Suppose a licensed therapist whose office is in Ironwood, Michigan, has a client, referred by the patient’s insurance company, who drives twice a week to her office from his home across the Montreal River and 20 miles down Highway 51 in Saxon, Wisconsin. She is the nearest therapist to his home. No problem getting paid or reimbursed, right?
But what if she wants to save her client two 40-mile round trips each week, and conduct her sessions via SecureVideo.com, while her client remains in his home in Wisconsin? Would she be paid or reimbursed? The answer may depend upon whether she is also licensed in Wisconsin, although under certain very limited circumstances, licensees from adjoining states may practice in facilities where an office is customarily provided for them.
Historically, under Article X of the United States Constitution, each state has the authority to regulate activities that affect the health, safety and welfare of its citizens, including the practice of the healing arts within its borders. Laws governing individual health care providers are enacted by state legislatures, with authority to implement the practice acts delegated to the respective state licensing boards. A practitioner must be licensed, or follow state reciprocity rules, in order to work in a state. In light of the increasing popularity of telemedicine, licensure requirements can be complicated. A practitioner has been deemed to be “practicing” in a state when he or she is interacting with a patient who is physically present in that state, while at the same time also “practicing” in the state in which the practitioner is located. Before employing video-conferencing in the practice of any of the healing arts, the practitioner needs to ensure that his or her activity is legally sanctioned and protected.
According to Telehealth Resource Centers®, if a licensed health care provider electronically interacts with a patient in another state, the provider must be licensed or registered (but verify State-specific regulations) in each state in which he or she electronically practices. Practicing telepsychology, or for that matter any of the healing arts, without the appropriate license in the State in which one is electronically practicing may incur civil and/or criminal penalties. As noted above, under certain circumstances, such as emergencies, an exception may be made to the requirements for state licensure.
It seems clear that if our hypothetical therapist using SecureVideo.com is licensed in both Michigan and Wisconsin, she can be reimbursed and/or paid under the Rules of both Medicare and Medicaid. The Veterans Administration has different rules, however, so that, generally, if a practitioner is performing his or her duties in the course of Federal service, he or she is only required to be licensed in one state, no matter where he or she practices.
But, as noted above, due to the increasing popularity of telemedicine, “special purpose” or “limited” licenses may allow health care professionals the option of licensure for the delivery of specific health care services under particular circumstances in addition to holding a full license in the state where they primarily practice. To date, approximately 10 states have adopted some version of a special purpose license for telepsychology practice.
Bottom line? If you are considering on-line therapy, or any of the healing arts, and you anticipate using fully-HIPAA-compliant securevideo.com when dealing with clients who reside in a state different from that in which you hold your license, you should check in with your attorney and/or your licensing authority before undertaking such a delivery of services.
Stephen C. Taylor
In a story that has been developing over the past several weeks, The Guardian disclosed last week that Microsoft has been providing the National Security Agency with access to recorded data collected on Skype, which was purchased by Microsoft for $8.5 billion in 2011.
The files provided by Edward Snowden illustrate the scale of cooperation between a number of Silicon Valley companies and the intelligence agencies over the last three years. They also shed new light on the workings of the top-secret Prism program, which was disclosed by the Guardian and the Washington Post last month.
Microsoft has collaborated closely with US intelligence services to allow users’ communications to be intercepted, including helping the National Security Agency to circumvent the company’s own encryption, according to top-secret documents obtained by the Guardian. In the past, Microsoft has been evasive when asked about the privacy of communications over its popular VOIP platform, but these disclosures have blown the lid off Microsoft’s credibility on the issue. In fact, the recent statement by Microsoft’s general counsel, attempting to rebut the Guardian’s reporting, stated that, “going forward, it assumes Skype calls will be regarded just like any other phone call – mobile or landline.”
It should now be perfectly clear that using Skype for any telemedical communications involving Protected Health Information (PHI) is a prima facie violation of the HIPAA Security Rule.
