On April 21, 2020, Thora Johnson was quoted in Bloomberg Law discussing the lawsuits and state actions doctors might face as a result of patient privacy violations that occur through the use of video conferencing tools—even after federal regulators relaxed enforcement.
According to the article, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has said it won’t penalize providers for “good faith” telehealth use during the coronavirus pandemic that violates the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA). But the video apps still must protect patient data, including notes, treatments, and lab reports, under HIPAA’s Security Rule.
Legal enforcement waters can get muddy when video conferencing app vendors are business associates of healthcare providers, Johnson said. Business associates, by law, are subject to the same patient data protection responsibilities as health providers. Tech companies under business-associate agreements, then, are subject to HHS enforcement in the event of a security failure, she said.
“It can get very tricky because the provider of the video conferencing tool may actually be in a business-associate role,” Johnson said.
Aside from state enforcement, providers also face the risk that patients who believe a video consultation violated their privacy could sue. Lawsuits could be brought under the California Consumer Privacy Act if the security around telehealth platforms is lacking, said Johnson.