CHRIS: The final exception applies “if the covered entity or business associate has made a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.” Now, this is sort of like the big catch-all. I mean, think about this. This is really a lot of what you see with some of the new guidance that came out on telehealth.
RON: So it was interesting, because you just mentioned this, I think, in a previous video. I remember you saying something like the OCR just put out a new ruling that with telehealth, iPhone FaceTime and, on Android, Google Duo are now acceptable forms of telehealth platforms because they don't record the call. So it's okay for a doctor and a patient to be on FaceTime talking and have a telehealth session. Because what it's saying here is that the information that is going across could not really be retained, because it's not being recorded.
So with Duo and FaceTime, they're typically not recorded. There's no issue and no ability to go in there and easily record that; they don't record by default, and it doesn't store that data. So there's really not going to be a persistent breach of that data. It just allows the doctor to share the information with a covered entity and vice versa. But it's not going to be retained. Whereas with Zoom, I know I use Zoom on most of my demos every day, and we constantly record those and send the information and the demos to our clients, and the presumption that Zoom is going to record is there.
So if you use Zoom for telehealth sessions, then that could be in violation. So you would have to ensure that you're using a HIPAA-compliant app version of Zoom, not a regular version of Zoom. Otherwise you could be in violation of HIPAA.
So yeah, there's a lot of weird edge cases, and where this one is going to apply is not only inter-, it's intra-, when you're talking about the covered entities. For example, let's say I've got type 2 diabetes and I'm talking to my doctor in his office about my care. Well, that's one thing, and that's easy to control within an office, right? So it'd be between me, my doctor, maybe the PA, maybe a nurse, maybe whoever is taking my blood.
But then all of a sudden, if he says, “I need to refer you to a hematologist and specialist,” now all of a sudden we're bringing in another entity. So if my doctor calls that entity to have a conversation with them, he's on the phone with someone telling them about my care. And it ends up being someone at that office that isn't supposed to have access to that data, but they took the call because the doctor was out of the office... that's where one of these breaches can happen.
That was the second exception there, where it's an inadvertent disclosure of information to someone who they thought should have authorized access but didn't. So the doctor may not be held accountable, because it may fall under that second exception. When they were like, “Hey, I called to share information as a referral for my patient and I asked you if you can take that information and you said, ‘yes,’” the implication was that you're authorized to take that information, and you were not.
That would be under the second exception here. So it's definitely a gray area, and I would assume that that's where some of those breaches are. You were just talking about Zoom a minute ago. Do you want to extend any more information? I think I covered it briefly, but was there anything else about any of the telehealth sessions that you wanted to finish out?
CHRIS: Well, I think it's a nice analogy to ePHI data in general. A lot of times the data is going to be in a database or physically on a web server, or maybe even on mobile devices because of a mobile app. And some of the data ends up getting stored because of caching or development practices. And you really want to think about this because, by the definition of breach, they're talking about, in number one, basically the nature and extent of the PHI and whether or not identifiers are there, and can somebody acquire or view that data, and did they or not?
We sort of get into that in some of the breach reporting. But did they or not review that? That becomes the question. But if it was possible, then there's sort of this assumption that has to be made that somebody could have taken that data and used it for a non-innocent use case, a non-good-faith use case. Which, if you click on the breach reporting page and we go take a look at that and just go through some of these concepts, I think it would be great if you were just to go over the highlighted sections here, and just sort of outline what this is and how it works with how you're supposed to report breaches.