1. Skype is proprietary software, so we do not have ready access to behind-the-scenes information.
2. HIPAA was intentionally written as a document that is meant to evolve as technology evolves.
3. HIPAA consists of three “rules.” They are complementary, but often confusing. They include the transactional rule, the security rule, and the privacy rule. Many professionals are only aware of one of these rules. Before practicing online, good legal advice is warranted.

We then, are trying to delineate a yes/no answer that involves two factors  that are impossible to quantify.

“On the Internet you have no privacy, get over it .” (CEO of Cisco Systems)

Skype is unavailable for scrutiny by the Internet community because it is proprietary.  The fact that is owned by eBay could give many health care practitioners significant pause. EBay has a long history of cooperating with law enforcement agencies that want to access information about specific users.

Practitioners are usually cognizant of the fact that we are the guardians of confidentiality or privilege for our patients. Nonetheless, the fact that a patient is willing to sign a website disclaimer does not relieve us of our duty to protect the confidentiality and privilege of our patients, who have entrusted us to protect their best interest. However paternalistic this may sound, it is the way health care is delivered in this country.

Perfect paranoia is perfect awareness – Stephen King

HIPAA was first enacted in 1996. It regulated many areas that had previously been left to the individual judgment of practitioners. Because it involved technologies that were as yet not built as well as not yet conceived, it had to be written in a way that left room for innovation. The wording of many provisions was intentionally vague. For instance, in one part of the document it states that the required encryption level is 128 bits. This has led to a lot of confusion, particularly when people go to websites such as Skype’s and find that the encryption code that Skype boasts is 256 bits. Is it all that simple?

The real question for us is professionals is, “What else might come into play?”

If they are not willing to document their fitness for healthcare delivery in terms of HIPAA compliance as other vendors have done for years in the telemedicine world, are we safe as healthcare practitioners to be using their technology for patient contact?

Here are a few specific areas of concern:

1. Are practitioners responsible if Skype has a security breach that compromises the confidentiality of the patient during a session? For this answer, it’s important to look at the rest of HIPAA’s requirements.  A “covered entity” must assemble and document a risk management plan reflective of an accurate understanding of the risks. How many of us are capable of doing that with respect to Skype? Other vendors will do that for us if they advertise their technology as being “HIPAA compliant.”  Furthermore, if vendors who claim HIPAA compliance have a security breach, they must notify us under HITECH Law. Since Skype does not claim to have HIPAA compliance how are we to know if a breach occurs?

2. The remaining question then, as I detailed in an earlier post, is if we as practitioners are entrusted to protect the confidentiality or privacy of our patients, is it right for us to ask them to sign away that right, particularly when Skype is very clear in its website that security flaws do exist. Privacy for example on the Skype website is protected by a name and password. We all know that hackers delight in developing ingenious techniques to uncover usernames and passwords. It has also been well documented that people on the Internet are lax in developing strong usernames and passwords, rather, they use names of their pets or their birthdays, much of which can be easily guessed by people who know them.

3. Skype also uses the history file that records all communication. In October of 2005 a pair of security flaws reportedly were discovered, making it possible for hackers to use hostile code on some computers running a compromised version of Skype. What’s to prevent this from happening with our patients?

4. What about reliability? For those of us who use Skype on a regular basis, it’s common knowledge that Skype can easily drop a call two or three times during any 30 to 45 minute conversation. What would happen if a distraught patient were trying to communicate an important message to you, and the call were to get repeatedly disconnected? Are you responsible for what might happen? Are you responsible for the frustration potentially generated in that patient? If you have had the patient sign a consent form outlining this possibility, do you think that consent would hold up in a court of law?

5. Different parts of HIPAA specify different requirements. For the 18 “identifiers” that are prohibited in any technology-based exchange that is not documented as fully protected for PHI, see here.

Those are my views. Please comment below if you either agree or disagree.

The first complicating factor is the issue of confidentiality in law proceedings. Unfortunately, crystal-clear answers are not likely to be forthcoming until consumers get hurt and file lawsuits that get publicized. Most lawsuits are settled out of court, and parties sign a confidentiality clause. In other words, we as consumers never get to hear about relevant cases that get brought to our court systems.

The second issue is the required time delay for US laws to get changed. Our system tries to be fair to all parties, but that involves a long and laborious process that leaves us in the partial dark for almost a decade in most instances. Take online prescription-writing as an example. Much as with online pharmacies filling prescriptions without following the standard of care, enough consumers needed to be harmed, enough lawsuits needed to be filed and finally, a bill is introduced and passed. This took over a decade with the prescription-writing issue, but the FDA is now empowered to prosecute companies for consumer harm brought about by such irresponsible action.

