With the growing popularity of telemental health, it’s a wonder that it isn’t easier to identify which software is best to use to perform these services. Here I will try to provide some clarity on that subject.
What Video Software Should I Use?
When choosing software, we need to consider if it is secure enough to meet ethical and legal standards, if it plays well with the HIPAA Business Associate rule, and if it has the features we need.
“HIPAA Nothin’!”: Our Ethics Codes Have Plenty To Say About Electronic Security
When we think about mandates around “digital confidentiality,” as I like to call it, we tend to think of HIPAA. However, this is as much an ethical issue as a legal one. All the major professional ethics codes ask us to use security measures when dealing with electronic client data. National ethics codes that call for protection specifically of electronic info include the AAMFT, ACA, APA, NASW and NBCC codes.
The HIPAA Security Rule also contains a basic mandate that we must secure our “electronic protected health information.” Specifically, The HIPAA Security Rule defines a standard called the Transmission Security standard:
[Covered entities must] Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
(US Dept. of Health and Human Services, 2006) Emphasis mine
I emphasized the word “technical.” “Technical” security measures would be stuff you do with software or hardware to protect sensitive information.
In the case of videoconferencing software, we’re looking at needing software that encrypts the calls and that requires that everyone involved in the call authenticate themselves (“authenticate” is a fancy way of saying that they have to prove they are who they claim to be.)
When HIPAA Does and Doesn’t Matter
Alert readers may have noticed in the above HIPAA quote the words, “covered entity.” That is a piece of HIPAA jargon that refers to any person or group that is legally required to comply with HIPAA. Simply being a health care professional does not automatically make one a HIPAA covered entity. For more information, see our article on HIPAA covered entity status.
HIPAA doesn’t always rule the roost, however.
As stated above, all the professional guidelines regarding telemental health, and the American Counseling Association’s code of ethics, require us to use secure communications for therapeutic exchanges regardless of requests to the contrary or waivers from clients (ACA, 2014; APA, 2013; NASW & ASWB, 2017; NBCC, 2012).
Licensing boards often have something to say on the issue, as well. For example, my licensing board specifically requires encryption for therapeutic exchanges in their rules regarding Distance Counseling. (Oregon Board of Licensed Professional Counselors and Therapists, 2011)
Additionally, at the time of writing, at least 47 US states, as well as Puerto Rico and the Virgin Islands, all have their own laws regarding what businesses must do to prevent data breaches, and what sanctions are possible in the case that a data breach occurs. (Mintz Levin, 2016) Unless you practice in one of the very few states without such a law, HIPAA would not be the only authority that creates legal incentives to use strong technical measures to protect your electronic communications with clients.
This means that even if one is not a HIPAA covered entity, ethics codes, professional guidelines, and state laws and licensing boards would agree that performing telemental health services always indicates the use of services that employ strong security measures at both the software level and the company level to keep call data secure.
HIPAA Business Associates and the “Conduit Exception”
In short, HIPAA Business Associates are persons or companies who provide services for your practice wherein they handle your protected health information. HIPAA requires us to execute a Business Associate Agreement with such folks in order to be in compliance. For details, see What is a HIPAA Business Associate Agreement?.
The 2013 HIPAA Omnibus Final Rule tightened the Business Associate rule and gave Business Associates greater responsibilities. The result was a reduction in options around which cloud-based services we can use and still remain HIPAA compliant.
An important part of the BA rule is the “conduit” exception. This allows companies that only move your protected health information from one place to another to perform this service without taking on a BA relationship with you. The classic examples of conduits are the US Postal Service and other courier services, as well as Internet Service Providers – the companies that provide your Internet connection. Because of the conduit exception, none of these groups are HIPAA Business Associates.
The 2013 HIPAA Omnibus Final Rule tightened the conduit exception. The Office of Civil Rights (the “HIPAA people”) made it clear that just moving info from one place to another is not enough to make a service qualify for the Business Associate rule’s conduit exception. They have to also be unable to look at the data as they move it. In other words, the info being moved has to be encrypted, and the company has to not have the ability to unlock the encryption. (Reinhardt, 2013)
Many people have argued that Skype and FaceTime would be acceptable for HIPAA covered entities to use because they supposedly qualify for the conduit exception. However, both Skype and FaceTime make it possible for the companies that operate them to see and hear your calls. The fact that they can do so means that they do not qualify for the conduit exception to the Business Associate Rule. This is perhaps the most compelling reason why Skype and FaceTime are not viable for telemental health under HIPAA.