As our Chief Technical Officer has pointed out, both here and on our website, securevideo.com, we do not record any communications which use our service. All contact between practitioner and patient is direct and unmediated, so there is no way that it can be intercepted or reproduced. Your Protected Health Information is truly protected here.
Stephen C. Taylor
If your practice is currently using a medical teleconferencing service (telemed), or if you are considering using one, you should know that the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the recently-finalized (March 2013) Rules promulgated thereunder, consider the provider of such service to be a “business associate.”
The final version of the HIPAA Rules requires that covered entities (that would be you) enter into contracts with their business associates (that would be us) to ensure that the business associates will appropriately safeguard protected health information. This Business Associate Agreement also serves to specify the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. A business associate may use or disclose protected health information only as permitted or required by its business associate contract, or as required by law.
A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.
If you’ll pardon my side trip into the legal weeds, a Business Associate Agreement must be written, and must:
(1) establish the permitted and required uses and disclosures of protected health information by the business associate;
(2) provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
(3) require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;
(4) require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;
(5) require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings;
(6) to the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation;
(7) require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
(8) at termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity;
(9) require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and
(10) authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.
Elsewhere on this site, my colleagues and I have noted that Skype® is owned by Microsoft, and that Microsoft has not been forthcoming regarding the use to which they might put any information gleaned from the popular VOIP service for which they paid $8.5 billion two years ago. Microsoft does enter into Business Associate Agreements with users of its cloud services, but when it comes to Skype, the company has been evasive. In fact, Erik Kangas Ph.D., a blogger who follows this issue, says flatly:
Skype does not claim any kind of HIPAA compliance and will not sign a required Business Associate Agreement and does not provide the tools to use Skype in a way that allows you to meet your own HIPAA compliance requirements (e.g. auditing). – http://luxsci.com/blog
Stephen C. Taylor
NSA got your data? Not from us, they didn’t.
As any of us who use the internet with any regularity know, information about us is collected every day, via cookies in our computers or loyalty cards in our wallets, by commercial enterprises, communications companies, and social media sites. They know what we eat, what we wear, what we do for entertainment, what causes we espouse, and what tricks our cats can do.
Amid all the furor over metadata collection by the NSA and other security agencies, we thought it would be helpful to our customers to once again emphasize the privacy of any communication between parties to a conversation using SecureVideo.com.
If, at any time, we are served with a request to disclose any information about any customer or that customer’s activity on SecureVideo.com, we will examine the request to determine whether a) it is lawful; b) it is not overbroad in scope; and c) there is any other way for the information requested to be obtained. If we feel that pushback is warranted, we shall push back.
It would appear that such a request would create an inherent conflict between the strictures of HIPAA and the government’s appetite for information, and I think it’s only a matter of time before the issue arises. Meanwhile, our customers should have confidence in the security of their communication using SecureVideo.com.
Stephen C. Taylor
In June of 2012, the Alaska Department of Health and Social Services agreed to pay $1.7 million to the United States Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule arising out of the loss of a portable USB thumb drive containing electronic protected health information (ePHI).
In September of 2012, Massachusetts Eye and Ear Infirmary agreed to pay HHS $1.5 million to settle potential violations of the Security Rule arising out of the theft of a laptop computer which contained a large amount of patient information.
In each case, the HHS Office of Civil Rights charged that the providers had failed to take necessary steps to comply with certain requirements of the Security Rule, including:
- conducting a thorough analysis of the risk to the confidentiality of electronic protected health information (ePHI) maintained on portable devices;
- implementing security measures sufficient to ensure the confidentiality of ePHI that they created, maintained, and transmitted using portable devices; and
- adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices.
Both of these cases involved the theft of devices which contained massive amounts of unencrypted patient data. There was no evidence that any patients sustained any actual damages as a consequence of the theft of any of this information, but damages are not an essential element of the violation, and as one can see, the settlements were substantial.