Aside from confidentiality clauses that prohibit us from knowing how many lawsuits are filed by injured parties, and our system’s time delays, the other confusing fact we face with HIPAA is that different attorneys often counsel us differently about the same law. In other words, what one attorney claims can be worthy of a court-based challenge by another.  After all, the very essence of the US court system is the public debate (f0r a hefty fee) between attorneys arguing their views about an undefined area of law.

Where Does That leave the TeleMental Health Professional?

Confusion and disagreement reign. Mental health practitioners wanting to find new client populations to new ways to serve existing populations are left to either guess about the meaning of HIPAA, wait for clarification, or take their chances of possibly harming a patient and/or having their malpractice insurance fail to cover them for “practicing illegally.”

How Are Mental Health Practitioners Responding?

On one end of the spectrum are professionals, both licensed and unlicensed who claim that HIPAA is not relevant to telecommunication video interactions with clients or patients. Some of these people state that even if HIPAA compliance is an issue, public VoIP platforms already have met HIPAA compliance requirements by being more than 128-bit encrypted. They consider themselves safe or safe enough, and many of them are already practicing on the open, public Internet, using systems such as Oovoo, Google Talk, Skype or any of a  number of other VoIP video platforms.

At the other end of the spectrum are professionals who are more conservative. They seem to be choosing to either wait for more secure systems to be developed, or work in institutional settings where using equipment with stated HIPAA complaint technologies.

Is HIPAA Compliant Technology Available?

Unbeknown to many practitioners, platform developers who have met specific standards are making it amply clear that they have met or exceeded HIPAA requirements, whether they are high-end systems such as Tanberg or Polycom, or more recently available systems such as were evident at the American Telemedicine Association (ATA) meeting in May of 2010 in San Antonio.

Some telehealth video platform developers even made their compliance a feature on their exhibit booth banners. Here is an image of one such vendor’s exhibit booth banner at the ATA conference in May, 2010: 

Many more vendors claiming HIPAA compliance were also on the ATA exhibitor floor. While few are available through the open Internet, and those who offer Virtual Private Networks (VPNs) are starting to surface online. Until these systems are tested for our populations however, it would be irresponsible for me to say one company stands out from the others. I will devote some of my next posts to describing the less expensive of these industry leaders.

What’s My Stance?

My position is on the more conservative end of the spectrum. I suggest to my audiences and consulting clients that they only use systems that openly and publicly announce their products and services as being “HIPAA compliant.” If a U.S.-based company isn’t claiming HIPAA compliance, my tendency is to recommend against using them for the delivery of telepsychiatry, telepsychology, online therapy or online counseling in the U.S., until they make claims for which they can be held accountable by our federal consumer protection agencies. That includes email, chat rooms, telephone or videoconferencing.

Those are my views. Might you provide additional information that could help me see it differently? Please comment below.

~

Marlene M. Maheu, Ph.D. is the Executive Director of the TeleMental Health Institute, Inc., offering a Certificate training program in Telemental Health for telepsychiatry, telepsychology, telesocial work, and online counseling.  Academic books authored by Dr. Maheu and colleagues include eHealth, Telehealth and Telemedicine and The Mental Health Professional & the New Technologies.

~~

Thought I’d warn you of a thing that’s apparently going around in Skype.

I had my Skype account hijacked, The hijacker changed my password and email
address that was associated with my account so I could not get into the
account again myself.

Then they placed phone calls and charged the credit card that’s on file for
autobill with Skype.

It apparently started when I received a file attachment from a known
business contact that looked like an image file but wouldn’t open after I
downloaded it.

Skype customer service helped me out with it, but it’s a pain. Be careful
with attachments – even if they come from trusted sources! If you don’t know
what is being sent, confirm via text message before downloading anything!

~~

I had the same thing happen to me with Chat rooms, where I would be in the room and receive messages from someone else who was posing as ME, teasing ME about SECURITY while I was talking to my world-wide programming staff.  That made me shy away from even thinking about using chat rooms with patients.

Now the report above is being circulated out of the blue from one of my other listservs.

I know SKYPE is supposedly encrypted way above HIPAA requirements, , but one does have to stop and wonder how those passwords were obtained. Was someone using an unencrupted wireless connection when they tried to acces their SKYPE account at some point?  Were they in a cafe and not thinking that someone esle might have set up a phishing operation across that cafe house wall?

What lesson does this event hold for us as practitioners? Should we include a statement in our consent forms that stipulates that clients/patients should not use wireless networks when entering their SKYPE address if they every want to use SKYPE for mental health treatment? How responsible are they vs. us if they “forget” and their confidentiality is violated?  Are we at fault even if we asked them to sign a consent form addressing this issue?

Am I missing the point? Is there another way someone might have gotten those SKYPE passwords? Please comment below.

