HIPAA, privacy, and the future of healthcare communications solutions
The recent calls at Davos for global oversight of tech companies; the General Data Protection Regulation (GDPR) in the EU; Facebook’s cascading privacy blunders and the resulting FTC investigation; Google’s violation of Apple policy, its potential move into China, and its antitrust suit in Europe.
All these recent events signal a belated and rapid turn toward greater privacy protection and regulation in technology worldwide. At the same time, tech companies are seeking ways to expand and differentiate themselves in the global market, largely by tightening their hold on user data or expanding into new data markets.
All of this should concern Healthcare, which depends on the Tech industry as a business and technology partner. As the Healthcare industry grows more dependent on patient data, data technology is advancing faster than policy makers can regulate it. The result is a familiar pattern, following in Facebook’s footsteps: responsibility for the proper handling of user and patient data is handed to those who stand to profit from it.
Facebook (and Google) in many ways perfected the race to grow a business before policy could catch up and regulate it. In some extraordinary cases, this race pressures businesses into overextending themselves.
Some recent examples demonstrate the growing dependence on patient data and trends that mirror Tech:
- Pharma and Healthcare are investing heavily in data and looking for companies with wide patient consent or innovative data technology - see data companies like K Health, Hu-manity.co, Prognos and Tempus that use a combination of patient data and AI to offer health services to consumers and businesses;
- The SEC charged Theranos, a health tech and data company, for committing large-scale corporate fraud in early 2018;
- The medical and science community is now considering how to prevent, what The New York Times calls, “Rogue Gene Editing of Human Embryos.”
These diverse examples highlight how susceptible Healthcare is to the same mistakes we are now seeing in Tech. To protect itself, the Healthcare industry needs to proceed with the lessons of Tech’s past (and present) in hand and force greater responsibility onto its technology partners.
At a crossroads: Communications technologies in Healthcare
Privacy challenges grow and become even more complex as the trend toward digital technology in Healthcare ramps up in the effort to serve a massively mobile and on-demand consumer market, characterized by convenience and personalization. With a total addressable market of $3.5 trillion (the figure Slack cited when announcing that it was preparing for HIPAA), the highly regulated Healthcare industry exerts mounting pressure on the Tech industry to create solutions for its pressing issues, whether in Telehealth, Health Communities, Mobile Health, Patient Engagement tools, or other Cloud Services.
Communication in particular is becoming crucial to better care. Empirical studies show how conversation, especially with characteristics like empathetic listening and responsive interaction, leads to better patient interventions (see here). Combine this research with the omnipresence of mobile devices and the fact that popular messenger apps boast 5.8 billion monthly active users (MAU), or 76% of the world population, and one begins to see why Healthcare companies are trending toward on-demand, mobile, or conversational health.
At the center of many of these services are Communication Platforms as a Service (CPaaS): companies offering communications solutions like chat, messaging, voice, video, SMS, and e-mail to existing healthcare apps so that healthcare providers and companies can communicate with and engage patients directly. For example, MyTelemedicine, Teladoc, and Doctor On Demand all provide on-demand healthcare through mobile phones. BetterHelp and Sibly provide mental health counseling over in-app messaging. Embleema recently launched a HIPAA-compliant blockchain healthcare network. HealthCrowd is an end-to-end patient engagement and communication platform.
All these companies bring healthcare more intimately into the fold of digital technology and so depend all the more on digital communication to succeed. For example, if you can’t meet with a doctor in person to discuss a particular symptom, communication tools can become even more valuable than a traditional doctor’s visit.
The HIPAA challenge
The challenge for this trend, like the challenge for Tech at large, remains protecting and keeping private the personal health data transmitted among patients, third parties, and healthcare providers. It was precisely because the Department of Health and Human Services (HHS) feared that digital technology would degrade the security of protected health information (PHI) that it updated HIPAA with HITECH.
Because HIPAA was technology agnostic, it left many uncertainties about how to protect PHI as digital technology advanced rapidly in the 2000s and 2010s. So in 2013 HHS combined HITECH with HIPAA to give guidance and set standards for protecting PHI and electronic PHI (ePHI).
Crucially for third-party communications solutions, it also made “Business Associates” (anyone receiving PHI) directly accountable for HIPAA violations, requiring them to create physical, technical, administrative, and organizational frameworks for protecting PHI. Under HIPAA and HITECH, “covered entities” and “business associates” share responsibility for protecting PHI, and both enter into a “business associate agreement” (BAA) to commit legally to that responsibility.
To serve the Healthcare market, then, communications platforms must be willing to take on at least partial responsibility for the protection of user and patient data.
The path forward: "The Buck Stops Here"
This raises the stakes considerably for CPaaS providers that want to participate in the massive Healthcare market. Most do, and they have found two ways forward:
Some companies try to avoid liability for protecting PHI by excluding themselves from the definition of a Business Associate, as HITECH defines it, and thereby place sole responsibility on their clients. These companies tend to both encrypt communications end to end and refuse to store them in their cloud. Basically, they neither look at nor store any PHI. This is effectively HIPAA compliant, but these companies will not sign BAAs.
Or they can take the tougher route: follow the HIPAA and HITECH Privacy Rules and sign the BAA. By signing a BAA, these companies signal that they are confident enough to commit in writing that PHI and ePHI will be protected within their service. A third-party solution provider will do this only when it knows it can protect PHI according to HIPAA.
Interestingly, these strategies often reflect a recent division in CPaaS between Telephony services (Twilio, Nexmo) and services built on Internet Protocol (IP), like SendBird or Layer. Since the technology behind CPaaS tends to be either cellular networks or over-the-top (OTT) delivery using IP, the strategy of an individual company depends largely on the technology it uses. For example, SMS is not encrypted, whereas a message sent over IP may or may not be encrypted.
Some Telephony companies will offer end-to-end encryption, often through a third party. But while companies offering end-to-end encryption without signing a BAA may technically be HIPAA compliant, they also unnecessarily force their Healthcare clients to assume all of the risk.
As a result, Telephony is falling behind the technology curve, relying on difficult-to-protect carrier networks, whereas IP communications solutions are seeking to comply with more security and privacy standards to assure Healthcare and other industries that better communication will enhance patient care without degrading privacy.
As this trend continues, Healthcare needs to put greater pressure on CPaaS companies to demonstrate their security standards and, therefore, to assume some of the risk as business associates under HIPAA and HITECH. Similarly, communication platforms must understand that claiming HIPAA compliance without a BAA is now an empty promise.
The heading of this section references one of SendBird's core values: The Buck Stops Here. It's well exemplified by a quote from Hamaguchi Takanori in a book I originally read in Korean, roughly translated into English as "The Job of the CEO":
"Even the falling snow is my responsibility."
It's a quote about understanding how our actions and words affect the environment and have effects beyond the small portion of the ecosystem that is immediately apparent to us. It asks us to approach the world as though we could be the root cause of every effect in it. It's also, more simply, about not blaming the environment.
In addition to achieving HIPAA compliance, I am proud to say we've also passed our SOC 2 examination. So, rather than taking advantage of an insufficient ecosystem of privacy in technology or pointing to a lack of regulation or policy, the buck stops here: SendBird is actively pursuing greater responsibility in privacy and security.
*This article was originally published at Becker's Hospital Review on Feb. 5th, 2019. We have made a few changes to the article.
John is the CEO of SendBird.