The conversation on what software can provide a HIPAA-secure online therapy solution has been going on for a while and is still unfolding. With this post we offer our understanding of how best to choose the software to use to see your patients online.
What is HIPAA?
HIPAA is a federal law that protects the privacy of patients’ Protected Health Information (PHI).
At the same time it allows doctors, mental health therapists and other healthcare providers enough access to the information they need to do their jobs effectively.
Among other things, HIPAA establishes several rules that set guidelines for implementing health information technology and exchanging protected health information in an electronic environment. These rules are the Privacy Rule, the Security Rule and the HITECH Act.
What does it Mean to be HIPAA Compliant?
The Privacy Rule applies to PHI in any form, whether paper, verbal, electronic, etc. It requires covered entities to put in place “administrative, physical, and technical safeguards” for protecting PHI. It also describes the cases in which PHI may be used, when authorization is required, and what rights patients have with respect to their health information.
The Security Rule applies only to PHI in electronic form (E-PHI) and builds on the Privacy Rule requirements. The Security Rule sets standards for the processes and technical security measures that an entity under HIPAA should take to keep PHI private. It describes acceptable ways to “implement basic safeguards to protect E-PHI from unauthorized access, alteration, deletion, and transmission.”
In particular, the Security Rule requires companies to have a well-defined set of internal practices for managing E-PHI, including risk management practices; administrative, technical, and physical safeguards for E-PHI; appropriate organizational requirements; and documented policies and procedures.
The HITECH Act adds additional substance to the HIPAA Privacy and Security Rules. It details levels of violations and penalties. It also mandates periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules.
As examples, in online therapy, HIPAA considerations may involve:
- Making sure unauthorized third parties cannot record or listen in on a videoconferencing session
- Making sure that any recorded video conferencing sessions are stored and identified in a secure and proper manner
- Having procedures for initiating and receiving video calls
Video sessions are not the only piece of an online therapy site that is affected by HIPAA. Other areas include the content of text chats, any files transferred, therapy or progress notes stored by the therapist, and the profile information and medical history saved by the patient.
Who must follow HIPAA?
Two categories of entities must follow HIPAA:
- Covered Entities – Health care providers, health plans, and health clearinghouses
- Business Associates – an entity that provides a service or function for a covered entity and requires access to PHI in order to do so. Examples might be an online therapy website like eTherapi.com, an accounting firm or an independent insurance biller.
For a Business Associate to be considered as such under HIPAA, the Covered Entity and the Business Associate must enter into a contract called a Business Associate Agreement (BAA).
OK… so is Skype HIPAA Compliant to Practice Online Therapy?
Let’s rephrase the question: “Can a therapist be HIPAA compliant if she/he uses Skype to conduct therapy sessions with patients?”
The short answer: NO.
And this is not because Skype is an unsafe medium for transferring information. In fact, Skype states that it has implemented a variety of physical, technical and administrative safeguards (including encryption techniques) to protect the confidentiality of any information transferred via Skype.
However, while Skype and similar services often keep records of information that qualifies as protected health information (such as the IP addresses of the therapist and client involved in a call, messages exchanged, etc.), Skype does not provide the necessary assurances that this information will be protected. Under HIPAA rules these assurances would have to include, at the least, a Business Associate Agreement and audit trails that allow users to be informed when confidentiality breaches occur.
Skype does not enter Business Associate Agreements with any covered entity using Skype. In a statement from Harvey Grasty, a spokesperson of the company, Skype says:
“Skype is not a business associate subject to HIPAA nor have we entered into any contractual arrangements with covered entities to create HIPAA compliant privacy and security obligations.”
This is enough of a reason to make a therapist using Skype not compliant with HIPAA regulations.
There is another issue to be considered. In the following statement, Skype states that they reserve the right to disclose private information to some of their affiliates:
“We may share or disclose personal information with other Microsoft controlled subsidiaries and affiliates; and, as necessary, with partners (e.g. telecom carriers, Wi-Fi access services providers, distributors of Skype software and/or Skype products, third party banking organizations or other providers of payment services) and with vendors or agents working on our behalf. For example, companies we’ve hired to provide customer service support or assist in protecting and securing our systems and products may need access to personal information in order to provide those functions. In such cases, these companies must abide by our data privacy requirements and are not allowed to use the information for any other purpose. We may also transfer your data to Microsoft Corporation, who may use it for purposes consistent with those described in this privacy statement. Moreover, we may disclose personal information as part of a corporate transaction such as a merger or sale of our assets.”
HIPAA rules require that a Covered Entity’s Business Associates also have Business Associate Agreements with all of their subcontractors that have access to PHI. In other words, it is not enough for the company we partner with to enter into a Business Associate Agreement with us. All the companies it relies on to perform functions that involve contact with our PHI must also sign Business Associate Agreements with it (the subcontractors do not need to sign these agreements with us, only with the company we deal with directly). Many of the third-party companies that Skype mentions in its Privacy Statement would be legally required to be Business Associates under HIPAA rules. However, because Skype does not want to be a Business Associate of covered entities, it does not have to enter into Business Associate Agreements with any of its affiliates.
How about Apple FaceTime?
The short answer: same as Skype.
Apple at this time does not sign Business Associate Agreements with covered entities.
So… who is HIPAA Compliant?
Here is a short list of websites we know of that claim HIPAA compliance and enter into a BAA with therapists who use their software to practice online therapy:
- eTherapi.com – HIPAA compliant practice management software and online marketplace connecting therapists with patients
- MDlive – They connect therapists and patients via video
- American Well – They also connect therapists with patients