The following is a guest post by Roy Huggins, MS NCC.
Roy Huggins, MS NCC is a counselor in private practice and former professional Web developer who also operates Person-Centered Tech, his tech-consulting firm that serves the mental health community. You can find him online at www.personcenteredtech.com.
With the growing popularity of telemental health (sometimes called “Skype therapy”), it’s a wonder that it isn’t easier to identify which software we should use to perform these services. Here I will try to provide some clarity on that subject.
Types and Mediums of Telehealth
The classic telemedicine model is what I call a “clinic-clinic” model, wherein the client would be in a clinical setting, surrounded by health care professionals, using a special setup of cameras and software that are designed specifically for telehealth. Many of us are more interested in what I call a “clinic-home” model, wherein the client is in their home, handling their own local technical needs and, potentially, clinical needs that can be provided remotely. This article will focus on that model.
There are several mediums for telehealth in use. The two most popular I know of are email and videoconferencing. When we speak of “Skype Therapy,” we are referring to telehealth service by videoconferencing software. Since most of us are interested in video, that is what I will focus on.
Some mediums may be restricted for some clinicians. For example, social workers in Louisiana are not permitted to perform email therapy or to use any therapy medium that is “conducted through the exchange of typed or printed data, E-mails or instant messages” (Louisiana State Board of Social Work Examiners, 2009). I suggest you investigate your applicable laws and rules before settling on a medium.
Professional guidelines covering telehealth ask us to develop, as the American Psychological Association’s (APA) telepsychology guidelines put it, our “professional and technical competence” regarding both our chosen telehealth medium and the process of telehealth therapy itself (American Psychological Association, 2013). The NBCC guidelines and NASW/ASWB guidelines also ask us to do this (NASW, 2005; ASWB, 2005; National Board for Certified Counselors [NBCC], 2012).
What Video Software Should I Use?
When choosing software, we need to consider if it is secure enough to meet ethical and legal standards, if it plays well with the HIPAA Business Associate rule, and if it has the features we need.
This may be a little more complicated than it seems. Skype and Facetime have fallen out of favor, especially due to recent changes in the HIPAA Business Associate rule. Luckily, easy replacements are available. Also, your specific software needs can change depending on the population you serve.
“HIPAA Nothin’!”: Our Ethics Codes Have Plenty To Say About Electronic Security
When we think about mandates around “digital confidentiality,” as I like to call it, we tend to think of HIPAA. However, this is as much an ethical issue as a legal one. All the major professional ethics codes ask us to use security measures when dealing with electronic client data. National ethics codes that call for protection specifically of electronic info include the AAMFT, ACA, APA, NASW and NBCC codes.
The HIPAA Security Rule also contains a basic mandate that we must secure our “electronic protected health information.” Specifically, The HIPAA Security Rule defines a standard called the Transmission Security standard:
[Covered entities must] Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
(US Dept. of Health and Human Services, 2006) Emphasis mine
I emphasized the word “technical.” “Technical” security measures would be stuff you do with software or hardware to protect sensitive information. In the case of videoconferencing software, we’re looking at needing software that encrypts the calls and that requires that everyone involved in the call authenticate themselves – “authenticate” is a fancy way of saying that they have to prove they are who they claim to be. Generally, we do this by entering a username and password. The other advantage of video software is that we can additionally authenticate clients simply by seeing their faces on the screen.
When HIPAA Does and Doesn’t Matter
Alert readers may have noticed in the above HIPAA quote the words, “covered entity.” That is a piece of HIPAA jargon that refers to any person or group that is legally required to comply with HIPAA. Many of us are starting to learn that simply being a health care professional does not automatically make one a HIPAA covered entity. For more information, see my article on HIPAA covered entity status.
HIPAA doesn’t always rule the roost, however. For example, the 2013 HIPAA Omnibus Rule clarified that if clients wish to receive emails that contain their protected health information, are subsequently informed of the risks of email, and still wish to receive them despite the risks, they may consent to the use of unsecured email to send them protected health information. (Huggins, 2013). However, all the professional guidelines regarding telehealth ask us to use secure communications for therapeutic exchanges regardless of client consent (APA, 2013; NASW & ASWB, 2005; NBCC, 2012). Licensing boards often have something to say on the issue, as well. For example, my licensing board specifically requires encryption for therapeutic exchanges in their rules regarding Distance Counseling. (Oregon Board of Licensed Professional Counselors and Therapists, 2011)
This means that even though HIPAA’s love of client autonomy may imply that non-secure video software could be used if the client consents to it (assuming there is no Business Associate relationship – more below), ethics codes, professional guidelines, and in many cases state laws and licensing boards would disagree that non-secure software is appropriate for us to use when performing telehealth services.
