What does corporate use of consumer data have to do with therapy?
How do I make sense of how my personal data is being bought and sold in the world wide web marketplace?
What does all that have to do with counseling?
Phenix is about holistic health – working with you to address mental and emotional health while connecting that journey to your body and spirit. Every now and then, a “random” issue comes along that intersects with our work. For example, we posted last week on the approaching hurricane, not because we are weather experts but because we see the mental and emotional health dynamics associated with storms. Today’s post on data privacy may seem outside the scope of mental health content, but hang with us… it does intersect and it does matter.
Our clients are aware that we use an electronic health record (EHR) platform called Simple Practice. Not only are health care providers strongly encouraged to use an EHR (required if they accept Medicare/Medicaid funds), but for a telehealth practice, an EHR is a basic necessity. One of the principles we have adhered to since our founding is to utilize tools and solutions which honor the privacy protections of the Health Insurance Portability and Accountability Act (HIPAA). That said, HIPAA standards represent the minimum level of care. As therapists, we operate at a much higher ethical standard based on our role as stewards of our clients’ information. Our clients trust us to protect their vulnerability as much as possible and we take that responsibility seriously. With those values, recent developments are causing concerns that we want to share with those who invest in their health through therapy (whether our client or not).
On August 2nd, our EHR provider released a new terms of service document which aggressively required signature within two weeks to retain access to all of our client care information. This was the first red flag, a clear indication that this company does not understand the legal access requirements for medical records. Most of us pay little attention anymore to the terms of service agreements that we all “click the box” for nearly every day. We’ve all probably joked about possibly signing over our firstborn without knowing it… The thing is, terms of service are fairly standard for general tech companies but healthcare companies must operate very differently. Some clinicians were tipped off by the inappropriate presentation and started reading the new terms of service. Within days, a firestorm erupted with clinicians raising concerns in multiple online communities. The new terms claimed rights to user data which did not sensibly align with what should be needed just to provide the service we are paying for, and clinicians weren’t having it! This resulted in the company backpedaling slightly… extending the deadline for agreement and entering into the compliance review process they should have completed before setting up the terms. The easy answer would seem to be – just find a new provider. Unfortunately, the problem is bigger than this one company…
In the past decade, a quiet war has been unfolding in technology. Capitalists long ago discovered the profit in monetizing data. Most of the technology tools we use today are based on this practice of offering a ‘free’ service (social media, email, web search, cloud storage, etc.) in exchange for access to data that can be aggregated and sold to the highest bidder. This purchased data allows businesses to target us with advertising and offers, personalized to what we are searching for/interested in. Investors have found more and more spaces and creative ways to entice us to hand over data they can monetize. About ten years ago, venture capitalists discovered the health care industry as an unmonetized space and started moving in. Technology companies started offering online therapy way before COVID made it popular, knowing that it allowed them to set up systems which could collect valuable data. These companies were launched and run by investors with zero healthcare experience. The problem is, monetizing healthcare data is illegal, resulting in over 7 million dollars in fines against one of them, for example. For a company raking in over a billion dollars annually (2022) though, that fine is simply the price of doing business. So the quiet war behind the scenes wages on as tech experts launch healthcare companies daily with nary a clinician in their leadership hierarchy, leaving them out of touch with the ethical rules clinicians must follow. Therapists and medical providers have been sounding the alarm for years, but the millions of dollars these companies have available to control the narrative and pay the fines are almost impossible to beat. What that means is that it is extremely difficult to find the technology tools we need, set up with full understanding of healthcare ethics and even healthcare law.
Trust and transparency are the foundation of the therapeutic alliance. What our service providers do with our client data (even when it is ‘deidentified’) matters to us. We see our role of stewarding client data as a sacred trust. While it may seem hopeless to expect today’s environment of corporate greed to prioritize privacy over profit, we have a responsibility to keep fighting. What that looks like for us is participation in the collective pushback on our EHR provider to: practice the Safe Harbor Method in deidentifying data; legally commit to respecting the intellectual property rights of clinicians who customize EHR features; and disclose the client portal access terms of service, how data is used for AI training, and what exact information is being sold to exactly what companies. Electronic Health Record software is not a free service. As a small practice, we pay over two thousand dollars a year, so imagine what more than 170,000 clinicians are paying (estimate of customer base for our current company)! Selling user data is not a necessary component of their profit strategy.
Additionally, we are taking the time to explore the alternatives. This is labor intensive and exhausting but necessary. We will look for tech companies that are run by clinicians and that provide the ethical parameters our clients deserve. We have been strategic from the start in how we structured our processes. Our EHR happens to be a comprehensive practice management platform as well, capable of handling every technological need, but we have never used it in that way. We use separate platforms for payment, messaging, video-meeting, etc. for two reasons: 1) We are not at the mercy of one platform, containing every tool we need to serve our clients, if it shuts down for some reason, and 2) Our clients’ information can never be accessed in one complete package. While the companies who serve the healthcare industry have the greatest access to tech tools of confidentiality, perfection does not exist in this world and so we have structured things accordingly even before this latest concern. Moving forward, we will keep you updated every step of the way so that you have clarity about how your records are stored, accessed and managed.