Always Listening, Always Leaking?

By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure

Ambient listening technology is growing in many areas and being incorporated into many different applications. What does ambient listening do? It automatically picks up conversations and other sounds around it so they can be processed for one purpose or another.

What happens with the data collected by the ambient listening technology? That depends on the nature of the technology and the nature of the relationship of the user to the application utilizing the technology.

Free Applications

Let’s consider free applications. Free applications could include solutions that are aimed at particular types of users. Since this blog explores healthcare the most, let’s think about healthcare solutions. A popular approach for new ambient scribe technology or similar solutions is to offer a free trial or free use to individual users to get them comfortable with the technology, with the hope of moving into broader use. In those instances, the data collected by the application has one clear purpose: changing the conversation into a written document. However, the data may also be retained for further training of the solution to help produce better reproductions of conversations, or for other purposes that could be set by the developer.

Another potential pathway for a free tool is the incorporation of ambient listening technology into general consumer-facing applications. For example, the different virtual assistants included with almost every smartphone nowadays may be inadvertently triggered and start recording, or some of them could be configured to always be listening. If Alexa or Siri, for example, are always listening, what happens to that data? Is it being stored in a general database? The smartphone virtual assistant may not transmit data off the device, but even if stored locally, that data could become problematic.

Another example of an application with ambient listening is Facebook. There are conflicting reports as to the extent of the listening that Facebook does, but it is important to consider when or if it is listening, whether through an application or the website. Facebook as a service has a lot of connections and stores data in many different ways. None of the storage or use is going to be strictly for the user’s benefit and would certainly turn control over to Meta (don’t forget that that is the company’s name).

Beyond some of the obvious examples, there are very likely a lot of other applications installed on phones or computers that also include surprising use of ambient listening technology. The listening may occur without explicit awareness of the user or clear disclosure. Settings should be checked to understand how and when information is collected.

Subscribed Technology

Another route to the use of ambient listening technology is through a paid subscription or license that comes with more complete terms. Ambient scribing technology again is a prime example of applications that come with a subscription and a clear understanding of how to operate within the healthcare space. When a formal agreement is executed, appropriate terms can be put into place that meet regulatory requirements, and limitations around ongoing use of the data can be negotiated.

Ambient listening technology is creeping into other solutions beyond scribe technology, so it will be important to fully understand when and how the technology is being deployed, refined, and further developed. That should all factor into negotiation of the subscription or other agreement that sets out the terms of use.

Privacy Concerns

Why should users be worried about when and how ambient listening technology is activated, as well as how data are being used? The answer is compliance and protection of the privacy of the sensitive information that is collected or produced during or after an encounter or interaction in healthcare. As everyone in healthcare should hopefully know, patient information can only be used or disclosed in accordance with the parameters established under HIPAA as well as a growing number of state-level privacy laws.

The laws setting parameters around the use and disclosure of healthcare information typically do not allow healthcare information to be shared around without clear guidelines. Using HIPAA as the baseline, a Business Associate Agreement and an underlying agreement need to be in place, executed by someone who has authority for the applicable organization. That usually means an individual employed physician (the target of some companies trying to avoid drawn-out contracting processes) cannot sign on behalf of an organization and validly enable sharing of information. If the appropriate agreements are not in place, then any disclosure of patient information to the ambient listening technology arguably creates an ongoing breach under HIPAA.

That is a quick assessment of the quick road to a regulatory nightmare when an unapproved technology is used. The danger arises from the potential for a bunch of ambient listening technology to be actively listening without users even being fully aware of that circumstance. For example, the technology could be listening from a personal smartphone, or websites left up on a computer could be gathering information. If someone does not even know what information is being collected and when, then the ongoing leakage of data could go on for an extended period of time before being discovered and remedied. Further, a remedy may not even be readily available since the company collecting the information may not see a reason to respond to any request or demand to remove the data. That could be further complicated by removal not being possible if the data is all consolidated into one large database.

What To Do?

The necessary first step is thinking about what devices are present at what point in time, particularly if a device is used in a setting where information about a patient is being collected. Once those devices are identified, first, all applications on those devices should be vetted to understand where ambient listening technology may be included. Second, the settings of the concerning applications should be assessed to determine if the ambient listening can be turned off if an appropriate agreement is not in place.

The assessment and remedial action are very important since a lot of the exposure will probably occur through use of personal devices. It is highly unlikely that organizations could prohibit the use of personal devices, so setting clear guidelines and offering support to appropriately configure those devices need to be considered. If an organization tries to bury its head in the sand, then the potential problem will grow and become unwieldy around that deliberate (or optimistically unintentional) ignorance.

It is not an easy process, but ongoing interaction and education are important components. Sending one message or infrequent messages will not be enough to maintain awareness and keep individuals up to date on where problems may exist. As with any security issue, effort and attention must be persistent and encouraged.

This article was originally published on The Pulse blog and is republished here with permission.