Question: Is my online telehealth visit private and secure?
Answer:
Yes!
Your visit with your online psychiatrist or therapist is secure. Every visit, including an in-person visit, most likely uses some electronic means of storing your data (rather than a paper chart), so data security is no different for in-person visits than it is for online visits.
The platform that we use is Zoom, one of the industry-leading providers of secure, efficient video conferencing. There are numerous companies that provide video conferencing software, and their minimum security requirements are regulated by HIPAA.
What are the minimum HIPAA requirements?
Any data that is stored or transferred must be encrypted: video, audio, and email. Video conferencing software includes encryption. The industry standard is AES 256-bit encryption, which exceeds the HIPAA requirement (128-bit). There are different types of encryption: FIPS, ISDN, AES, VPN. The vendor must also offer a BAA (Business Associate Agreement): a contract between the two parties to uphold their responsibilities for protecting the data that they say they will protect. This satisfies HIPAA regulations and creates liability between the parties.
What other areas of vulnerability are there for data breaches?
Not surprisingly, data transmission is only one area of vulnerability for data loss. In fact, there is also a high likelihood of loss due to human error. According to the 2018 Cost of a Data Breach Study, around 25 percent of all U.S. data breaches were attributed to carelessness or user error. The study stated that users consistently failed to properly erase data from devices. The study also reveals that negligent breaches are about half as frequent as criminal breaches. This is why internal risk assessments are crucial.
What security features does Zoom use for telehealth / virtual psychiatric visits?
According to their security white paper:
“Zoom E2E chat encryption allows for a secured communication where only the intended recipient can read the secured message. Zoom uses public and private keys to encrypt the chat session with Advanced Encryption Standard (AES-256). Communications are established using 256-bit TLS encryption and all shared content is encrypted using AES-256 encryption. Session keys are generated with a device-unique hardware ID to avoid data being read from other devices. This ensures that the session cannot be eavesdropped on or tampered with.”