by Michael Griffin, JD, LCSW
Staff Attorney
The Therapist 
November/December 2015

---

Therapists who provide services to their clients via telehealth¹ often utilize“Skype,”a free and popular software application that allows individuals to utilize videoconferencing to communicate over the Internet.² What many therapists may not realize, however, is that Skype is generally not considered to be compatible with the requirements of HIPAA.^{3 4} Therapists who are HIPAA-covered entities need to understand why this is so, and more importantly, what their options are. The good news is that a number of HIPAA compliant alternatives to Skype do exist.

Does HIPAA apply to you? 
It is important to remember that HIPAA only applies to organizations and providers who qualify as “covered entities.” Covered entities are defined as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit private health information (“PHI”) in connection with certain administrative or financial transactions known as “covered transactions.”5 Examples of typical covered transactions by health care providers include the use of the Internet to electronically transmit insurance claims, conduct benefit eligibility inquiries, or to make referral authorization requests.^{6 7}

The mere use of electronic technology to provide telehealth services does not transform a health care provider into a covered entity and therapists who are not covered entities do not have to comply with the HIPAA requirements addressed in this article. As of October 6, 2015 the Board of Behavioral Sciences is still in the process of formulating regulations that apply to California-licensed therapists, interns, and trainees who provide therapeutic services via telehealth.

Key issues 
Therapists who are covered entities and wish to provide telehealth in a HIPAA compliant manner should be familiar with the meaning of “business associates,” “technical safeguards/ encryption,” and the relevance of the HITECH Act.

Is Skype a “business associate” under HIPAA? 
A business associate is a person or entity that performs certain functions on behalf of, or offers services to, a HIPAA-covered entity, involving the use or disclosure of individually identifiable health information.⁸ When a covered entity utilizes the services of a business associate, HIPAA requires the covered entity to ensure that the business associate will safeguard the patients’ PHI by means of a business associate agreement (“BAA”).⁹ A BAA serves to clarify and limit the use and disclosure of PHI, and the content of a BAA depends upon the relationship of the parties and the nature of the services that are performed by the business associate.^{10 11}

A key issue in this discussion is whether any provider of Internet videoconferencing technology (including Skype) should be considered to be a “business associate” of a health care provider, according to HIPAA. As a general rule, it would be expected that a covered entity obtain a BAA with the Internet technology provider, unless the technology provider was subject to something known as the “conduit exception.” Under the conduit exception, if the technology provider did not access the PHI involved and was acting merely as a “conduit” for the transmission of information, (like the US Postal Service, or a private courier), HIPAA would not consider the technology provider to be a business associate of the covered entity and a BAA would not be required. The primary reason that Skype is a problem for HIPAA-covered providers is that Skype considers itself only to be a conduit for information and will not provide a BAA to providers who use its services for telehealth.^{12 13 14 15} Skype’s contention is the subject of some debate, however, and various individuals have challenged whether Skype (or other similar Internet service providers,) truly qualify under this exception.¹⁶

HIPAA requires appropriate technical safeguards
HIPAA security standards require the use of appropriate technical safeguards, which are defined as the technology and related policies and procedures that protect electronic PHI.¹⁷ HIPAA does not require the use of specific technology and a covered entity is free to determine the reasonable and appropriate technology to use in a given circumstance.¹⁸ A standard technical safeguard for platforms that provide videoconferencing services for health care providers is the use of encryption, which is a method of converting an original message into encoded text that can be later decrypted and made readable.¹⁹ Internet technology providers who state that they are HIPAA compliant, and who provide a BAA to covered entities who use their services for telehealth are expected to implement appropriate encryption consistent with the requirements of HIPAA.²⁰

The HITECH Act requires business associates to comply with HIPAA’s security provisions 
The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.²¹ Under HITECH, HIPAA’s security provisions, (including administrative, physical and technical safeguards), were applied to business associates, in addition to covered entities.²² This fact alone is a compelling reason for covered entities to utilize the services of an Internet technology provider who is willing to provide a BAA, over one such as Skype, who does not.

Conclusions and alternatives 
It is easy to understand why Skype is a popular source of videoconferencing technology. It is convenient, economical and familiar to many users, is widely available, and it is encrypted. The problem is that, unlike a number of other videoconferencing providers, Skype does not say that they are HIPAA compliant, and they do not offer a business associate agreement for covered entities who want to use Skype to provide telehealth services. This is especially noteworthy in light of the HITECH Act, which articulates the requirement that business associates have a responsibility to protect and secure PHI and to take appropriate action in the event of a breach.²³ While it seems unlikely that a breach of PHI would occur during a telehealth session, in the event of such an occurrence, it would be comforting to a covered entity to know that he or she had an existing BAA with a technology company that was HIPAA compliant.

