Telemedicine, the notion of providing medical services remotely through the use of telecommunication technology, has changed the scope of health care provision.
People are no longer limited to doctors or therapists who are close to them. Today telemedicine and telepsychology are quickly becoming a respectable form of practice, and offering medical services from a distance using state-of-the-art telecommunications technologies like video conferencing software is often considered as effective as traditional methods of health care provision.
As teletherapy and virtual care technology continue to enrich the mental healthcare landscape, there are also a lot of concerns regarding the security of these forms of practice. Specifically, the proper protection of patients’ privacy is a key issue. When data is transmitted and stored digitally, there is a risk of it being accessed by third parties who may not be authorized to view it.
Of course, no video conferencing technology is completely without vulnerabilities, but therapists and mental health specialists considering video solutions do have one important standard when trying to choose safe, private systems for their practices. That industry gold standard is HIPAA compliance.
Video Conferencing in Mental Health
Video conferencing has been a great aid to mental health services by removing the necessity of physical proximity. Patients can access mental health services from virtually anywhere in the world thanks to the development of web-based and digital technologies.
In the beginning, users needed more resources to benefit from video therapy (a personal computer and a webcam); however, the prevalence of smartphone apps has made it even easier to talk to a therapist from anywhere in the world, at any time.
Research shows that many mental health issues can be successfully handled using video conferencing technology. There is even evidence that suggests video conferencing therapy can provide the same results as face-to-face therapy, making it a good alternative to traditional therapy.
As technology evolves, so will the prevalence of video conferencing in mental health services. But before that can happen, it will be essential to work out how software design can ensure the safety of patient data.
HIPAA and Technology
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law protecting the privacy of an individual’s personal health information, while at the same time allowing certain relevant parties to access the same information so as to enable the provision of health services.
One such example is insurance companies that may need to view health information of a patient in order to reimburse the cost of treatment.
HIPAA offers a set of guidelines and requirements for how patient information should be kept private. With regard to telehealth or information stored on digital platforms, there are two main guidelines to consider:
- The Privacy Rule
This applies to protected health information that exists in any form, such as paper, oral, or electronic. It covers the instances in which this information can be used, who is authorized to access it, and what the patient’s rights are regarding their personal health information.
- The Security Rule
Applies to protected health information that is stored electronically, and mentions that it must be protected by “administrative, physical, and technical safeguards.” It sets standards on what measures should be taken to keep electronic information private.
- The HITECH Act
The HITECH Act was added specifically for telehealth data management purposes, strengthening the provisions of the Privacy Rule and Security Rule even further by defining specific violations and associated penalties.
HIPAA regulations are designed to protect the patient and all information pertaining to their health, including their mental health history, which may be stored in a database such as an electronic health record (EHR). There are clear guidelines that tell therapists and mental health specialists what measures need to be taken to properly store and transfer data through digital means.
These guidelines include:
- How to use the data
- The necessity of encryption
- Authentication requirements
- Audit trails
- Server security.
HIPAA and Video Conferencing Software
When it comes to video conferencing programs, HIPAA standards fall under the responsibility of both the health care provider and the vendor who offers the software. For that reason, some of the most popular providers of video calling technology such as Skype are not recommended for use in mental health provision. These providers excuse themselves from the responsibility of keeping up with HIPAA regulations regarding privacy and data protection and therefore are not safe for use in medicine.
Vendors that are HIPAA-compliant have specifically designed their products and services to be used in telehealth format. The key technological criteria that define HIPAA-compliant service provision of telemedicine are explained below.
Virtual care practitioners cannot assume it is only themselves and clients present in the virtual therapy room. Digital data transmissions can potentially be intercepted by outside parties.
Encryption is a process that scrambles data transmissions and makes them difficult for third parties to understand. Video conferencing software that encrypts data will automatically decrypt it when it reaches those for whom it is intended and who are authorized to view it. The authentication can be something as simple as logging into the teletherapy platform or mobile app. As an authorized recipient, you would enter your credentials, typically a username and password, and access the data.
- Peer to Peer Networking
A peer-to-peer network connects two computers directly, without having to go through a central server, and is considered the most secure way to transmit sensitive information. Remote servers cannot be fully secured, which means they are always vulnerable. But if servers are removed from the process of data transmission, then this vulnerability does not exist.
- Local File Storage
The responsibility for the storage of patient data rests with the practitioner and should never be left to a vendor. Third-party storage of health information is in direct violation of HIPAA standards as it allows for access to data beyond the client/practitioner relationship. Instead, all the data (videos, chat texts, client files, etc.) should be stored locally on the health care provider’s side, and therefore not be accessible to the vendor, who should be responsible only for the transmission.
Of course, this also means that the users with access to the data (the mental health specialist, as well as the patient), are individually responsible for the security of the data stored on their computers. The accountability of cloud service providers (CSPs) is also a pertinent issue in the research.
