Rates of emotional distress are surging amid a deepening economic recession, a reckoning with state violence against the Black community, and the COVID-19 pandemic. The closures and restrictions necessary to mitigate the coronavirus’ spread have also massively disrupted in-person, outpatient mental health care at a time when an unprecedented number of people need support. To preserve people’s access to care during the public health emergency, telehealth availability has been rapidly scaled up and regulatory barriers temporarily removed. But increased emergency use of telehealth services and platforms must not occur at the expense of user privacy nor can inequitable access to such services remain unaddressed. Policymakers and regulators must increase coverage and access to telehealth and the technology required for its effective use, while ensuring patient privacy protections.
Telehealth has not been accessible
Even before to the coronavirus pandemic, the mental health system was fragmented, unaffordable, and inaccessible for many. Despite robust evidence that telehealth is effective for treating mental illnesses, telehealth policy was, and largely continues to be, a patchwork of regulations that vary by state and insurance type. Only five states had permanent laws that mandate parity for payment and coverage for telehealth services in place before the pandemic. It’s clear that telehealth is useful in in times of social distancing: In April 2020, weekly telehealth use among Medicare beneficiaries increased 13,000 percent compared to uptake prior to the pandemic. The federal government has temporarily relaxed several restrictions that typically limit access to telehealth, including allowing Medicare beneficiaries to receive care by live video from their homes during the public health emergency and expanding the types of providers that can offer telehealth services. The Centers for Medicare and Medicaid Services made a recent move to expand telehealth access for Medicare beneficiaries in rural areas, but not all communities have equal access to telehealth.
Not all web platforms meet accessibility requirements for individuals with disabilities. People with physical, sensory, or intellectual disabilities may also have a mental health disability. In fact, mental illness is more prevalent among those who have an existing disability diagnosis. A person’s mental health needs do not erase or supersede their other accessibility needs. These may include contrast controls, captioning, screen reader compatibility, among others. The rapid uptake of telemental health must take accessibility into account.
Many people who previously struggled to receive in-person care due to geographic inaccessibility, disability, or provider availability have benefited from expanded telehealth options. However, racial and socioeconomic inequities in broadband access, digital literacy, and cellular coverage limit access for the very communities most affected by COVID-19. In a 2019 survey, nearly one-third of households in the United States lacked a broadband connection, often due to the high cost of service. Trump-appointed Federal Communications Commission (FCC) Chairman Ajit Pai has rolled back Lifeline, the federal program which provides subsidies to qualifying low-income families to receive a phone and/or broadband access, resulting in a 40 percent reduction in enrollment. As the pandemic pushes health care and other life-sustaining services online, inequitable access to reliable internet connectivity could be lethal.
Expanded telemental health cannot be at the expense of privacy
As part of its push to increase the use of telehealth services, the U.S. Department of Health and Human Services (HHS) has indicated it will waive penalties for the use of software that does not comply with the Health Insurance Portability and Accountability Act (HIPAA)—which protects patient privacy and health information—for the duration of the public health emergency. However, the relaxed HIPAA enforcement and looser privacy regulations could have long-lasting consequences for patients and their health data.
Many patients are contacting their providers on telehealth platforms that do not meet HIPAA standards, leaving them vulnerable to privacy intrusions without HIPAA requirements for privacy and security. In addition, HIPAA regulations do not sufficiently protect patient privacy in the digital health sphere. HIPAA only covers certain entities, and information managed or created by patients is not protected. Even more alarming, major telehealth platforms that are HIPAA compliant can still exploit and profit from users’ sensitive information.
Virtual health companies subject to HIPAA cannot legally disclose personally identifying health information, but they can collect or share the metadata surrounding it. Much can be extrapolated about one’s health status simply by tracking what a person likes or searches, who they contact, and when they access a service, even if their actual diagnoses and medical records remain private. This data collection occurs without users’ affirmative consent and undermines their ability to access support anonymously. For example, the telehealth platform Amwell, which is bound by HIPAA, states in its privacy policy that it may collect information from third-party services that its users access, such as Facebook, Google, and Twitter. As Amwell’s privacy policy shows, HIPAA does not sufficiently safeguard users’ privacy and can even use sell data like search terms or pages viewed on and off the platform to target ads to users or steer users to particular search results. Because more people are using telehealth than ever before, these data sets become especially valuable.
The pandemic has also prompted more people to turn to mobile applications for mental health support. However, such applications are not typically subject to HIPAA, and data collected is often stored, sold, and/or used for targeted advertising without the user’s knowledge. Alarmingly, this datamining includes major teletherapy mobile apps that connect users directly with licensed practitioners, such as Better Help and TalkSpace. A recent investigative report by Jezebel found that both teletherapy apps collected and shared sensitive metadata with third-party vendors for targeted advertising. While patients’ personally identifying information is not directly shared, metadata—which exposes when, where, and how often someone receives therapy through the app—is. In fact, Facebook was identified as one of the companies that received and stored data tracking each time the teletherapy apps were opened by a user. Facebook has a track record of privacy violations, including leveraging user data to identify and target advertisements to emotionally vulnerable young people. These privacy intrusions occur due to the absence of a regulatory framework addressing this intersection of consumer advertising practices and mental healthcare.
