
Opinion: Privacy risks climb in era of big data

With telemedicine in its infancy, now is the time to strengthen patient privacy laws
February 11, 2015

Last week, Anthem Blue Cross crossed a high-water mark. Some 80 million patients were left adrift after cybercriminals breached Anthem’s database, putting them at risk of identity theft. That 80 million exceeds the combined total of the previous five years of data breaches recorded in the Health and Human Services Office for Civil Rights data breach hall of shame.

One might question what it really means to be “HIPAA compliant.”

Data = $$$ in e-health. The ‘P’ in HIPAA isn’t for privacy. It’s for (P)ortability—the kind that (H)ealth (I)nsurance companies need to make sure Big Money flows through America’s fragmented health care “system.” Who takes (A)ccountability for safeguarding our health data if we don’t know where our data flows? Like small tributaries to rivers that eventually feed into oceans, Big Data/Big Money emerges from little data/little money tributaries.

We need dams to control the flow of data, especially when new technology releases a new digital stream. Senate Bill 144 could create a digital flood. This bill stipulates requirements for health plans to cover telemedical services.

Telemedical services in Oregon are “delivered through a two-way video communication” which allows a health professional to interact with patients in the comforts of their home… or work… or anywhere their mobile device may be. Last year, Oregon insurance companies and hospitals killed a similar bill, threatened by ZoomCare—which had already cornered the paying customers market in the Portland metro. ZoomCare currently charges patients $85 cash for Skype TakeOut®.

Google Ventures into healthcare

The ZoomCare/Skype dynamic duo has a new competitor in Oregon: Doctor on Demand. Dr. Phil and his son, Jay (executive producer of The Doctors), have teamed up with Jonathan Bush (nephew of George H.W., and President/CEO of athenahealth, a “leading provider of cloud-based services and mobile applications for medical groups and health systems”) and deep-pocketed venture capitalists: Andreessen Horowitz, Venrock, Lerer Ventures, Shasta Ventures and Google Ventures.

Google Ventures says it will provide “unparalleled support in design, recruiting, marketing, and more” to the portfolio of companies it invests in. Andreessen Horowitz is a $4 billion venture capital firm. Marc Andreessen and Ben Horowitz were criticized for investments in Skype that were deemed risky because of feared competition from Google and Apple. When Microsoft acquired Skype in 2011 for $8.5 billion, their bet paid off. Their partnership with Google is a brilliant move.

Whether the “more” that Google Ventures supports is lawful is another thing. Google Ventures’ portfolio includes Recorded Future, a joint investment with the CIA. Google relies on advertising to monetize its “free” services by using “cookies.”

In a lawsuit against Google, students claim Google violated federal and state wiretap laws by intercepting electronic Gmail messages and data-mining those messages for advertising-related purposes–including the building of “surreptitious user profiles.” Judge Lucy Koh, whose jurisdiction is in the heart of Silicon Valley, denied a motion from Google to dismiss the case entirely. She rejected the company’s argument that Gmail users agreed to let their messages be scanned when they accepted subscription service terms and privacy policies.

Snowden revelations showed the National Security Agency secretly piggybacked on Google cookies for surveillance and to track targets. Skype also worked with the NSA; and while it is still uncertain whether Skype provides end-to-end encryption, Skype stored videoconferencing communications for the NSA.

Televangelists unite

Dr. Phil, hawking Doctor on Demand services for UTIs, flu and psychotherapy on YouTube (a subsidiary of Google since 2006), must have faith that HIPAA security rules won’t be a barrier to their business plan. He says they are going to have “some type of storage of information”—which is concerning since federal law specifically protects psychotherapy notes from unauthorized use or disclosure.

Dr. Phil and his business associates must have felt solace when fellow health televangelist Dr. Oz and his “NY Med” TV crew fought a lawsuit for broadcasting a man’s death without his or his family’s consent. The show’s attorneys argued, “(T)he law prohibits medical professionals from sharing information about a patient only after he has been examined or treated.” “After” is the operative word.

Doctor on Demand’s terms of use states, “We will maintain the privacy of your Health Information as required by HIPAA and the regulations promulgated under that Act. We may also use your health information to: Assist in specialized government functions such as national security, intelligence and protective services.”

It further states:

Google Analytics collects only the IP address assigned to you on the date you visit the Site, rather than your name or other personally identifying information. Although Google Analytics plants a persistent Cookie on your web browser to identify you as a unique user the next time you visit the Site, the Cookie cannot be used by anyone but Google. Google’s ability to use and share information collected by Google Analytics about your visits to the Site is restricted by the Google Analytics Terms of Use and the Google Privacy Policy.

“Persistent cookies” identify information about the user, such as Web surfing behavior or user preferences for a specific Web site. In contrast to a “session cookie”, persistent cookies are stored on the hard drive until the user deletes the cookie.
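To make the session-versus-persistent distinction concrete, here is a short added example (not code from the article or from any of the companies it names) that reads constructed Set-Cookie headers and reports whether each cookie dies with the browser or stays on disk, and for how long. The cookie names, the header values and the reference date are assumptions; the only thing that marks a cookie as persistent is the presence of an Expires or Max-Age attribute.

```python
"""Tell session cookies from persistent ones by reading Set-Cookie headers.

Added example for illustration; not code from the article or from any
vendor it mentions. The headers below are constructed, and the cookie
names and the reference date are assumptions.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from typing import Optional

# Constructed reference moment: the article's publication date.
REFERENCE_TIME = datetime(2015, 2, 11, tzinfo=timezone.utc)

# Constructed Set-Cookie header values, as a web server might send them.
SAMPLE_HEADERS = [
    # No Expires or Max-Age: a session cookie, discarded when the browser closes.
    "sid=abc123; Path=/; Secure; HttpOnly",
    # Max-Age in seconds (two years): kept on disk across browser restarts.
    "_ga=GA1.2.1234567890.1423612800; Max-Age=63072000; Path=/",
    # Expires as an HTTP date: kept on disk until that date.
    "prefs=lang%3Den; Expires=Wed, 11 Feb 2026 00:00:00 GMT; Path=/",
]


def classify_set_cookie(header: str, now: Optional[datetime] = None) -> dict:
    """Parse one Set-Cookie header value and describe the cookie it sets.

    Returns the cookie name, its kind ('session' or 'persistent'), the
    lifetime in seconds (None for a session cookie), and whether the
    Secure and HttpOnly flags were present.
    """
    now = now or datetime.now(timezone.utc)
    jar = SimpleCookie()
    jar.load(header)  # SimpleCookie understands Set-Cookie attribute syntax
    if len(jar) != 1:
        raise ValueError("expected exactly one cookie in header: %r" % header)
    name, morsel = next(iter(jar.items()))

    max_age = morsel["max-age"]  # empty string when the attribute is absent
    expires = morsel["expires"]
    if max_age:
        # Max-Age takes precedence over Expires when both are present.
        lifetime = int(max_age)
    elif expires:
        lifetime = int((parsedate_to_datetime(expires) - now).total_seconds())
    else:
        lifetime = None  # no expiry attribute at all: session cookie

    return {
        "name": name,
        "kind": "session" if lifetime is None else "persistent",
        "lifetime_seconds": lifetime,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def audit_cookies(headers, now: Optional[datetime] = None) -> list:
    """Classify every header in order and return the list of results."""
    return [classify_set_cookie(h, now) for h in headers]


if __name__ == "__main__":
    for info in audit_cookies(SAMPLE_HEADERS, REFERENCE_TIME):
        days = ""
        if info["lifetime_seconds"] is not None:
            days = " for %d days" % (info["lifetime_seconds"] // 86400)
        print("%-6s %-10s%s" % (info["name"], info["kind"], days))
```

Running the block prints one line per cookie; the constructed analytics cookie shows up as persistent for 730 days, which is the kind of lifetime that lets a visitor be recognised on a return visit long after the appointment.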

Skype’s privacy policy, on the other hand, doesn’t even mention HIPAA.

Telehealth security holes and HIPAA compliance

The Telehealth Alliance of Oregon references a white paper from the Center for Telehealth and e-Health law. “As defined in the Security Rule, ePHI (Protected Health Information)… does not include paper-to-paper faxes, video teleconferencing, or messages left on voice mail—because the information being exchanged did not exist in electronic form prior to the transmission.”

SB 144 stipulates: “The application and technology used to provide the health service meet all standards required by state and federal laws governing the privacy and security of protected health information.”

Would telemedicine in Oregon be HIPAA compliant for security? When the HIPAA Security Rule excludes the need for business associates to provide secure transmission for teleconferencing, sure!

But even if the bill’s language is amended to specifically include teleconferencing, shouldn’t the bill mandate end-to-end encryption and other protections?

Regardless, Doctor on Demand venture capitalists are betting patients will charge $40 to their credit card for digital urgent care—even if it’s not covered by insurance. Just launch your Chrome browser and paste in their web address. Or if you prefer, you can download an app from the Apple App Store or Google Play and use your smart phone!

Just don’t expect a face-to-face appointment unless you have plenty of frequent flyer miles. The doc-in-a-computer-box most likely does not live in Oregon, let alone have a license to practice here.

I called the Doctor on Demand patient support number. When nobody answered, I called doctor support and talked to a representative. He told me I could immediately get appointments with either Dr. Christopher Pedersen or Dr. Kristin Dean. Dr. Pedersen (who lives in Las Vegas, Nevada) received an Oregon telemedicine license on 12/23/14. Dr. Dean lives in California, where she is licensed to practice medicine, but she is not licensed in Oregon, which may violate Oregon law.

There will be fines

Last year, New York-Presbyterian Hospital and Columbia University Medical Center (the same hospitals where NY Med is filmed) were fined a record $4.8 million to settle HIPAA violations. HHS OCR performed its first piloted HIPAA audit in March 2014. 58 of 59 covered entities had at least one negative finding. In 2015, HHS OCR will shift its focus to business associates. While there is no private right of action (i.e. no civil lawsuits) for HIPAA violations, individuals have successfully sued for negligence.

In contemplating the Anthem breach, Dan Munro, a contributor to Forbes, recommends, “Healthcare enterprises need to establish airtight policies for encrypting all data both in transit and at rest.” He quotes Linn Freedman (who practices data privacy and security law with Nixon Peabody, LLP): “When OCR (Office of Civil Rights) begins enforcing HIPAA and levies hefty fines and penalties against business associates, they will wake up quickly. In the meantime, patients’ health information is at risk and I have seen a dramatic increase in breaches caused by business associates which have not implemented measures to comply with HIPAA’s Security Rule.”

Maybe it’s just me, but I don’t know how you could ever pin data breaches on Google. After all, their mission is to “organize the world’s information and make it universally accessible and useful.”

Oregon telemedicine is in its infancy. We should urge Oregon lawmakers to strengthen state and federal laws to assure patients that their telemedicine visits will be confidential before more data dams are breached.
