Whoa. Up is down. Dogs and cats are living together. Everything is topsy-turvy, everyone! (But for a good reason.)
HHS just announced today that they are lightening restrictions on the videoconferencing service you use to deliver telehealth services. They explicitly cite “Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype” [emphasis added] as copacetic with emergency-time HIPAA rules.
Yes, I just said that Facetime, Skype, and friggin’ Facebook Messenger Video are explicitly mentioned as compatible with your HIPAA compliance for so long as the COVID-19 state of emergency is in effect.
I’ve been working much of the day on trying to incorporate this into my schema of understanding the world. It’s a bit rough to do after 10 years of constantly discouraging people from Skype and Facetime for telehealth. But there’s a good reason for this change.
Everyone needs telehealth right now. And I don’t mean “everyone” in a hyperbolic way. I mean, everyone.
Our favorite free, HIPAA-friendly videoconferencing services are straining to support all the traffic on their free tiers. We need to spread the traffic around. We also need to make sure we can literally meet clients where they are with software that the client can and will use. (But don’t get too complacent — more on that later.)
I Don’t Believe You. Prove It.
I quote to you from the relevant guidance on the HHS site, findable here:
OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.
Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
That’s way more clear than the HIPAA people typically get. They’re serious about this.
And to show just how serious they are, they even weigh in on whether it’s acceptable to do therapy via Tiktok! (Hint: it’s not.)
Under this Notice, however, Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.
Okay, We Can Use Skype or Facetime Now. But Should We?
I think that’s the sixty-four thousand dollar ethics question. Skype does present some real privacy risks. Facetime is much better, but Apple might know who is talking to whom (even if they know nothing about what you said during the call.)
This is the point where I think it’s worth noting another item from the guidance:
…including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype… Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
I think that means we can’t use World of Warcraft as a therapy medium, either. Shame.
Reducing the Load
I think one good reason to turn to less rigorously secure options is to spread some of the load around different services. If we’re still thoughtful about what alternatives we use and why, we can do this without putting clients at an excess of additional risk.
Meeting Clients Where They Are
Ever since the beginning of March, we’ve been quite worried about older seniors living in care facilities. For their own protection, family are social distancing from them. Or the family is being barred from visiting. Liath, our Deputy Director, has spoken with many therapists who are highly concerned that older seniors won’t be able to operate typical videoconferencing software to receive services.
Following that thread: I’m imagining an older senior who has an iPhone. If they often use it to talk to kids and grandkids by phone, it’s just one button push away to do so by Facetime. Setting up any other videoconferencing option would require quite a few more steps.
In a time when everyone needs telehealth, the value of choosing an option which is more likely to be usable by a client goes up dramatically. Thus the risk-benefit analysis on using less rigorously-secured software options looks far more favorable to those less secure options. In my opinion. :)
So What Should We Use?
Here’s a list of options I think would be good. The list is probably not exhaustive. We will likely add to it over time.
- VSee or Doxy.me paid tiers. Start paying, and they can in turn pay to increase their capacity.
- Your practice management system’s telehealth feature, if it has one.
- Spruce Health.
- Zoom — preferably Zoom for Healthcare with a BAA.
- Signal. Signal has a videoconferencing option. This has likely always been HIPAA-friendly, but is now even more relevant.
- Google Meet — preferably on your GSuite account where you have a Business Associate Agreement in place. That has actually been HIPAA-friendly for a very long time.
I personally think Facetime’s privacy protections are sufficient to make it usable under this new guidance without sacrificing that much — when client’s would prefer it. Make sure clients know that while your conversations are quite private, Apple can likely know that you and the client did a call together. Also bear in mind that you have to log in to Facetime with an Apple ID. Make sure you use the Apple ID that you want to use with your practice. Remember that you and your client would both need to have Apple products in order to use Facetime.
Personally, I would draw a line against using anything owned or operated by Facebook. That includes Facebook Messenger and WhatsApp.
How Long Will This Last?
Who knows? It will certainly end if the declared state of emergency ends. But I’m curious if this decision will have an impact on future HIPAA rule making. Everything is in flux right now. It’s an exciting time, for sure.
Please, do take care of yourselves and each other. And happy telehealth-ing!