While mental health providers have HIPAA regulations that offer guidance and solutions to potential security issues, patients should also take care and make sure their sensitive information is not accessed through their personal devices.
Video Conferencing Software: What To Look For
Using just any conferencing app or video therapy tool, no matter how popular, isn’t ideal as it may expose practitioners to a lot of risks. So if you plan to use Skype, do so at your own peril. But if you’re seriously shopping around for video conferencing software, here are a few questions you should ask:
- Is It Comfortable and Convenient?
Video conferencing in therapy has the added benefit of making services more accessible and convenient, and it should be an enhancement to a practice. Before you invest in any blended care technology, consider the level of technological literacy, both your patients’ and your own as the therapist. If the system is too complex, it may require additional training and be associated with additional costs, not to mention frustration.
- Is the Software HIPAA-Compliant?
Some unscrupulous video conferencing providers will claim that their programs do live up to standards imposed by HIPAA, but it’s important to look into the specifics of what that means in practice. A HIPAA-compliant video software should offer the following, at least:
- Authorization protocols/alternatives
- Peer-to-peer networking
- Local file storage
Software that does not offer these basic privacy requirements may not be a good fit and may expose both the therapist and the patient to risks.
- Who Uses This Software?
A good sign that the vendor is reputable is that other well-known mental health providers are also using their products. This speaks to the vendor’s reputation and can help you make an informed decision.
The Limitations of HIPAA
Using HIPAA-compliant video conferencing software not only reduces the risk of the data being breached by a third party that has something to gain from personal medical information stored in an electronic medical record or similar, but it also allows for better management of data and storage of information. Though a video conferencing software may do all it can to be HIPAA-compliant, it is important to realize that some level of risk always remains.
The most common reason why electronic personal information gets in front of unauthorized eyes has nothing to do with the particular software used. It is actually caused by a very human factor and most often done by employees of healthcare providers who are “snooping on healthcare records of family, friends, neighbors, co-workers, and celebrities”.
Such transgressions, according to official HIPAA sources, can take on different forms:
- Emailing personal health information to a personal email account;
- Leaving devices that can access such information unattended;
- Releasing information to an unauthorized individual;
- Downloading information on an unauthorized device.
Many of these are done by mistake, but they do show how important it is for all individuals with access to patient information to receive proper training on how to handle it, and how to make sure it is secure.
Most of the other potential risk also has to do with the mental healthcare provider, such as not conducting a risk assessment or improper disposal of a patient’s personal information.
4 Examples of HIPAA-Compliant Software
A quick Google search for “HIPAA-compliant video conferencing” will return thousands of examples. Offering the bare minimum in data protection isn’t that difficult these days, but even if a vendor places the HIPAA-compliant mark on their website, not all video conferencing products are the same in terms of quality or what they can do to ensure privacy and protection of patient information.
Here are some apps and platforms to consider:
TheraNest is a practice management software that also has an integrated video conferencing service that is HIPAA-compliant.
Patients can receive a secure session link and automatically join the therapist on the portal without the need of them downloading an app, or using credentials to log in.
Good For: Client Conferencing, Practice Management, Treatment Plans
Doxy.me provides free limited services, but their HD video conferencing requires a monthly fee. The platform complies with HIPAA and HITECH requirements.
It can be accessed through all major browsers and has a mobile app you can download and use from the comfort of your phone.
Price: Free – $50 monthly
Good For: Video Conferencing, Practice Management
Simple Practice says their services offer bank-level encryption and security. It is also a practice management software with an integrated video conferencing service that is HIPAA-compliant.
It comes with a rather clean interface which can be easy to use even by someone with lower technical skills.
The video conference component can also send automatic reminders to patients that they have an appointment coming up.
Good For: Practice Management, Client Communications
VSee is a pricier practice management software, starting at $199 a month, that offers an impressive list of services mental health practices can use to streamline their tasks, such as scheduling, intake forms, file transfer, billing, and video calling.
The latter is called VSEE Messenger and offers military-grade security for communicating with patients even over 3G connections. Considering it also has a list of high-profile clients such as NASA and MDLive, the cost seems to be worth it.
It does offer some free options depending on provider size and requirements.
Price: Free – $49 Monthly
Good For: Instant Messaging, Video
Video conferencing will most likely increase in prevalence in the following years, as both therapists and potential patients open up to the idea and start embracing it. And as the technologies evolve, they will also likely become more secure.
However, from the evidence we have now, it seems that being HIPAA-compliant is not enough to ensure the patient’s data is kept safe. Vendors of these apps and platforms, though they can do everything they can to meet federal guidelines, are only one actor in play. Mental health providers also need to show a stronger focus on keeping this data safe.