TITLE: hipaalink.net security initial testing

A therapist on another list asked if anyone had experience with hipaalink.net televideo service.

This looks like a promising small company with some neat features at only $9.95 per month. See below first however. I really don’t like that Facebook Connect is being contacted from the client’s browser when they login!

I spent a lot of time fighting to sign-up (had to change my settings to see their Captcha challenges). More of a problem – there was a very basic malfunction in the password selection process. Some “special characters” (you have to have one in the password) would not work (+ and #). I eventually got “-” to work. I got an almost immediate call-back when I sent a message about trouble picking a password (bug in our system, thank you for finding it, our programmers are fixing “special characters” this evening).

Did eventually set-up a 30-day free trial. So I can further tests later if I want to.

I noticed that hipaalink.net/<mysite> works, but hipaalink.net/<mysite> does not – another simple thing for their programming team to fix. (Older people are very used to “www” in front of everything, so this redirect should function.)

I kinda feel like I ought to be charging for debugging services.

I have not actually tried out video sessions yet. I’ve just run Privacy Badger and Ghostery browser plug-ins in both Opera and Firefox. Results:

CLIENT LOGIN PAGE: Privacy Badger: www.googletagmanager.com – cookies blocked fonts.gstatic.com – cookies blocked

Ghostery: Facebook Connect – BLOCKED! Google Tag Manager – allowed

CLIENT IN-SESSION: Privacy Badger: www.googletagmanager.com – cookies blocked fonts.gstatic.com – cookies blocked

Ghostery: Facebook Connect – BLOCKED! Google Tag Manager – allowed

++++++++++++++++++++++++++++++++++++++++++++++++++

THERAPIST LOGIN PAGE: Privacy Badger:

www.googletagmanager.com -- cookies blocked
fonts.gstatic.co -- cookies blocked

Ghostery: Google Analytics – “tracking not detected” it says Google Tag Manager – allowed Google APIs – allowed Google Static – allowed

THERAPIST IN-SESSION: (The same) Privacy Badger: www.googletagmanager.com – cookies blocked fonts.gstatic.co – cookies blocked

Ghostery:

Google Analytics – “tracking not detected” it says Google Tag Manager – allowed Google APIs – allowed Google Static – allowed

++++++++++++++++++++++++++++++++++++++++++++++++

It’s necessary for some cookies and tracking to the functioning of a website. Privacy Badger and Ghostery are both detecting some of this from Google libraries which they choose to allow. I don’t have enough security engineering knowledge to know if these are harmless or not. I do know they are very common on most websites. Yet – Privacy Badger says they are blocking some cookies…

Facebook should not be contacted on the client side! I don’t know what Ghostery is blocking from being sent to Facebook, but this should not be on a HIPAA site. The connection between therapist and client seemed at first glance to work fine with Facebook blocked. I will discuss this with Hipaalink.net before I test it with actual clients. For now I give them the benefit of the doubt. I am told by a computer engineer that Facebook supplies some code libraries (like Google) which websites can use – maybe this is not intentional tracking, just their developers needing to fix this?

There is more tracking taking place on the home page and more public sections of the website than inside the login and televideo areas. So some effort to decrease tracking has been made for actual clients. I see different trackers on the public areas of the website today than I did when I first checked on 7/24/23.

It’s a maybe… But at $9.95 per month hipaalink.net could be a nice option if they clean up minor tracking concerns. Again, I have not tested the video yet.

@psychology @socialwork @psychiatry @psychotherapists

#psychology #neurology #socialwork #psychiatry #mentalhealth #psychotherapists #cookies #tracking #hacking #3rdpartytrackers #hipaa #privacy #dataprivacy #webbeacons #telehealth #video #doxy #healthcare #dataprotection #hipaalink #hipaalinknet

Last updated 1 year ago

2 of 2

Doxy is technically HIPAA compliant according to them and I can’t PROVE otherwise.

In October 2021 – logging in as a CLIENT – I traced (via Pihole and the Lightbeam Firefox plug-in) their website having my web browser contact connections to Google (multiple), Youtube (multiple), Facebook, Doubleclick, Hotjar, Mixpanel, and Segment ad networks/trackers/data aggregators. Heavy additional use of outside support tools from Google, Amazon (their web hosting provider), Cloudflare, Cloudfront, and other outside supporting services.

There was just no excuse for that from a company only providing medical telehealth.