In a 2019 study of commercial mobile applications focused on depression management and smoking cessation, nearly half of these applications failed to properly disclose sharing this sensitive data with third-party entities such as Google and Facebook. In addition to these privacy concerns, many applications make treatment claims, despite no evidence for the efficacy of their offerings and harmful information. For example, of the top 69 depression and suicide prevention mobile apps, only 7 percent incorporated all six evidence-based practices for preventing suicide. The accelerating shift to web-based mental health support—coupled with relaxed enforcement and deregulation—can render marginalized groups vulnerable to exploitation and the mining of their personal health data.
Recommendations
To address telemental health privacy and access concerns, policymakers must reimburse providers at fair rates, improve access to broadband and cellular coverage, and ensure privacy and accessibility for telemental health users.
Fair and innovative payments for providers
Since the start of the pandemic, the Centers for Medicare and Medicaid Services (CMS) has added more than 80 new telehealth services that qualify for Medicare reimbursement and has allowed providers to temporarily bill telehealth services at the same rate as in-person services. However, Medicaid and private insurance coverage and payment for telehealth widely varies. Medicaid programs and private insurers should also boost payments for telehealth services to allow people who need or want to avoid in-person interactions to access these critical mental health services. Payment increases for telehealth services should also remain in place, even after the current public health emergency declaration ends. While most don’t explicitly address parity, 37 states have laws that govern private insurers’ coverage and reimbursement of telehealth services. They should use these frameworks to ensure fair telehealth rates and access for people who may be vulnerable to the coronavirus or live in communities with a shortage of in-person providers.
Policymakers should also consider innovating alternative payment models (APMs) to promote efficient and high quality telemental health. APMs could bypass cumbersome fee-for-service coding for telehealth services to lessen the administrative burden faced by many mental health providers and encourage uptake of quality, patient-centered care. While data is limited on clinical mental health outcomes, there is promising evidence that APMs improve process-of-care measures, which are often related to clinical outcomes. Policymakers should use the National Quality Forum’s telehealth framework that measures the value of a telehealth service, assessing factors such as patient empowerment, cost effectiveness, and accessibility.
Improve access to broadband and cellular coverage
Additionally, the FCC’s Keep Americans Connected pledge—which temporarily asked broadband and telephone service providers to expand access, waive late fees, and offer access to Wi-Fi hotspots—was a critical first step in ensuring broadband connectivity is not disrupted during the pandemic. However, the FCC must do more to expand the Lifeline program and bridge the digital divide, as the pandemic’s health and economic impacts continue to worsen. In the short term, the FCC should permanently streamline eligibility criteria for Lifeline through the National Eligibility Verifier program, which is intended to allow Lifeline providers to quickly determine eligibility by reviewing a database of other government assistance programs, so that people who qualify for other forms of public assistance are not unnecessarily subject to cumbersome review or wrongly determined ineligible. The FCC should also create an emergency Lifeline broadband benefit to fill in the coverage gaps for low-income families; provide unlimited free minutes and text for enrollees; and prohibit disconnections for Lifeline customers during the crisis and for at least three months afterward.
Ensure privacy and accessibility for patients using telehealth and web-based supports
While measures taken to expand access to telehealth and web-based supports are crucial during this pandemic, they cannot be done at the expense of service users’ privacy. The HHS Office of Civil Rights must resume robust enforcement of its patient privacy and security requirements that it relaxed during the pandemic. Specifically, it must return to mandating end-to-end encryption and password protection within telemental health contexts to ensure that sensitive health data is better protected and provide an added layer of user verification. Critically, most conferencing platforms currently being used for telemental health already have these features built in. The HHS Office of Civil Rights and CMS must also regulate the web accessibility of these platforms to ensure they meet access requirements for use by people with disabilities.
Mental wellness applications are already poorly regulated, and the Food and Drug Administration (FDA) has announced that it is further relaxing the vetting process for prescription mental health apps that it regulates as medical devices during the pandemic. Currently, the FDA typically only regulates premarket certifications and approvals for apps that are regulated as medical devices and prescribed. The Federal Trade Commission (FTC) is responsible for investigating false product claims app developers might make. The FTC must fully enforce the FTC Act to rigorously investigate mental health apps that make false claims about the services they provide or otherwise engage in deceptive practices that undermine privacy and security.
Legislative action is also needed to better protect user privacy. Congress must address the unique privacy concerns that emerge at the nexus of health care and consumer practices. Personally identifiable health information should be protected by an expanded HIPAA framework, irrespective of the entity producing, managing, or storing that information. Legislation should require health applications and virtual health platforms to disclose their data and metadata collection, storage, and sharing practices in addition to requiring users’ affirmative express consent before such collection can occur.
Conclusion
The coronavirus pandemic has triggered an unprecedented surge in the use of telemental health services. While it will take time for regulations to catch up to increased emergency use of telehealth services, lawmakers must act swiftly to redress inequities in access and coverage while bolstering patient data privacy protections.
Nicole Rapfogel is a research assistant for Health Policy at the Center for American Progress. Azza Altiraifi was a research and advocacy manager for the Disability Justice Initiative at the Center.
To find the latest CAP resources on the coronavirus, visit our coronavirus resource page.