IANAL, but I did health tech for 10 years and had my fair share of interactions with lawyers asking questions about stuff I built.
HIPAA applies to the provider. Patient have no responsibility to ensure the tech used by their care provider is secure or that their medical records don't wind up on Twitter. HIPAA dictates that the care providers ensure that happens by placing both civil and sometimes criminal liability on the provider for not going to great lengths here.
In practice, this means lawyers working with the care providers have companies sign legal contracts ensuring the business associate is in compliance with HIPAA, and are following all of the same rules as HIPAA (search: HIPAA BAA).
Additionally, you can be in compliance with HIPAA and still fax someone's medical records.
Healthcare professionals still use fax precisely because of this.
Analog line fax is HIPAA compliant because it is not "stored"
Using a cloud fax provider will inmediately put you out of compliance for this reason, unless you have a HIPAA compliant cloud fax service, which are rare.
I don’t think the question is about Zoom’s safeguards which are audited, and as you say almost certainly stronger than HIPAA requirements, but rather whether they can use the stored PHI for product development where the law appears ambiguous.
Imo the law basically says you can do this with PHI:
-De-identify it then do whatever you want with it
-use it to provide some service for the covered entity, but not for anyone else
-enter a special research contract if you want to use it slightly de-identified for some other specific purpose
One note is that the act of deidentification itself requires accessing PHI when done retroactively, this may be institutional policy or specific to covered entities but per the privacy office lawyers such access (apart from a small dataset) requires a permitted use to be accessible in order to then deidentify and use freely.
As with all things HIPAA, this only becomes a problem when HHS starts looking and I’m sure in practice many people ignore this tidbit (if in fact this is the law and not Stanford policy).
HIPAA applies to the provider. Patient have no responsibility to ensure the tech used by their care provider is secure or that their medical records don't wind up on Twitter. HIPAA dictates that the care providers ensure that happens by placing both civil and sometimes criminal liability on the provider for not going to great lengths here.
In practice, this means lawyers working with the care providers have companies sign legal contracts ensuring the business associate is in compliance with HIPAA, and are following all of the same rules as HIPAA (search: HIPAA BAA).
Additionally, you can be in compliance with HIPAA and still fax someone's medical records.