And lest anyone think that the HHS watchdogs only go after the big players, in January of 2013, Hospice of Northern Idaho agreed to pay $50,000 to settle potential violations of the HIPAA Security Rule in another laptop theft case. This is the first settlement involving a breach of unsecured ePHI affecting fewer than 500 patients. It is unlikely to be the last.
The American Telemedicine Association, which advocates for wider use of telemedical technology, has projected enormous growth in the field over the next few years, and the number of companies with links on its principal website is long and varied. Most of these companies fall under the HIPAA definition of “business associates.”
A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate (emphasis added). The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. To learn more about business associate agreements, and see a template for what HHS believes such an agreement ought to contain, visit http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html?gclid=CO3k4sTB17YCFe4DOgodT0QAkw.
It seems to me that any prudent practitioner thinking about using telemed conferencing ought to be asking her or himself at this point, “What are the risks to me and my practice of using a free VOIP technology like Microsoft’s Skype®, especially if, in the future, Microsoft decides to change the company’s Terms of Service to allow them to target advertising to users based upon the content of their communications?”
It seems clear that, to be HIPAA-compliant, a videoconferencing service must be willing and able to sign a business associate agreement. Skype and other free services do not offer this. SecureVideo.com does. We also offer live technical support, which free services can’t provide. And free services simply can’t offer the superior video quality and features needed for a professional office–we can.
To learn more about SecureVideo.com, visit our website at http://securevideo.com/.
Stephen C. Taylor
By Stephen C. Taylor, General Counsel
HIPAA – or as it is formally known, the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 – substantially codified the way health information for virtually all Americans must be handled. Sections 261-264 of the law require the Secretary of Health and Human Services (HHS) to promulgate standards for, among other things, the electronic exchange, privacy and security of health information by those subject to its provisions (what the law and regulations call “covered entities”).
Virtually every health care provider in America who electronically transmits health information is a covered entity.
Nothing in the law proscribes videoconferencing, which – as my colleagues elsewhere on this site have described – can, in many instances, be a vastly more efficient method of conferring with a patient in a remote location, or with another provider in a distant location. But such teleconferencing, which has acquired the popular sobriquet of telehealth, is nevertheless subject to the requirements of HIPAA.
Some health care practitioners have considered using the popular VOIP (voice-over internet protocol) videoconferencing software known as Skype ®, which has grown swiftly in the last five years or so. One of the reasons for this spectacular growth could very well have been that its developers in Luxembourg had taken steps to make the service one of the most locked-down and encrypted services available for such communication.
But, as reported by Eric Jackson in Forbes last July, when Microsoft (MS) acquired Skype in May of 2011 for $8.5 billion, observers wondered how MS could justify paying so much for a service that most users pay nothing to use and lets them communicate for free with other users. MS responded by saying that they simply wanted to own the world leader in VOIP.
Well and good. But in June of 2011, MS was granted a patent for “legal intercept” technology designed to be used with VOIP services (like Skype) which would allow “silent copying of communication transmitted via the communication system.”
Perhaps this is pure coincidence. But the point is that, if Microsoft has changed the architecture of Skype – which they have neither confirmed nor denied, but which anecdotal evidence suggests has occurred – the use of Skype to transmit medical and health information could expose the practitioner who unwittingly does so to significant civil and criminal liability under HIPAA.
Civil penalties begin at $100 per individual instance of violation, and are capped at $25,000 per calendar year for multiple violations of the same type. Criminal penalties are tiered, depending upon the willfulness of the violation and the use to which the information is put, but the lowest tier carries a fine of $50,000 and imprisonment of up to one year.
SecureVideo.com offers a securely-encrypted environment for telehealth videoconferencing which is completely HIPAA-compliant. You can investigate further at http://securevideo.com. But don’t take my word for it. Practitioners are urged to consult their own attorney. But for heaven’s sake, do it before you decide to use Skype for telemedical conferencing. You could be taking a big risk.