My therapist uses Zoom for her clients, as she was assured that the E2E would help her meet HIPAA requirements and protect her patients.
If someone can get a transcript of what was said, let alone record, in these therapy sessions, they'd have a goldmine to blackmail from.
Please note, this has legal significance for her and other doctors who'd started seeing patients over Zoom. So it's not just abstract "lulz security".
There are people out there with different threat models from you. Please refrain from talking about use cases you may not understand.
Encryption between the last HIPAA covered entity (including business associates) on one end and the first covered entity (including BAs) on the other (or between covered entity on one end and patient on the other) is effectively a requirement of HIPAA in communications between HIPAA covered entities of PHI, since anything else would constitute an unauthorized intentional disclosure of PHI to the third party intermediary (which is a crime, as well as triggering civil liability), and even a third party gaining access to unencrypted PHI without an intentional disclosure is a breach of unsecured PHI triggering mandatory reporting requirements under the HITECH Act.
Does that mean whenever medical information is sent via phone or fax, HIPAA is being violated today?
Because plain old telephone service is not E2E and the phone company can eavesdrop on you quite easily (as can the government with a warrant, or a bad guy with a phone tap on your line...)
Not saying that e2e shouldn't be used when practicable, but a blanket assertion that e2e is required for HIPAA seems a little unbelievable to me when I've recently received COVID test results from providers via a cell phone call.
> Does that mean whenever medical information is sent via phone or Fax, HIPAA is being violated today?
Phone and fax are not considered “electronic” under HIPAA, so the rules, including the rule regarding encryption for exposed PHI to be considered secured vs. unsecured, specific to electronic communication don't apply. I think they may be explicitly given special treatment for some of the not-electronic-specific rules, too. They are well-known to be legacy loopholes to HIPAA privacy/security rules, which is one of the reasons fax held on so long in healthcare as a way of minimizing compliance costs.
You absolutely should not try to intuit what HIPAA requires for anything else by how fax and phone communication in healthcare operates.
Keep in mind that, while the current phone system is very much electronic, the phone system historically predates electronics. It is electric, but not inherently electronic.
Yes, this is a long way of saying e2e is not a HIPAA requirement.
Are you saying you have evidence of Zoom retaining PHI and not safeguarding it appropriately? Because that would be a different conversation than everyone yelling because Zoom said they were e2e and weren't.
But HIPAA does (iirc) require not having arbitrary third-parties to communication. E2E prevents that, but if there wasn't E2E… fairly sure Zoom isn't meant to be a third-party to therapy sessions.
> by all means, show me all the concrete harm zoom has done.
“Oh, they built houses badly? Show me all the concrete harm that's done.” We might not know until the next (metaphorical) earthquake.