Since then Doxy seems to call on fewer outside supporting services, and last I looked (April 2022) they ran their data tracking services through one specific company – which could then redistribute data to all the above companies. Or not.

The devil here is in what constitutes Protected Health Information (PHI). In 2022 Doxy privacy policies discussed only collecting “anonymized” data and no PHI. Sounds great. However, please see:

Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates hhs.gov/hipaa/for-professional

This HHS and OCR guidance includes the sorts of 3rd party tracking technologies DOXY is likely referring to in their privacy policies.

Then of course, there is this: Yes, someone really did name their service Doxy.me (“Doc See Me” according to the company). There are several double meanings here. Doxx or doxxing – hacker slang for spreading sensitive private information all over the Internet to defame someone. Webster’s Dictionary – Doxy – a prostitute. merriam-webster.com/dictionary

No disrespect intended to sex workers in the use of the possible slur “prostitute” here.

................................
@psychology @socialwork @psychiatry @psychotherapists

#psychology #neurology #socialwork #psychiatry #mentalhealth #psychotherapists #cookies #tracking #hacking #3rdpartytrackers #hipaa #privacy #dataprivacy #webbeacons #telehealth #video #doxy #healthcare

Last updated 1 year ago

1 of 2

TITLE: Doxy.me Privacy Considerations

Here is a posting or two from April 2022 when I took a look at Doxy.me privacy policies in force at that time. I am of course not a lawyer and could misunderstand something. Maybe.

As you read this, please keep in mind: Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates hhs.gov/hipaa/for-professional

This HHS and OCR guidance includes several sorts of 3rd party tracking technologies possibly in use by Doxy.

To be crystal clear – I am NOT accusing Doxy of breaking HIPAA or other laws, sharing PHI, or sharing video content. I am “accusing” them of doing exactly what they allow themselves to do in their “privacy” policy – communicate “de-identified and anonymized” data to 3rd parties having little to nothing to do with the operation of the service. The huge problem is that “de-identified and anonymized” data can be easily reattached to client names by any data broker worth their salt with a big enough database.

– Michael

On Thu, Apr 14, 2022 at 12:54 AM Michael wrote:

doxy.me/en/privacy-policy/

Picture me having an angry laugh (at Doxy, not you) as I read this "privacy"policy. It’s ridiculous.

In summary: They give themselves permission to do quite a lot, and by using their product, you are consenting to it. They say they are “anonymizing” everything – but what good is that if the data can be used to easily reconstruct client identity? They don’t say they are sending along tracking cookie data to 3rd parties, but they give themselves permission to do it.

A few choice pointers:

“This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information—when You use the Doxy.me Service or visit this web site”

Your permission is granted…

“Usage Data is collected automatically… Usage Data may include information such as Your Device’s Internet Protocol address, browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers, and other diagnostic data. However, this Usage Data is de-identified and anonymized and not linked to a particular data. As such, it is not considered personal information; it is incidental to providing the Service.”

Several Internet security sources point out (sorry – I don’t have a reference immediately available) that when data brokers accumulate several data points on you (such as browser type, IP address, “other diagnostic data”) that it can act as a unique fingerprint to figure out who you are. Keep in mind that data brokers track across several websites across time. This is exactly the sort of information that cookies are commonly used for to store and pass along.

Internet Protocol address – If a user happens to have a static IP address, this is a unique identifier of the user. If its not static, it still serves to pinpoint the general geographic area the person is in (unless a VPN is used) and can be combined with other data to identify the person.

Unique device identifiers – Each device (laptop, smart phone, etc.) has a unique serial code that identifies it. If this information is being passed along to 3rd parties, its a unique fingerprint of the person.

Let’s take an easy fictional example – let’s say a client creates a Google account. In the process of creating the Google account, the client enters their name. Let’s say Google also captures their unique device identifier at that time. Now then, if the unique device identifier is passed along to Google whenever that person visits a website (say doxy.me for example), Google knows the name of the person visiting the website because its already in Google’s database.

“de-identified and anonymized” data – Sure. Internet Protocol address, browser type, browser version, unique device identifiers, and other diagnostic data do not have the client’s name attached – or any other PHI data. But so what – the data broker already has a database to readily reattach the client’s name when/if this information is provided.

"We may also collect information that Your browser sends whenever You visit this Website "

Well, I don’t know – does this mean they can capture anything else your web browser is sending out at the time you are connected to their website?