HIPAA-compliant resources are available
Fortunately, there appears to be an everincreasing number of companies who offer HIPAA-compliant videoconferencing solutions for telehealth. A recent Internet search on this topic revealed numerous options, including plans which are tailored to the needs of sole practitioners. Several companies offer free product trials, or demonstrations, so a provider can assess whether the technology is user friendly and compatible with the needs of his or her practice. Products vary, and may include related practice-management services, such as the ability for clients to schedule sessions, send secure messages to clients, and/or, to provide payments on-line for services rendered.

The following is a partial list of Internet technology providers who offer HIPAA compliant platforms for telehealth services, including a BAA²⁴:

VSee: http://vsee.com Offers a plan for solo practitioners for $45.00 per month.

SecureVideo: https://securevideo.com Offers plans for single clinicians priced from $25.00 per month.

Thera-link: https://www.thera-link.com/ Offers plans for single practitioners for $30.00 per month; $85.00 per month for 2-10 providers.

CounSol.com: https://counsol.com Offers “practice management plus” plan which includes secure email, appointment making, billing, secure record storage, etc., for $59.95 month.

Doxy.me: https:doxy.me Offers HIPAA compliant audio/video communications, including live chat. Cost is free.

WeCounsel.com: http:www.wecounsel.com Offers a plan that includes practice management services such as secure messaging, billing, document storage, etc., for $14.99 month.

---

Michael Griffin, JD, LCSW, is a staff attorney at CAMFT. Michael is available to answer member calls regarding legal, ethical, and licensure issues.

---

Endnotes

¹Bus. & Prof. Code, 2290.5(a)(6),“Telehealth” is the mode of delivering health care services and public health via information and communication technologies to facilitate the diagnosis, consultation, treatment, education, care management, and selfmanagement of a patient’s health care while the patient is at the originating site and the health care provider is at a distant site.

² Information regarding Skype is available at: www.skype.com

³ 45 CFR 164.102 Health Insurance Portability and Accountability Act of 1996

⁴ See, Zur, Ofer, Ph.D.,(2014).”Utilizing Skype and VSee to Provide TeleMentalHealth, E-Counseling, or E-therapy. Reviewing the debate on Skype & HIPAA Compliance and Introducing the VSee Option,” available at: http://www.zurinstitute.com/ skype_telehealth.html

⁵ 45 CFR 160.103

⁶ Id.

⁷ For further information on the topic of covered entities, see: Jensen, David, JD, “Are you a covered entity?” The Therapist, July/ Aug., 2010. Covered Transactions include: Electronic billing to a health plan for services rendered; An inquiry regarding a patient’s eligibility, coverage, or benefits, and the carrier’s response; A request for authorization of treatment and the carrier’s response; An inquiry regarding the status of a health care claim and the carrier’s response; Transmission of payments and payment information from a health plan to a provider; Transmission of explanation of benefits information from a health plan to a provider; and Transmission of information to a health plan for coordination of benefits.

⁸ 45 CFR 160.103

⁹ 45 CFR 164.504(e)

¹⁰ A clear explanation of business associate contracts, including sample language, is available at: http:www.gov/ocr/privacy/hipaa/ understanding/coveredentities/contractprovisions.html

¹¹ For further information on the topic of business associates, see: Kashing, Sara, JD, “Neither You Nor Your Business Associates Can Afford to be Lax Complying With HIPAA Requirements,” The Therapist, July/August, 2012.

¹² Id. A business associate’s functions or activities on behalf of a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services, including claims processing and billing, and utilization review. By definition, a “conduit” is an entity that does not access PHI, other than as necessary for the performance of the transportation service or as required by law. Persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information (“PHI”) or, where their access to PHI would be incidental, if at all.

¹³ Id. An employee of the covered entity does not qualify as a business associate.

¹⁴ 45 CFR 160.103

¹⁵ Hearing before the House Subcommittee on Health and Technology, July 31, 2014, citing statement regarding Skype on www.onlinetherapyinstitute.com, (2011).

¹⁶ Zur, Ofer, Ph.D, Supra. One concern is the degree of access that Skype has to the data being transmitted.

¹⁷ 45 CFR 164.304

¹⁸ Id.

¹⁹ In light of the fact that encryption is widely available, providers should consider the use of encrypted technology when appropriate and reasonable to do so, but it is not specifically required

²⁰ 45 CFR 164.312(a)(2)(v)

²¹ 45 CFR Part 160

²² For further discussion of the HITECH Act, see, Jensen, David, JD, “President Obama Extends HIPAA’s Reach and Alters the Healthcare Landscape,” The Therapist, July/Aug., 2009 (updated 2012).

²³ 45 CFR Part 160

²⁴ CAMFT does not endorse, represent, or accept responsibility for the products listed.