Don't Rely on Zoom to be HIPAA-compliant

Or any other videoconferencing platform for that matter. Only YOU can be HIPAA compliant!

With the majority of private practice mental health therapists moving to telehealth in response to the various Stay-At-Home orders, it seems appropriate to make a few points about HIPAA compliance and ethics as they relate to selecting and using a telehealth platform. Among the platforms seeing a significant uptick in use is Zoom.us. Unfortunately, over the last few days Zoom has been the subject of a media firestorm over "Zoombombing": Zoom's infrastructure and default app settings have made it possible for uninvited strangers to drop in on Zoom meetings and do anything from simply listening in to sharing graphic material with all of the participants.

As it relates to therapists, I've seen a lot of chatter and questions on various online forums that go something like, "But, if we sign a BAA (i.e. a business associate agreement) then we're covered, right?" or "This is why I use Google's G-Suite."

There are a couple of important things to understand here.

First, if Zoom (or any other provider with whom you have an active BAA) acts in a way that falls outside the obligations it took on under that BAA, then, in all likelihood, the liability for that failure lies with them. However, signing a BAA does not release us as therapists from also acting in both a HIPAA-compliant and an ethical way.

Let's take, for example, my personal platform of choice, Google's G-Suite. As a G-Suite customer, you have the option of executing a BAA with Google that covers a wide range of their services. This means that you can use Google Meet to hold HIPAA-compliant therapy sessions and share PHI (i.e. protected health information) via the chat feature. It means that you can create and store documents in Google Drive that contain a host of PHI. You can store and transmit any PHI you want within Google's covered services and, if Google acts in a way that exposes this PHI, the liability is most likely with them.

But, this does not in any way release us as therapists from our own responsibilities. Sticking with G-Suite, when we execute their BAA, they are very clear that the BAA is effective only inasmuch as we, the other party to the BAA, follow the steps in their HIPAA implementation guide to lock down our G-Suite account. If we use a service like Google Drive File Stream to synchronize our Google Drive files to our laptop but don't have our laptop's hard drive encrypted and protected with a strong password, that synchronized copy of the PHI is now our problem: a lost or stolen laptop in that state is not covered by the provisions of our BAA. Our own HIPAA compliance often means opting in to settings that make life less convenient for us (e.g. full-disk encryption, and a strong password on our phones and tablets rather than a four-digit code) in order to increase the privacy and security of our clients.

Zoom has reportedly updated their software with fixes for the Zoombombing problem. That is their duty. Making sure that we are running the current release of the software and following any guidance that Zoom provides on changing settings and other aspects of the program to prevent Zoombombing (for example, requiring a meeting password, enabling the waiting room so that we admit participants ourselves, and limiting screen sharing to the host) - that's our duty. A software update alone does not change settings that are left to us.

Second, what about ethics? There are more than just legal considerations to think about. If we learn – or even suspect – that a system we are using is subject to weaknesses like Zoombombing, what do we do? What is the appropriate course of action to take with our clients? Even though we are subject to somewhat different ethical codes, it strikes me that having conversations with our clients about the risks and offering alternatives would be a great option. It may be that switching to a different platform until there is certainty about the security of Zoom is also the right ethical choice. Ultimately, those are decisions that we each have to make independently. If we have a technical support person or company, it might be a good idea to have them sit with us (virtually, of course) and ensure that our system is configured correctly and that we understand the programs we are using well enough to be sure we are doing all we can.

When we sign a BAA, it is important not to become complacent and assume that everything we do is covered. It is possible for us as therapists to use a technology covered by a BAA in insecure, HIPAA-noncompliant ways. It's possible for us to use the same technology in unethical ways.

Only you can ensure that you're being HIPAA-compliant!

I'm not a HIPAA lawyer – I'm a therapist with a long background in technology. During this time of uncertainty, I am offering free consultation (via Google Meet) about how you can make sure that you're transitioning to telehealth platforms well and continuing to provide the best quality service to your clients. Contact me if you're interested in talking more about how I can help.