Cookies:
“Any use of Cookies – or of other tracking tools – by Us or by the owners of third-party services used by Us serves the purpose of providing the Service as requested by You.”

Hmmm… Slippery. We are requesting/consenting to anything they do as defined earlier in the document.

From: doxy.me/en/cookie-policy/
" Please be aware that some Cookies are required to use the Doxy.me Service; some are useful but not mandatory to measure and improve performance; and some are used for advertising or marketing activities that customize information based on your interests."

So – yes – they ARE using cookies to advertise and market to our clients.

They do at least promise not to pass along PHI or name information.

They may or may not be passing along the above information to 3rd parties, but my September 2021 investigation showed that their servers WERE contacting 3rd parties (some known to be data brokers / ad networks). SOMETHING was passed along.

– Michael

On 4/13/2022 5:24 PM, NAME REDACTED__ wrote:

Based on Michale’s recent post, I contacted the legal office at doxy.me to ask whether doxy.me does the following:

“Doxy.me reports out cross-site tracking cookies to at least 10+ different services including Google, YouTube, Facebook, LinkedIn, and Hotbot.”

The legal department directed me to their policies here:

doxy.me/en/privacy-policy/

Please look at this page, especially the sections labeled “If You are a Provider” and “If You are a Patient.”

I could not find anything to indicate that doxy.me shares cookies or any other information with anyone.

If anyone can find specific information to the contrary in doxy.me’s policies, please share.

Thank you– NAME REDACTED

..............
@psychology @socialwork @psychiatry @psychotherapists

#psychology #neurology #socialwork #psychiatry #mentalhealth #psychotherapists #cookies #tracking #hacking #3rdpartytrackers #hipaa #privacy #dataprivacy #webbeacons #telehealth #video #doxy #healthcare

Last updated 1 year ago

This is Zoom's privacy policy. It is an amazing piece of legal engineering granting them the rights to buy, sell, and gather just about any data about business users they want -- including listing you in a Business or Professional Profile (the "directory"):

zoominfo.com/about-zoominfo/pr

This is their form to opt-out of all tracking in their database which they use to sell your information to 3rd parties. Somewhat ironically, this page won't work unless you turn-off Privacy Badger and Ghostery web browser plug-ins:

zoominfo.com/privacy-center/up

If you use Zoom at work through a business account and don't wish to be listed, consider opting out. They are also collecting information from around the Web outside of Zoom apparently to help build out your profile.

@psychology @socialwork @psychiatry @psychotherapists

#psychology #neurology #socialwork #psychiatry #mentalhealth #psychotherapists #cookies #tracking #hacking #3rdpartytrackers #hipaa #privacy #dataprivacy #webbeacons #videoconference #televideo #telehealth #zoom #databrokers

Last updated 1 year ago

*TITLE: OT: Amazon's Ring cameras were used to spy on customers**
*malwarebytes.com/blog/news/202

There were some really egregious examples here -- like for a time any
employee could view any video feed.  Also hackers talking back to and
scaring people through their ring cameras.

I am not a technophobe -- in fact, I am looking for cameras for my house
for security reasons.  But I'm trying to figure out first how to run my
own monitoring software on my own servers.

malwarebytes.com/blog/news/202

--
*Michael Reeder, LCPC
*
*Hygeia Counseling Services : Baltimore / Mt. Washington Village location*

  @psychology
@psychotherapists
#ring

#psychology #mentalhealth #psychotherapists #cookies #tracking #3rdpartytrackers #hipaa #privacy #dataprivacy #webbeacons #doorcams #cameras #monitoring

Last updated 1 year ago

Thank you -- This is very interesting! I see the article discusses a lot more than just the ban -- like promising future areas for AI with safeguards.

Meanwhile in the USA, Microsoft is working with one of the largest EHR systems (EPIC) to incorporate AI now. First stop -- writing responses to patient portal inquiries for doctors.

@psychology @socialwork @psychiatry @psychotherapists

@Dinkenfunkle

#psychology #socialwork #psychiatry #mentalhealth #psychotherapists #cookies #tracking #3rdpartytrackers #hipaa #privacy #dataprivacy #webbeacons #ai #chatgpt #australia #epic #microsoft

Last updated 1 year ago

Email2Toot ROBOT -- CHECK ACTUAL AUTHOR BELOW:
See our email listserv for psychotherapists at clinicians-exchange.org
.

