Telehealth overpromises during the Covid-19 pandemic

“No more germy waiting rooms.” That’s the pitch from telehealth companies as we face the unknowns of Covid-19.

We haven’t yet figured out how to stop the spread of SAR-CoV-2, the virus that causes the disease, but telehealth services are promising to keep us safe by keeping us out of doctors’ offices and emergency departments.

Video “visits” through computers, tablets, and smartphones, also known as telemedicine or virtual health care, are being promoted by hospitals, health systems, Vice President Mike Pence, and even the Centers for Disease Control and Prevention as a solution for meeting patients’ needs during the pandemic. Since a telehealth visit is generally done from the patient’s home, there’s no risk of being exposed to the coronavirus or other pathogen, it is available anytime, and because some of the work can be done by chatbots and automated algorithms, it can handle more patients than in-person care.

As a stopgap measure to triage patients while there is limited access to coronavirus testing, telehealth may be able to provide some much-needed reassurance that things are under control.

But with the absence of a physical exam and the absence of testing, all that telehealth can really offer patients right now is increased surveillance and an illusion of care that poses new risks for our future health and well-being, as well as the loss of privacy.

Congress passed an emergency spending bill dedicating $8.3 billion to fighting Covid-19, including $500 million for telehealth services. And while most of the stock market is tanking, the stock of virtual health company Teladoc is rising, alongside the video conferencing platform Zoom and a handful of other virtual service providers.

But there’s a big difference between working from home using virtual meetings and getting health care from home using virtual health, with the provider across town or across the country.

That means that anything requiring a physical exam that cannot be accomplished by visual inspection through a smartphone camera or a patient’s own self-exam can’t be done through telehealth. Noses and throats can’t be swabbed to detect harmful microbes. Advanced imaging can’t be done. In other words, coronavirus can’t be conclusively identified or ruled out. And while some prescriptions can be written, drugs can’t be delivered or administered through the video screen.

A telehealth clinician can ask the same screening questions that can be asked over the phone and, based on the answers, either soothe the patient’s fears and urge him or her to sit tight at home, or to call ahead to a health care provider and say they have been tentatively diagnosed with Covid-19 and need to come in for a coronavirus test.

The biggest benefit of telehealth may be preventing people who have been exposed to the coronavirus from leaving their homes and spreading it to a physician’s practice or an entire emergency department, putting patients at risk and potentially putting health care workers out of commission for 14 days of quarantine.

But anyone who listens to the CDC’s public health messages already knows to call ahead to their doctor if they have worrisome symptoms.

Screening and testing individuals who might be infected with SAR-CoV-2 is an essential public health task that our health care system is notably underperforming on. Someone needs to fill that role, but I don’t see telemedicine companies as the right ones to do it.

And this is where less benevolent forms of surveillance come into play.

Teladoc’s CEO Jason Gorevic has publicized his collaboration with the CDC to provide near real-time disease tracking from the 130 countries around the world where the company delivers care. This kind of digital disease surveillance is an essential component of public health work in times in calm and times of crisis. Everyone benefits from knowing how many cases of infectious disease there are and where they are located.

Amwell (formerly American Well) has launched a national coronavirus telehealth response program, urging patients and health care providers to see telehealth as a “first line of response” against the pandemic. Amwell cites the CDC’s own guidance to first responders, health care providers, and health systems to use virtual care as a “force multiplier” in the public health response to the outbreak.

To be sure, we need more public health resources to head off this outbreak. We needed them back in December, when the writing was on the wall, and we will still need them when this outbreak is over for the millions of Americans who lack access to basic health services. We also need disease surveillance on a global scale. If accurate data about this emerging outbreak had been available from the start, and the public health system had been equipped to begin preparing for it three months ago, we might be looking at a less-alarming situation today.

But when for-profit telehealth companies are our first line of defense, and we agree to let them function as a health-screening service before we can access direct patient care, we give up a lot of data for uses that may not actually benefit us. Virtual health companies like Teladoc and Amwell are required to follow privacy rules laid out in the Health Insurance Portability and Accountability Act (HIPAA) when it comes to protected health information like patient names, addresses, dates, diagnoses, and more. Yet telehealth companies, like other technology companies moving into the health care sector, can technically guard patients’ protected health information while still profiting from their data.

As we have seen with Facebook’s approach to handling sensitive data in patient groups on its site, a company can easily say it won’t sell or share personal health information while still exploiting users’ data by tracking where they go — both on and off the site — what they “like,” and where they click, then mining the resulting datasets that surround the personal health information — essentially the metadata — while technically observing the letter of the law.

As Amwell’s privacy policy states, “If you access third-party services, such as Facebook, Google, or Twitter, through the Services to login to the Services or to share information about your experience on the Services with others, these third-party services may be able to collect information about you, including information about your activity on the Site, and they may notify your connections on the third-party services about your use of the Site, in accordance with their own privacy policies.”

The policy goes on to warn users that if they find their way to a public section of the platform, “any information you share there can be read, collected, or used by other users of these areas.” Will it be obvious to users when they cross the threshold between private and public? My guess is no.

Since we know that no one actually reads privacy policies or terms and conditions, few users will have any idea that their health disclosures, while technically protected by HIPAA, may also be shared with Facebook, Google, or Twitter.

Here’s a likely scenario: A third-party company knows that a user clicks on a particular category of interest on the Amwell “Conditions” drop-down menu, such as “Anxiety” or “UTI.” Amwell isn’t prohibited from sharing which conditions a user clicked on, and using that to feed him or her ads about those conditions, or steer the user to particular search results on those topics.

In a similar vein, the Teladoc privacy policy says the company will use cookies to track a variety of user behaviors, including “pages you view before and after you leave the website.” The policy does not specify for how long the company will continue to collect information about sites you visit after leaving Teladoc, nor does it specify how or why that data might be relevant to the health care you receive from the company. Amwell also acknowledges the use of “cookies, pixel tags, Local Shared Objects, and similar technologies” to automatically collect all kinds of user data.

As we know from Facebook’s and Google’s entry into the health care sector, third-party companies, as well as the virtual health companies themselves, want to track their users’ data for reasons other than simply to enhance their websites and their customers’ experiences. As happens with disturbing regularity, we won’t know what is really being done with our data until a scandal breaks, because the regulation of personal health data outside of HIPAA protected zones is virtually nonexistent in the U.S. What we do know is that patient information is tracked and aggregated on the web and bought and sold by data brokers, which represents a particularly lucrative part of the vast monetization of the social web.

It is difficult to opt out of this data capitalism system. But the fear inspired by the coronavirus pandemic shouldn’t force people to make a data privacy deal that works against their long-term well-being. We are all being asked to make some compromises for the greater good right now, including sacrificing some personal privacy so health officials can track the spread of the coronavirus. That may be necessary for the duration of the pandemic.

But once the crisis has passed, we should not allow our nation’s failure to provide adequate resources for public health to create a mandate for private companies to profit from our collective vulnerability.

If virtual health care companies really are our first line of response to this and future pandemics, then we need a new response.

Kirsten Ostherr, Ph.D., is a professor and media scholar trained in public health, director of the Medical Humanities Program, and director of the Medical Futures Lab at Rice University in Houston.