How do I protect my privacy for telehealth / telemedicine appointments?

TL;DR:

I have upcoming medical appointments, and they will be via telehealth, meaning that they will be remote via video conference.

How do I best protect my privacy?
How do I share my concerns with my doctor?

My Experience with Telehealth: No Privacy-Friendly Tools

I had my first telehealth appointment 6 months ago, and it was over Zoom. There was no alternative available. First, because that’s what my doctor uses, and I am confident that she or her office has a paid Zoom subscription.

I have tried BraveTalk for one-on-one personal meetings with heads of organizations, and most of the time it was a disaster. It’s too buggy. My meetings were scheduled weeks in advance, and multiple times we’ve had to stop using Brave because it just didn’t work.

We couldn’t move to another platform because we had already wasted so much time over technical issues. I felt extremely embarrassed because I was the one who suggested BraveTalk. The people I asked to meet are also very busy people, and I felt like I wasted their time. We didn’t get to fully discuss what our meeting was supposed to be about.

Why Proton Meet won’t cut it

Ideally, I would want to use Proton Meet, which thankfully officially launched for everyone yesterday. However, the free version of Proton Meet is too limited for me, and the paid version is too expensive.

Even if I were able to pay for it, for a medical appointment, the doctor needs to be the one who hosts the meeting, not the patient. And my doctor is not going to sign up for Proton Meet just for me. Our meeting will be over an hour long.

Proton Meet is also untested, and I don’t want to waste my doctor’s time, which is precious. It took me months to schedule an appointment with her. She is extremely busy with tons of patients. She also has a unique field of specialty that would be hard for me to find elsewhere.

Doctor uses AI

Another privacy concern I have is that my doctor uses medical electronic health record (EHR) software that is powered by AI. It takes notes for her when she talks, and it might do the same when I talk. There is a good chance that our meetings will be recorded, which I don’t mind. But what I do mind is having that recording shared with third parties.

Other third parties involved

My doctor, who is highly credentialed and sought after, also works in academia in a lab, and does work for top universities and big foundations like the Bill & Melinda Gates Foundation. I don’t want my data being shared with the latter. With their consent, my doctor showed me over Zoom the medical records of some of her patients to help me understand the type of work that she does.

I feel like my best option is to use Zoom, but to ask for certain features to be off, if possible.
There’s also no way I could ask my doctor to stop using the medical software she uses because that is standard. At best, I could ask her to disable the AI, if it is at all possible.

What would you do in my shoes?

In my view, privacy goes out the window when it comes to medical help. You can’t control how you get help nor can the doctors or the institutions make exceptions for you.

One wants help but also wants to dictate how they get help. Nah. That’s not happening. So you either have to agree to the terms of the medical service provider or not seek the same for yourself.

You have HIPAA protections. That’s all you get in the US.

Nothing. Get the help I want however I can get it and move on. I wish there was a better way.

The most I think you can do is ask your provider if there are things you can opt out from - data sharing and whatnot. That’s the only thing I can think of.

That’s an interesting take. So for you, it’s about prioritizing the care that you need above everything else. I can appreciate that.

Do you really think there is nothing patients can do to get better privacy?
Not even in the long run?

To me that’s too pessimistic, even defeatist.

If your doctor uses Gmail you’re not going to take precautions by sending them an encrypted email or password-protected PDF?

Yes. I will definitely do that.

Have you ever experienced telehealth?

I am not in the US. But like most people, I live in a country where there are data protection laws, even for medicine. But when you have many doctors using Gmail, what do those laws actually mean?

I’m not sure what the concern of using Zoom would be. E2EE is ideal but it’s very unlikely for attackers to record and sift through calls like that. They’d go after the actual medical notes and any other data included on your file such as media. To me, them storing a recorded E2EE call is probably riskier than not recording a non-E2EE call. In any case, you can’t control where/how they store medical notes so you’re at their mercy in that regard.

Where I live, they allow you to opt-out of involving AI in meetings. I’d just ask to opt out of anything related to AI, data collection, and data sharing.

I’m less worried about attackers, and more about my data being shared with third parties I don’t know or trust, including Zoom the company. I don’t want any of my data, including my voice to be shared with Zoom, or any software company that my doctor uses.

I will definitely inquire about that, thank you.

Have you had any experience with telehealth?

Ah that makes more sense. Unfortunately, select instances of Jitsi Meet (such as BraveTalk) are the only practical alternative I’m aware of. I wonder if you ran into issues due to E2EE being enabled as it’s still experimental on Jitsi Meet and only works on specific platforms. Disabling E2EE may resolve the issues you ran into?

When using Zoom, I use it in a dedicated Brave or Chromium + uBOL browser profile while signed out and connected via VPN. I’m not familiar with all the forms of data Zoom collects; you’d have to read their privacy policy to be sure of how bad it is.

Last I checked, which was a long time ago, BraveTalk is not E2EE. They are working on it, but they haven’t implemented it yet. I haven’t checked in a while so it’s possible that has changed. But when BraveTalk was being super buggy with me, they did not have E2EE.

Yeah, I’ll have to check what options I can opt out of with my doctor.

I was in a similar situation before. What I did was set up a Jitsi Meet instance on a VPS, then asked the doctor if it was ok if we used that instead of WhatsApp (in my case) and explained why. They agreed. An advantage of Jitsi Meet is that it is a web app and whoever you are talking to does not have to install anything or create an account or whatever, so it’s relatively easy for them.

Yes. I believe BraveTalk is based on Jitsi, and did not require the people I invited to install anything. I vaguely remember trying Jitsi before BraveTalk launched, and had some trouble using it.

What are the differences between Jitsi and BraveTalk?

All that being said, my appointment is a thorough consultation. The doctor will make presentations, share her screen, etc… If it was just talking, I probably wouldn’t mind hosting the conversation, but since there is a lot of preparation on her part, they need to be hosting.

As far as I understand it:

Jitsi Meet is the open source software for video conferencing/meetings. It has to run on a server that you connect to with your browser.

There is an official instance that Jitsi hosts.

Brave Talk is another public instance of Jitsi Meet (maybe with some modifications?) hosted by Brave.

Sadly medical privacy and doctor-patient confidentiality seem to have become a thing of the past.

For perspective, electronic health records, AI and non-E2EE medical communications are recent erosions of privacy. There are public health insurance billing records, insurance companies, prescription records, mandatory reporting laws etc, all of which vary wildly by jurisdiction, that may be worth considering too.

I cannot speak for you because I don’t know your medical conditions or logistics. I can’t add any useful comments vis-a-vis Zoom, Proton Meet etc. If I could convince my doctor to do telehealth over Signal or my own Jitsi instance, I may try that. Most likely I would go to the clinic and consult with them physically, not do it over telehealth.

The general advice, even in the privacy community, seems to be seeking medical treatment without hesitation. However, in my case I need to evaluate the risk of seeking vs. not seeking medical treatment. Without going into detail, without medical privacy, having a red-flag medical condition or subpar general health on my record may become my death sentence.

If you are in the US, you could try seeing a medical clinic that is part of The Wedge of Health Freedom. They affirm patient privacy and support cash payments but I have no idea how far they go to protect patient privacy in practice.

Contrary to popular belief, HIPAA does not protect patient privacy. This video by Naomi Brockwell (YouTube, Odysee, thread) explains the myth.