TITLE: PHI & Tech: I'm Wary of Tech Companies...

Hi All,

I'm forwarding with permission an email from Laura Reagan, LCSW-C -- a
local Baltimore area clinic owner regarding misuse of client PHI by
BetterHelp, GoodRx, and potentially other companies.

Thanks,
Michael

--- Forwarded Message ---

Hi all!

....

I'm wary of tech companies that are offering these types of shortcuts to
help clients and therapists, but then turn out to be selling client PHI
(even though they claim not to) which is how they really make their
money.
I've heard rumors that some of the companies that claim to give
therapists
better reimbursement for insurance clients are doing this (not
naming names
since I have no proof).

Two companies that have sold data even though their privacy practices
promised they didn't are BetterHelp (they earned $1B last year) and
GoodRx
(the company that helps people get prescriptions for cheaper). There are
surely others, but it seems the FTC is currently catching up now on
things
that happened 2017-2020. Some info is below.

FTC article about what they say BetterHelp did:
ftc.gov/business-guidance/blog

This response from BetterHelp, even as they settled with the FTC,
downplays
what they did and calls it normal marketing practices.
betterhelp.com/betterhelp-resp

FTC article about what they say GoodRx did:
ftc.gov/news-events/news/press

GoodRx issued a statement which I can't even read without agreeing
to their
privacy policy but I can see it says they disagree with the
settlement they
paid $1.5 million for.
goodrx.com/corporate/business/

... Any service that makes therapy more accessible while protecting
people's privacy and giving the best
possible reimbursement (full fee) to the therapist is something I
want to support! Especially because my practice doesn't accept
insurance!

Being trained as a social worker taught me to always ask "who benefits?"
and to answer that question with "follow the money!"

Warmly,

Laura Reagan, LCSW-C
Owner, Baltimore Annapolis Center for Integrative Healing
<bahealing.com>
Integrative Trauma Psychotherapy, Clinical Supervision, Consulting,
Coaching & Training
Founder, Trauma Therapist Network <traumatherapistnetwork.com/>
Host of Therapy Chat Podcast <therapychatpodcast.com>
Host of Trauma Chat Podcast <traumachatpod.com>

--
Merely Forwarded By:
*Michael Reeder, LCPC
*
*Hygeia Counseling Services : Baltimore / Mt. Washington Village
location*

  @psychology
@socialwork @psychiatry
@psychotherapists  

#psychology #neurology #socialwork #psychiatry #mentalhealth #psychotherapists #betterhelp #goodrx #float #therapyfinancing #financing #cookies #tracking #3rdpartytrackers #hipaa #privacy #dataprivacy #webbeacons

Last updated 1 year ago

TITLE: Confusion in Text Messaging, Encryption, and HIPAA

A therapist colleague of mine contacted Ring Central (a video and
telephone platform that provides HIPAA BAA subcontractor paperwork upon
request) with questions about their messaging capabilities and
encryption.  They were looking for a compliant way to text message with
clients.  The support staff directed them to this article:

support.ringcentral.com/articl
<support.ringcentral.com/articl>

At first glance, the article would seem to make messaging with clients
golden as a good level of encryption is described and the therapist has
a HIPAA BAA with Ring Central.  Right?

Wrong.

A few different topics are getting confused here -- smart phone SMS text
messaging, messaging within Ring Central apps and websites, and HIPAA
BAA subcontractor agreements.

With SMS text messaging by phone it will never be HIPAA compliant (even
if the therapist sends it from within Ring Central) because the client
will get the SMS text message unencrypted on their smartphone.

Messaging within the Ring Central apps and website *IS* at an excellent
level of encryption -- but won't be covered by the therapist's HIPAA BAA
agreement unless the people messaged are also part of the therapist's
company account or are other therapists with their own Ring Central
accounts with HIPAA BAA subcontractor agreements.  This will rarely if
ever cover therapy clients.

This gets confusing.  So -- for example -- when I go into my Ring
Central account online and click on "Message" I'm invited to email a
messaging link to anyone I choose.  So far so good.  But when that
person (like a client for example) goes to that messaging link, Ring
Central REQUIRES them to sign up for their own FREE Ring Central
account.  That FREE account WILL NOT be covered by a HIPAA BAA
agreement.  So the messages sent to them (inside a Ring Central app or
website) will be encrypted but not HIPAA compliant.