Does their licensure signify that they are indeed competent and operating legally/ethically as many consumers would believe? Or does it simply mean that they are simply running ahead of the law, taking advantage of an overburdened legal system that cannot keep up with the rapid pace of technological advancement? Are they taking their chances because they know that licensing boards are severely overworked, sometimes employed by states that are financially strapped, and that consumers often need to file a significant number of complaints before even an informed licensing board can take action? Are they just trying to make a fast and much easier buck than in their face-to-face practices? Or is this just all one big misunderstanding? If it is a misunderstanding, whose job is it to know and disseminate the facts?

Before I offend too many of my loyal readers, let me say that ask the questions I am asked by my readers at SelfhelpMagazine, and I hope to assist rather than point to any specific professional or business online. I also will speak only to mental health websites in particular, because this is  my area of specialty.

In reviewing a large number of websites for mental health practitioners offering “online counseling” or “online therapy,” it’s obvious that there’s a fair amount of confusion or misinformation (or what else?) about licensure,  and even among licensed professionals.

This is an interesting phenomenon, especially because licensure means that some point in time, those licensed professionals understood the law clearly enough that they passed the test designed to document their understanding of state law, particularly state law related to where it is legal to practice.

As we detailed in our last text book, The Mental Health Professional and the New Technologies: A Handbook for Practice Today, licensed mental health professionals need to be licensed in the state of residence of the client or patient.

In other words, professionals selling their services to Internet sites by claiming they are “licensed” may very well be misleading consumers, who may trust that they are more protected when seeing  a licensed practitioner.

While indeed, licensure signifies that the professional has demonstrated to an objective third party that they have at least a minimal level of competence, the fact that these particular professionals are announcing to the world (and their local licensing boards) that they are open for business to treat anyone who calls them from their Internet site, lets us all know that they are not as competent (or perhaps just not as informed?) as most consumers would like to believe.

After all, just how informed are they if they don’t realize that they’re in effect advertising that they are either licensed in all 50 states (and anywhere else in the world where local licensure is required), or that they are practicing over state lines without a license?

Now there might be some online counselors or online therapists who only make themselves available online to consumers from the particular state(s) from where the professional is licensed, but they are the vast minority. Never have I met a mental health practitioner who is licensed in all 50 states.

That’s not to say that no single practitioner is licensed in all 50 states, but after training literally thousands of therapists who want to learn about online practice, I can honestly tell you, I’ve never met any. Most of the time, what I see on these websites is a practitioner whose license in 1-3 states in making themselves available to anyone who’d like to call, chat or email.

Making this sort of public mistake about one’s licensure is noteworthy. Caution is in order. It literally is a crime to practice without a license in all 50 states. If any of you have different information, please let me know below.

If any of you are offering services online without having fully considered the boundaries of your licensure, you may want to simply go to your website now,  and make it clear to your readers as well as clients and patients that you can only legally serve them online if they currently reside in a state where you are licensed. If you have any doubt as to the veracity of my statements above or my suggestion herein, call your licensing board and ask them. I would be interested in hearing your feedback.

Those are my views. Might you provide additional information that could help me see it differently? Please comment below.

ETHICAL PRINCIPLES OF PSYCHOLOGISTS AND CODE OF CONDUCT (2002)

“2. Competence

2.01 Boundaries of Competence
(a) Psychologists provide services, teach, and conduct research with populations and in areas only within the boundaries of their competence, based on their education, training, supervised experience, consultation, study, or professional experience.

(b) Where scientific or professional knowledge in the discipline of psychology establishes that an understanding of factors associated with age, gender, gender identity, race, ethnicity, culture, national origin, religion, sexual orientation, disability, language, or socioeconomic status is essential for effective implementation of their services or research, psychologists have or obtain the training, experience, consultation, or supervision necessary to ensure the competence of their services, or they make appropriate referrals, except as provided in Standard 2.02, Providing Services in Emergencies.

(c) Psychologists planning to provide services, teach, or conduct research involving populations, areas, techniques, or technologies new to them undertake relevant education, training, supervised experience, consultation, or study.

(d) When psychologists are asked to provide services to individuals for whom appropriate mental health services are not available and for which psychologists have not obtained the competence necessary, psychologists with closely related prior training or experience may provide such services in order to ensure that services are not denied if they make a reasonable effort to obtain the competence required by using relevant research, training, consultation, or study.

(e) In those emerging areas in which generally recognized standards for preparatory training do not yet exist, psychologists nevertheless take reasonable steps to ensure the competence of their work and to protect clients/patients, students, supervisees, research participants, organizational clients, and others from harm.

(f) When assuming forensic roles, psychologists are or become reasonably familiar with the judicial or administrative rules governing their roles.

2.02 Providing Services in Emergencies
In emergencies, when psychologists provide services to individuals for whom other mental health services are not available and for which psychologists have not obtained the necessary training, psychologists may provide such services in order to ensure that services are not denied. The services are discontinued as soon as the emergency has ended or appropriate services are available.

2.03 Maintaining Competence
Psychologists undertake ongoing efforts to develop and maintain their competence.”