HIPAA Business Associates: Where Things Get Rigid
When we apply HIPAA’s standards to our security planning, we get a rather flexible paradigm of reducing risks to reasonable levels. That is, except for when the Business Associate rule gets involved.
In short, HIPAA Business Associates are persons or companies who provide services for your practice wherein they handle your protected health information. HIPAA requires us to get a Business Associate contract with such folks in order to be in compliance. For details, see What is a HIPAA Business Associate Agreement?. The 2013 HIPAA Omnibus Final Rule made the Business Associate rule tighter and gave Business Associates greater responsibilities. As a result, we have fewer options around which “cloud”-based services we can use and still remain HIPAA compliant. This is a deep issue, and if you wish to know more, see Online Data Backups and HIPAA Compliant Practice: A Government-Produced Monkey Wrench.
An important part of the BA rule is the “conduit” exception. This allows companies that only move your protected health information from one place to another to perform this service without taking on a BA relationship with you. The classic examples are the USPS and other courier services as well as Internet Service Providers – the companies that provide your Internet connection. Because of the conduit exception, none of these groups are HIPAA Business Associates.
The 2013 Omnibus Rule tightened the conduit exception. The Office of Civil Rights (the federal government’s “HIPAA people”) made it clear that just moving info from one place to another is not enough to make a service qualify as a conduit (and thus not qualify as a BA.) They have to also be unable to look at the data as they move it. In other words, the info has to be encrypted and the company has to be unable to unlock the encryption. (Reinhardt, 2013) This is why Skype and Facetime are no longer viable for telehealth under HIPAA.
Wait, Skype and Facetime Aren’t HIPAA Compliant?
It’s important to remember that products cannot be HIPAA compliant or non-compliant. Only people can be HIPAA compliant (or non-compliant.) The proper question is, “Can we use Skype or Facetime and stay HIPAA compliant?”
Skype’s security has been roundly criticized by some as insufficient for our compliance needs, (Maheu & Mcmenamin, 2013) but others have argued that steps can be taken to reduce the security risks of Skype to acceptable levels (Sleeman, 2011). Facetime is similar to Skype but only works on Apple products. Apple is notoriously tight-lipped about the security schemes their products use, but it is certain that Facetime uses encryption to protect calls.
However, both of these pieces of software allow their owner companies (Microsoft for Skype and Apple for Facetime) to unlock the encryption and see and hear the calls they transmit. We know this is true with Skype because law enforcement officials have stated that they can get access to Skype calls when they need to. For Facetime, the underlying architecture of it makes it extremely likely that Apple could monitor calls if they chose to. These simple facts cause these services to not be “conduits” and thus they become BAs. Because neither company will supply us with a Business Associate contract when we use their products for telehealth, we would be in violation of HIPAA to use them for telehealth services.
Remember that Business Associate relationships are between clinicians and the companies that qualify as our BAs. The client is not a part of this equation. Thus, client consent has no bearing on whether or not we’re required to get a Business Associate contract with a given company. This is why I say that the Business Associate rule is highly rigid.
Do I Have to Use Expensive Software to Do Telehealth, Then?
I often recommend, as an alternative to Skype and Facetime, VSee (www.vsee.com). VSee is simple, free (or cheap) and easily downloaded and installed, just like Skype and Facetime. However, it is friendly not only with HIPAA but also with the American Telemedicine Association’s guidelines for video software in telemental health. For further info, see my article on both VSee and the problems with Skype and Business Associate rules.
VSee is not the only option, however. There are many platforms for doing telehealth that are as inexpensive as $40/mo. You often also get extra features such as secure billing, secure messaging with clients, and – very importantly – Business Associate contracts. These platforms can be a good investment in creating a solid telehealth practice. For browsing available platforms, I generally recommend Jay Ostrowski’s Telemental Health Comparisons website.
What Features Do I Need In Video Software?
The American Telemedicine Association has published guidelines on what video software should be able to do, where possible, when used for telemental health. Several of the features they describe require that there be special hardware on the client’s side of things. Generally, we would need to be doing clinic-clinic telehealth for that to be possible. Many of the ATA’s other recommendations can be met by software for clinic-home sessions, however, and thus we can look for those features in our software. Here is a sampling of the more important features to look for according to American Telemedicine Association, 2009). Comments in red are mine:
- View and share a computer desktop or applications. This means the software can allow call participants to selectively show each other what is currently on their computers. I often use this to collaboratively make notes or do exercises with clients. A lot of programs, including Skype, can do this.