Similar problem with Ring Central video conferencing.  As long as the
client DOES NOT sign in with their own free account -- and instead goes
to my anonymous video link -- it will be covered under my BAA agreement
with Ring Central.  However, Ring Central invites clients to sign up for
their own FREE account in order to video conference with me.  If the
client makes that mistake, then its no longer a HIPAA compliant video
conference session because only one of our two Ring Central accounts is
covered by BAA.

I sometimes wonder why this all is left in such a confusing state?

Of course, I'm not a lawyer, so do your own research too.
*
Michael Reeder, LCPC
*
*Hygeia Counseling Services : Baltimore / Mt. Washington Village location*

  @psychology
@socialwork @psychiatry
@psychotherapists

#RingCentral

#psychology #neurology #socialwork #psychiatry #mentalhealth #psychotherapists #pharmacy #medicationchecker #drugs #druginteractions #cookies #tracking #hacking #3rdpartytrackers #hipaa #privacy #dataprivacy #webbeacons #voip #telephony

Last updated 1 year ago

While this article from Livestrong has many good points about problems with fitness trackers, I notice that there is one they don't mention -- data aggregator tracking.

Which is a shame since I observe Ghostery and Privacy Badger blocking 6-9 such URLs contacted when your browser visits this article.

The Dark Side of Fitness Trackers
livestrong.com/article/1371666

@psychology @socialwork @psychiatry @psychotherapists

#psychology #neurology #socialwork #psychiatry #mentalhealth #psychotherapists #pharmacy #medicationchecker #drugs #druginteractions #cookies #tracking #hacking #3rdpartytrackers #hipaa #privacy #dataprivacy #webbeacons

Last updated 1 year ago

Signing away most all of your medical privacy rights in order to become
a customer is way uncool and unacceptable:

wapo.st/3p1uTJG

~~~
To become an Amazon Clinic patient, first you sign away some privacy

You agreed to what? The ‘HIPAA authorization’ for Amazon’s new
low-cost clinic offers the tech giant more control over your health
data.

wapo.st/3p1uTJG

--
*Michael Reeder, LCPC
*
*Hygeia Counseling Services : Baltimore / Mt. Washington Village location*

  @psychology
@socialwork @psychiatry
@psychotherapists

#psychology #neurology #socialwork #psychiatry #mentalhealth #psychotherapists #pharmacy #medicationchecker #drugs #druginteractions #cookies #tracking #hacking #3rdpartytrackers #hipaa #privacy #dataprivacy #webbeacons

Last updated 1 year ago

TITLE: Online Pill Identifier: Search by Imprint, Shape, or Color (With
Plenty of Data Tracking)

Thank you Dr. Pope for initial message below.

This is really cool.

It should also be noted that when you use it, the drugs.com server
communicates with -- and sends something about you -- to:

securepubads.g.doubleclick.net
stats.g.doubleclick.net
www.google-analytics.com
analytics.google.com
fundingchoicesmessages.google.com
www.googletagmanager.com
fonts.gstatic.com
www.gstatic.com
ads.rubiconproject.com
sb.scorecardresearch.com

Don't pretend for a moment that what medications you are taking are
likely to remain private.

So load-up Ghostery and Privacy Badger into your web browser and hope
for the best.

-------- Forwarded Message --------

Drugs.com
<dmanalytics2.com/click?u=http%>
provides an online pill identifier service.

 Here’s the announcement:

Pill Identifier

Search by imprint, shape or color

Use the pill finder to identify medications by visual appearance or
medicine name. All fields are optional.
*
*
*Tip:* Search for the *imprint first*, then refine by color and/or shape
if you have too many results.

Here’s the link: drugs.com/imprints.php
<dmanalytics2.com/click?u=https>

PLEASE NOTE: The Drugs.com
<dmanalytics2.com/click?u=http%> site
also provides an interactions checker and other services.

Ken Pope

~~~
Merely forwarded by:
Michael Reeder LCPC
Baltimore, MD

  @psychology
@socialwork @psychiatry
@psychotherapists

#psychology #neurology #socialwork #psychiatry #mentalhealth #psychotherapists #pharmacy #medicationchecker #drugs #druginteractions #cookies #tracking #hacking #3rdpartytrackers #hipaa #privacy #dataprivacy #webbeacons

Last updated 2 years ago