HHS announced last year that they were lightening restrictions on the videoconferencing service you use to deliver telehealth services. They explicitly cite “Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype” [emphasis added] as copacetic with emergency-time HIPAA rules.
Yes, I just said that Facetime, Skype, and friggin’ Facebook Messenger Video are explicitly mentioned as compatible with your HIPAA compliance for so long as the COVID-19 state of emergency is in effect.
Everyone needs telehealth right now. And I don’t mean “everyone” in a hyperbolic way. I mean, everyone.
Wait, so Facetime is “HIPAA Compliant”?
Sort of.
I quote to you from the relevant guidance on the HHS site, findable here:
OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.
…
Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
That’s way more clear than the HIPAA people typically get. They’re serious about this.
And to show just how serious they are, they even weigh in on whether it’s acceptable to do therapy via Tiktok! (Hint: it’s not.)
Under this Notice, however, Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.
Our free, informative articles are brought to you by Hushmail,
who is offering our readers 15% off for life!
Wondering why this is here? See our sponsorship policy for details.
Roy says: Hushmail is one of several secure email options that serves health care practitioners like us. Hushmail is highly trusted, affordable, includes secure web forms that accept e-signatures, and has earned a recommendation from us for use by mental health professionals. Learn more about Hushmail for Healthcare and get 15% off for life.
Okay, We Can Use Skype or Facetime Now. But Should We?
I think that’s the sixty-four thousand dollar ethics question. Skype does present some real privacy risks. Facetime is much better, but Apple might know who is talking to whom (even if they know nothing about what you said during the call.)
This is the point where I think it’s worth noting another item from the guidance:
…including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype… Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
I think that means we can’t use World of Warcraft as a therapy medium, either. Shame.
Meeting Clients Where They Are
Ever since the beginning of March in 2020, we’ve been quite worried about older seniors living in care facilities. For their own protection, family are social distancing from them. Or the family is being barred from visiting. Liath, our Deputy Director, has spoken with many therapists who are highly concerned that older seniors won’t be able to operate typical videoconferencing software to receive services.
Following that thread: I’m imagining an older senior who has an iPhone. If they often use it to talk to kids and grandkids by phone, it’s just one button push away to do so by Facetime. Setting up any other videoconferencing option would require quite a few more steps.
In a time when everyone needs telehealth, the value of choosing an option which is more likely to be usable by a client goes up dramatically. Thus the risk-benefit analysis on using less rigorously-secured software options looks far more favorable to those less secure options. In my opinion. :)
So What Should We Use?
Here’s a list of options I think would be good. The list is probably not exhaustive. We will likely add to it over time.
- Google Meet — preferably on your GSuite account where you have a Business Associate Agreement in place. That has actually been HIPAA-friendly for a very long time.
- VSee or Doxy.me paid tiers. Start paying, and they can in turn pay to increase their capacity.
- Your practice management system’s telehealth feature, if it has one.
- Spruce Health.
- Zoom — preferably Zoom for Healthcare with a BAA.
I personally think Facetime’s privacy protections are sufficient to make it usable under this special circumstance without sacrificing that much — when clients would prefer it. Make sure clients know that while your conversations are quite private, Apple can likely know that you and the client did a call together. Also bear in mind that you have to log in to Facetime with an Apple ID. Make sure you use the Apple ID that you want to use with your practice. Remember that you and your client would both need to have Apple products in order to use Facetime.
Personally, I would draw a line against using anything owned or operated by Facebook. That includes Facebook Messenger and WhatsApp.
How Long Will This Last?
It will end when the federal PHE (Public Health Emergency) ends. But I’m curious if this decision will have an impact on future HIPAA rule making. It just might!