In my consulting experience, I have also seen many other companies try to claim that their software is acceptable for HIPAA covered entities because the company is a “conduit.” Even if the claim is legally accurate, by claiming to be conduits they are rejecting legal responsibility under HIPAA for the security of your data. We advise all health care professionals to avoid working with companies that do this.
Remember that Business Associate relationships are between clinicians and the companies that qualify as our BAs. The client is not a part of that equation. Thus, client consent or preference has no bearing on whether or not we’re required by HIPAA to get a Business Associate contract with a given company.
Do I Have to Use Expensive Software to Do Telemental Health, Then?
Affordable, and sometimes free, options are available. These options meet the security standards set by the National Institutes for Standards and Technology, but are just as easy and affordable as Skype or Facetime. As such, there is no reason to use either of those consumer technologies. We have reviews of free options that work well here: Free Online Therapy Software Options.
Even though there are free options that meet the needs of telemental health professionals, however, free is not always the best way to go. There are many platforms for doing telemental health that are quite affordable. You often also get extra features such as secure billing, secure messaging with clients, and other features helpful to the delivery of services. These platforms can be a good investment in creating a solid telemental health practice. For browsing available platforms, I generally recommend Jay Ostrowski’s Telemental Health Comparisons website.
What Features Do I Need In Video Software?
The American Telemedicine Association published a guideline in 2009 that includes some recommended standards regarding what video software should be able to do, where possible, when used for telemental health. Several of the features they described require that there be special hardware on the client’s side of things. Generally, we would need to be doing clinic-to-clinic telemental health for that to be possible, so those features won’t be discussed here.
Many of the ATA’s other recommendations, however, can be met by software used for delivering service to clients in their homes. Thus we can look for those features in the software we choose. Here is a sampling of the more important features to look for according to the American Telemedicine Association’s 2009 guidelines.
1. View and share a computer desktop or applications.
This means the software can allow call participants to selectively show each other what is currently on their computers. Professionals often use this to collaboratively make notes or do exercises with clients.
2. Record meetings when clinically appropriate and with patient permission.
Depending on your needs as a clinician, this can be a deal-breaker. Most clinicians under supervision, for example, need to be able to record sessions.
3. Share information on a common white board or via computer files.
Many programs accomplish the “white board” through interactive screen sharing (item 1.) Most software apps also allow call participants to securely send each other files. For most telemental health professionals, this secure file sharing through the video software is seen as essential. It is possibly to work without it, however. For example, you could also use a secure email service to exchange files with clients.
4. Ease of use with minimum operator training.
This is a must not just for clinicians, but also for clients. Even if your technical proficiency is high, delivery to the home means the client must handle many of their own technical needs.
For this reason, quite a few clinicians only use video software services that offer live, 24-hour tech support (note that some of the free options don’t offer technical support — but some, surprisingly, do!) Some therapists feel comfortable providing that support themselves. Online group therapists generally see technical support as a must-have, however, since they can’t troubleshoot one participant’s problems while working with the rest of the group.
5. On screen messages to notify the user of such conditions as loss of far end video, incomplete or dropped connections, mute/unmute etc.
This feature allows both clinician and client to know the current conditions of the call, especially if the Internet connection is going bad. Bad connections can mean choppy video or audio or even a dropped call. Professionals should be careful to avoid delicate clinical interventions when the software’s indicator is showing that the call connection is going through a rough patch.
This point is also saying the software should clearly indicate when either participant in a call has been muted. We can infer that the same goes for indicating if any participant’s camera has been turned off.
6. Ability to operate at a bandwidth of 384 Kbps or higher.
This means the software should be able to work with a somewhat slow Internet connection. Internet connection speed is prone to a lot of different conditions. The more your software is able to work with lower Internet speeds, the fewer interruptions or “glitches” you’ll experience during sessions.
Remember that the guideline is from 2009, and the specific number of “384 Kbps or higher” may not be especially relevant anymore. What is important is that the software should have some ability to work with low Internet speeds, and to “roll with the punches” when the Internet connection hits slow patches or experiences lag.
It should be apparent that choosing the right video calling service is something that is somewhat personal to each professional’s technical needs. It should also be apparent that consumer products like Skype and FaceTime are no longer viable or sensible to use.
Making the right choice could require some up-front time investment, but we assure that it will be well worth it when your sessions run smoothly, your tools are working well for you, and you are confident that your choices are good for your professional practice and the safety of your clients!