While HIPAA may be intentionally vague to allow for technological change over time, that intentional vagueness can leave the average practitioner seeking to deliver mental health services scratching his or her head. Is HIPAA relevant when we look at using video-based telecommunications? In the US, some state laws may take precedence, but in most cases, the answer is probably yes. Several factors complicate the picture.
The first complicating factor is the issue of confidentiality in law proceedings. Unfortunately, crystal-clear answers are not likely to be forthcoming until consumers get hurt and file lawsuits that get publicized. Most lawsuits are settled out of court, and parties sign a confidentiality clause. In other words, we as consumers never get to hear about relevant cases that get brought to our court systems.
The second issue is the required time delay for US laws to get changed. Our system tries to be fair to all parties, but that involves a long and laborious process that leaves us in the partial dark for almost a decade in most instances. Take online prescription-writing as an example. Much as with online pharmacies filling prescriptions without following the standard of care, enough consumers needed to be harmed, enough lawsuits needed to be filed and finally, a bill is introduced and passed. This took over a decade with the prescription-writing issue, but the FDA is now empowered to prosecute companies for consumer harm brought about by such irresponsible action.
Aside from confidentiality clauses that prohibit us from knowing how many lawsuits are filed by injured parties, and our system’s time delays, the other confusing fact we face with HIPAA is that different attorneys often counsel us differently about the same law. In other words, what one attorney claims can be worthy of a court-based challenge by another. After all, the very essence of the US court system is the public debate (f0r a hefty fee) between attorneys arguing their views about an undefined area of law.
Where Does That leave the TeleMental Health Professional?
Confusion and disagreement reign. Mental health practitioners wanting to find new client populations to new ways to serve existing populations are left to either guess about the meaning of HIPAA, wait for clarification, or take their chances of possibly harming a patient and/or having their malpractice insurance fail to cover them for “practicing illegally.”
How Are Mental Health Practitioners Responding?
On one end of the spectrum are professionals, both licensed and unlicensed who claim that HIPAA is not relevant to telecommunication video interactions with clients or patients. Some of these people state that even if HIPAA compliance is an issue, public VoIP platforms already have met HIPAA compliance requirements by being more than 128-bit encrypted. They consider themselves safe or safe enough, and many of them are already practicing on the open, public Internet, using systems such as Oovoo, Google Talk, Skype or any of a number of other VoIP video platforms.
At the other end of the spectrum are professionals who are more conservative. They seem to be choosing to either wait for more secure systems to be developed, or work in institutional settings where using equipment with stated HIPAA complaint technologies.
Is HIPAA Compliant Technology Available?
Unbeknown to many practitioners, platform developers who have met specific standards are making it amply clear that they have met or exceeded HIPAA requirements, whether they are high-end systems such as Tanberg or Polycom, or more recently available systems such as were evident at the American Telemedicine Association (ATA) meeting in May of 2010 in San Antonio.
Some telehealth video platform developers even made their compliance a feature on their exhibit booth banners. Here is an image of one such vendor’s exhibit booth banner at the ATA conference in May, 2010:
Many more vendors claiming HIPAA compliance were also on the ATA exhibitor floor. While few are available through the open Internet, and those who offer Virtual Private Networks (VPNs) are starting to surface online. Until these systems are tested for our populations however, it would be irresponsible for me to say one company stands out from the others. I will devote some of my next posts to describing the less expensive of these industry leaders.
What’s My Stance?
My position is on the more conservative end of the spectrum. I suggest to my audiences and consulting clients that they only use systems that openly and publicly announce their products and services as being “HIPAA compliant.” If a U.S.-based company isn’t claiming HIPAA compliance, my tendency is to recommend against using them for the delivery of telepsychiatry, telepsychology, online therapy or online counseling in the U.S., until they make claims for which they can be held accountable by our federal consumer protection agencies. That includes email, chat rooms, telephone or videoconferencing.
Those are my views. Might you provide additional information that could help me see it differently? Please comment below.