Surge in virtual care brings increased privacy risks
In September, Costco became the latest retailer to venture into virtual primary care, offering its members $29 telehealth visits, $72 standard lab panels with consult, and $79 virtual therapy visits. This follows Amazon’s leap into limited in-person and mostly virtual primary care with its purchase of One Medical earlier in the year, roughly three years removed from the launch of Amazon Pharmacy in 2020.
Alongside these retail giants, startup companies like BetterHelp and Calmerry have emerged as players in the market for online mental health therapy, responding to both the surge in demand for mental health services coming out of the COVID-19 pandemic and the desire for convenient access to therapy in the privacy of one’s own environment.
When sharing personal and sensitive health information virtually or in person with a healthcare provider, you expect your information to remain private and secure, but is it?
In most instances, your healthcare provider will be a “covered entity” subject to the Health Insurance Portability and Accountability Act (HIPAA), a federal law that protects sensitive patient health information from being disclosed without patient consent or knowledge. However, not all healthcare providers are subject to HIPAA requirements. If a healthcare provider does not accept insurance — and thus does not submit electronic claims to insurers for billing purposes — then the provider is not a covered entity subject to HIPAA requirements.
Many of these emerging companies offering virtual options for convenient care have opted not to accept health insurance, and their reasons for doing so vary. Some do not believe that a reduced negotiated rate for the healthcare services they offer would leave them with a viable business model, and that a direct patient payment model is the only sustainable path. Some believe that removing third-party interference enhances the patient-provider dynamic. Others just want to avoid the hassle and complexity of the rules for maintenance of medical records, billing compliance and prior authorization requirements to obtain certain treatments for patients.
On one hand, a healthcare provider’s decision not to accept insurance can give them more control about how they interact with their patients. On the other hand, it frees them from oversight and certain legal requirements, including HIPAA, that are intended to protect patients from bad actors.
What does this mean if you decide to use these types of services that do no accept insurance? It means that the Office of Civil Rights in the U.S. Department of Health and Human Services — the agency that enforces HIPAA — cannot protect you from unauthorized disclosures of your personal health information. The Arkansas Personal Information Protection Act — enforced by the Arkansas Attorney General through deceptive trade practice law — offers some limited protection for failure to “maintain reasonable security procedures and practices” to protect personal information “from unauthorized access, destruction, use, modification, or disclosure,” but the law does not specify what disclosures may be appropriate.
Some states are filling gaps in federal privacy laws. For example, the California Consumer Privacy Act provides privacy protections including the right to know about the personal information an entity collects and how it is used and shared, the right to opt out of sharing personal information, and the right to correct inaccurate personal information.
Under its authority to enforce federal laws prohibiting unfair and deceptive trade practices, the Federal Trade Commission has also been active regarding mishandling of patient data. In March, the FTC announced that it had banned BetterHelp from revealing patient data including mental health information to social media sites for advertising and fined the company $7.8 million for failing to keep its promise not to do so. This issue also has the attention of Congress, prompting hearings during which policymakers questioned telehealth companies on their data-sharing practices and the introduction of a bill called the Upholding Protections for Health and Online Location Data Privacy Act.
To be fair, many of these emerging virtual care providers agree to abide by HIPAA requirements even though they are not subject to them or otherwise offer privacy and security protections in the terms and conditions for use of their services. It’s critical that you read and understand their privacy policies, including how your personal information is collected and used.
Other ways to protect your personal information include:
- Educating yourself about the platform you are using so you can make informed choices about the privacy protections offered.
- Opting out of optional cookies that share data about how you use the platform or that gather information for targeted marketing or advertising.
- Not allowing the platform to access to your social media accounts, contacts, and location where possible.
- Asking if the platform has a HIPAA-compliant policy, and requesting documentation.
Virtual care — particularly for mental health needs — certainly has the potential to enhance access, but there are always tradeoffs in healthcare. If you decide to use one of these services, make sure your information is as protected as possible. Don’t trade your privacy for convenience.
Editor’s note: Craig Wilson, J.D., M.P.A., is the director of health policy for the Arkansas Center for Health Improvement, an independent, nonpartisan health policy center in Little Rock. The opinions expressed are those of the author.