The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.
Washington, D.C. (April 1, 2020): HHS announced today that your brain is not HIPAA-compliant
Is your brain HIPAA-compliant? Today HHS issued a new NPRM indicating that they believe that no, the human brain is not in compliance with HIPAA. Healthcare professionals and other interested parties have until the end of the day to make public comments on this emergency proposed rule that finds that the brain is not HIPAA-compliant.
Since HIPAA we’ve seen a proliferation of services and devices advertising themselves as “HIPAA-compliant.” There have also been plenty of arguments about whether specific tools like Skype (and now Zoom) are “HIPAA-compliant.” The reality, though, is that an electronic tool could be designed in a secure fashion and our dumb brain would then use it in a way that really isn’t secure (such as on our laptops in public view while on an open WiFi network in a busy Starbucks). Yes, there are technology standards that must be met, but it isn’t just the tool that leads to HIPAA compliance, it is the way we use the tool (…and check out this old blog post from Psychology.news if you’re confused as to why routinely logging in to public WiFi can lead to bad news). However, this news story today isn’t about the way we use tools like our brain; it is about whether our brain itself can be relied upon not to leak healthcare information. We now know that our brain is full of electrical activity; how much of that electrical activity may leak from outside our heads and be intercepted by perpetrators of identity theft, state-sponsored hackers, or corporations bent on tailoring advertising or possibly even manipulating our brain waves to make a sale or get a vote? Perhaps this is science fiction or a bioethics debate that is fifty years ahead of its time; but technology moves fast. Remember when health care ubiquitously used pagers that weren’t secure?
That’s right. In health care people were using pagers that could transmit alphanumeric characters that often included personally identifiable information (PII) about patients. Professionals (who aren’t tech experts) mistakenly thought that the messages they sent and received could only be read by them or the person they sent the message to. The reality is that unencrypted pager messages sent over mobile networks are blasted out like a radio station; anyone with enough initiative could set up an antenna and read your pager messages. Anyone can accomplish this with a minimal investment of money and a bit of time spent on Google or YouTube. For example, here is a YouTube search for “pager sniffing.” Yes, we should not be using unsecured pagers in a way that is not HIPAA-compliant (i.e. no patient names or diagnoses). Otherwise, something like this article could happen: IT Worker Uncovers Hospital Pagers with Poor PHI Data Security. “Using an antenna he purchased to receive TV channels on his laptop, the worker was able to pick up unencrypted pager data… The unencrypted PHI includes patient name, doctor’s name, level of care, and diagnosis.” Or how about this one from just this past September 2019: Unsecure Pagers in Vancouver Expose Sensitive Patient Data: What This Means for Enterprises. We know that pagers are radiating out and leaking information to potential bad guys; there are alternative products on the market we can invest in and/or we can stop using them in a HIPAA-noncompliant fashion. We know that no electronic device or software is perfect. Your cell phone says “wassup” to every cell tower nearby, letting them know where you’ve been even if your GPS/location services are turned off. With the application of an electromagnetic field, your RFID credit cards will scream out your personal information. We send text messages, use WiFi, and I don’t want to live in a world without AI. These all have vulnerabilities though.
We’ve beaten up on Skype and I wonder if this has contributed to Skype for Business being replaced by Microsoft Teams (though platforms like Slack probably have more to do with that). While we talk smack about Skype not being “HIPAA-compliant,” perhaps it could be compliant in some forms or contexts. For example, the Social Security Administration uses Skype for Business within its locked-down system. It isn’t always just the tool; it is whether you’re using the tool in a HIPAA-compliant fashion. That could be more or less difficult for some tools. One of the hardest tools to keep HIPAA-compliant will soon become your brain. What if your brain were leaking out information too via radio waves? These radio waves could be intercepted by someone with the right antenna. Wouldn’t it be a lot harder to mitigate any risks if it were your brain itself that was leaking the electronic health information? It won’t be long before the FCC starts regulating the radio frequency spectrum that our brains operate on. What are your thoughts on the government regulating the frequencies your brain operates on? Should the FCC be able to regulate brain waves (and if so, can they fine you for broadcasting obscene thoughts?)
