even more concerning that these online medical appointments can be handled through Facebook Messenger as well.

Doximity and Telehealth services

Doximity is a professional medical network for U.S. healthcare professionals, of which more than 80% of US doctors and 50% of nurse practitioners and physician assistants are members. Doximity functions as a separate application through which physicians can “securely” connect and collaborate with other healthcare professionals about patient treatment and patient referrals. Doximity is unique because it also acts as a telemedicine provider (through Doximity Dialer and Video); however, the way it addresses physicians’ privacy and security makes it an interesting case study for the interactions between telemedicine, the Covid-19 pandemic, and privacy.

There are two features of Doximity’s application that make it a unique telemedicine provider: first, Doximity Dialer and Video, a feature of the company’s mobile application that allows physicians to call patients from their cell phones while displaying any phone number of their choice on the patient’s caller ID; and second, the fact that Doximity Dialer is a HIPAA-secure platform that facilitates encrypted communications with patients. Unlike the majority of telemedicine providers, Doximity developed video-call capabilities as part of its own application and made these HIPAA-compliant at a time when HIPAA compliance had been waived by the HHS. Even though Doximity’s secure video-call capabilities make it stand out from other telemedicine providers that instead use services such as Zoom, this is not what makes Doximity special. Instead, it is the combination of both a secure communications platform and video-conferencing capabilities that protects patients’ ePHI before, during, and after the telehealth appointment.


While this essay has heralded the design of the Doximity application, namely for its HIPAA compliance and its ability to protect the physician’s privacy, the design of the application targets physicians and not patients. This means that the focus is on ensuring that physicians are not harmed by direct contact with patients, and the protection afforded to the patient using the platform happens to be a positive consequence of this design. The Doximity Dialer still retains patient information; however, in comparison to applications such as Facebook Messenger and Zoom, individual patients can view the data that is collected on the application and remove it. This creates the dilemma this essay was hoping to explore, namely, how to balance individual privacy with increased access to telemedicine during the Covid-19 pandemic.



r3 - 16 Jan 2022 - 23:53:00 - KatharinaRogosch