- Record meetings when clinically appropriate and with patient permission. Depending on your needs as a clinician, this can be a deal-breaker. Most clinicians under supervision, for example, need to be able to record sessions.
- Share information on a common white board or via computer files. Once again, many programs accomplish this through interactive screen sharing (item 1.)
- Ease of use with minimum operator training. This is a must not just for clinicians, but also for clients. Even if your technical proficiency is high, delivery to the home means the client must handle many of their own technical needs. For this reason, quite a few clinicians only use video software services that offer live, 24-hour tech support. All the online group therapists I know of see technical support as a must-have. Note that only non-free services will offer technical support. In other words, you won’t get it from Skype, Facetime, or VSee.
- On screen messages to notify the user of such conditions as loss of far end video, incomplete or dropped connections, mute/unmute etc. This feature allows both clinician and client to know the current conditions of the call, especially if the Internet connection is going bad. Bad connections can mean choppy video or audio or even a dropped call. I am careful to avoid delicate clinical interventions when my software’s indicator is telling me that the call connection is going through a rough patch.
- Ability to operate at a bandwidth of 384 Kbps or higher.This means the software should be able to work on a somewhat slow Internet connection. It’s worth noting that Skype does not do this well, and VSee’s most noted feature is that it does this very well.
I’ve never seen low-cost software that includes all these features, but most telehealth-oriented video software includes most of these features.
What Else Do I Need to Do or Know?
The topic of this article — Security and features of videoconferencing software – is only the tip of the iceberg. Also vital is informed consent; culturally, linguistically, and regionally relevant emergency plans; cross-state practice issues; getting paid, and more. These things do not have to be daunting at all, and may be more or less difficult to accomplish depending on the skills and resources already at your disposal.
How Do I Learn More About Telehealth?
All the professional guidelines on telehealth practice make reference to a need to develop “professional and technical competence” in both the process of telehealth and the use of the relevant technology. There are some places where you can get formal training on this, listed in alphabetical order:
Disclosure: I have courses with the Zur Institute that may be included with telehealth education packages, and from which I will receive royalties.
I also have courses you can take online. Issues of telehealth technology are generally included with other technology-related topics including HIPAA compliance and practice management:
I also use my newsletter to keep readers abreast of the fast-changing landscape of digital confidentiality. You can subscribe to it at www.personcenteredtech.com.
American Association of Marriage and Family Therapists. (2012). Code of Ethics . Alexandria, VA: Author.
American Counseling Association. (2005). Code of Ethics . Alexandria, VA: Author.
American Psychological Association. (2010). American Psychological Association Ethical Principles of Psychologists and Code of Conduct . Washington, DC: Author.
American Psychological Association. (2013, July). Guidelines for the Practice of Telepsychology. Author.
American Telemedicine Association. (2009). Practice Guidelines for Videoconferencing-Based Telemental Health. Author.
Huggins, R. (2013, October). Clients Have the Right to Receive Unencrypted Emails Under HIPAA. Retrieved October 17, 2013, from Person-Centered Tech.
Louisiana State Board of Social Work Examiners. (2009). Consumer Information Regarding Distance Therapy. Retrieved October 17, 2013, from Louisiana State Board of Social Work Examiners: http://www.labswe.org/distherapy.html
Maheu, M., & Mcmenamin, J. (2013, March). Telepsychiatry: The Perils of Using Skype. Retrieved October 17, 2013, from Psychiatric Times: http://www.psychiatrictimes.com/blog/telepsychiatry-perils-using-skype
NASW and ASWB. (2005). Standards for Technology and Social Work Practice . Author.
National Association of Social Workers. (2008). Code of Ethics . Washington, DC: Author.
National Board for Certified Counselors. (2012). Code of Ethics . Greensboro, NC: Author.
National Board for Certified Counselors. (2012, July). Policy Regarding the Provision of Distance Professional Services. Author.
Oregon Board of Licensed Professional Counselors and Therapists. (2011). Distance Counseling. Oregon State Archives . Salem, OR: Author.
Reinhardt, R. (2013, February). HIPAA FInal Rule and the Conduit Exception. Retrieved October 17, 2013, from Tame Your Practice: http://www.tameyourpractice.com/blog/hipaa-final-rule-and-conduit-exception
Sleeman, J. (2011, December). Skype Security and HIPAA Compliance. Retrieved October 17, 2013, from HIPAA Compliance IT: http://www.hipaacomplianceit.com/skype-security-and-hipaa-compliance/
US Dept. of Health and Human Services. (2006). HIPAA Administrative Simplification. Washington, DC: Author.
US Dept. of Health and Human Services. (2013). HIPAA Omnibus Final Rule . Washington, DC: Author.