First of all, I agree with the scoff you just gave me. I’m even surprised you’re still reading this blog post. The metaphor that your brain is a radio has been applied in very flawed ways in the past. We don’t receive our consciousness through signals being broadcast from some alien satellite in heaven. We don’t need tinfoil hats to block mind-control satellites (at least not yet). However, maybe individuals with psychosis who experience concerns about thought broadcasting aren’t that wrong; maybe there are ways of hearing your thoughts. Whether or not the brain is a transceiver or receiver of signals, it may quite possibly be a transmitter of signals. In that sense the brain could be a radio station leaking out information wherever we go (whether or not we’re in a crowded Starbucks). With the right antenna people could, in fact, hear your thoughts and therefore steal your patient data. Yes, your brain waves are broadcast at a low power. However, some low power frequencies can be heard on the other side of the world. Low power (QRP) signals on some frequencies can bounce around the world, allowing things like Morse code and shortwave radio to be heard with only minimal power used. Clearly, dear reader, your agitation is because you obtained a psychology degree and never obtained the necessary basic science background to realize what is possible. Let me give you some recommended reading to help you realize that your brain is leaking signals right now:
First of all, the MIT School of Engineering answers the question: Can brain waves interfere with radio waves? It is interesting. For example, did you know that your brain waves are a form of electromagnetic radiation and that they travel at the speed of light? MIT has already developed a special hat for measuring them: “the MEG scanner consists of a helmet that contains 306 sensors spaced uniformly across its surface. These “superconducting quantum interference detectors” (SQUID) are cooled to near absolute zero, which makes them superconductive and, according to Pantazis, “able to measure even the slightest magnetic signals from the brain.” I assure you someone at MIT is taking the idea of reading your mind seriously and diligently working on that trillion-dollar idea. I’m also not even considering things like Elon Musk creating cyborgs with Neuralink. Yes, tools like this, as well as EEG, qEEG and brain wave mapping, are relative infants compared to our science fiction. However, one thing is quite clear from emerging brain science data and our latest advances in neuroscience: in the future, if we’re to be fully HIPAA-compliant, we must stop using our brains entirely. Alternatively, to mitigate the risk and ensure your brain becomes HIPAA-compliant, HHS has released this instructional video on their YouTube channel.
This tool, using the latest advances in brain-based neuroscience, will help keep you HIPAA-compliant. As an added bonus it will also protect your brain from an EMP. Also, if you wear this on a Skype call you’ll be fine and that Skype call will become HIPAA-compliant. If you don’t use this tool, please be careful: your brain is liable to be responsible for most HIPAA-compliance issues when it comes to technology.
Here are a few more April 1 posts from past years that you can also read:
- T-Minus 6 Months ’til the APA Practice Organization Self-Destructs (2018)
- ASPPB Partners with Amazon to Disrupt Mental Health with EPPP Step 2 (2017)
- American Psychological Association to end use of APA Style by 2020 (2016)
Visit me at: Todd Finnerty, Psy.D.
P.S. Like Zoom? Perhaps you’ve heard the recent stink about the NY Attorney General recently inquiring into Zoom’s privacy practices, or you’d like to read a blog post like this one: ZOOM MEETINGS AREN’T END-TO-END ENCRYPTED, DESPITE MISLEADING MARKETING
P.P.S. Everyone seems to be passing around telepsychology/telehealth resources lately, so I won’t try to duplicate that too much and don’t have platform suggestions. If you want to numb your mind with some APA Guidelines for the Practice of Telepsychology, there is that. You can also monitor the relative progress of PSYPACT (or lack thereof, despite the urgency around COVID-19) by going here. And here is a telehealth resource page from the National Academy of Neuropsychology.