“Video has become a viable mechanism for enhancing employee interactions—and as video conferencing becomes more readily available, businesses are using it to communicate more effectively throughout their organizations and with partners and customers.”
Most physicians and their staff have used video conferencing features. IHS Markit publishes research annually in the technology space, and they’re telling us that 86% of all businesses are planning on using video conferencing this year as part of a unified communications strategy. They tell us that it improves employee productivity and provides them with increased flexibility to get the job done.
But that figure should not take into account medical practices, which fall under completely different rules restricting their use of video conferencing.
HIPAA, of course, stands for the Health Insurance Portability and Accountability Act of 1996, which generally established patient privacy in a clinical setting.
The HIPAA Privacy Rule is the law that governs the privacy of patient data. The HIPAA Security Rule extended the Privacy Rule to the transmission of patient data on any electronic device, including a tablet, smartphone, or personal computer.
These HIPAA legislative regulations protect patient health information (PHI) and PHI transmitted on an electronic medium (ePHI). PHI includes a patient identifier and healthcare data. The identifiers covered under the law include:
- Name of patient.
- Date of birth.
- Social Security number.
- Phone number.
Healthcare data is defined as:
- Any health conditions or diagnoses.
- Payments to a healthcare entity.
- Treatments that the patient received.
The goal of these regulations is to offer a set of national standards for the privacy of the consumer. These rules apply to any covered entity, including providers, clearinghouses, health plans, and business associates.
The problem lies in the interpretation of the law, and whether video conferencing platforms like Skype or FaceTime violate protected health information as part of their standard service agreement. We reviewed the data and discovered that most standard video conferencing services designed for business or personal video conferencing do not meet all HIPAA rules.
Why Standard Video Conferencing Platforms are Not HIPAA Compliant
We’ve found that many providers think communicating electronic protected health information (ePHI) via Skype, FaceTime, Google Hangouts, or another standard commercial video conferencing platform is perfectly HIPAA-compliant. In fact, it is not. Let’s review the law under HIPAA in relation to two of the biggest video conferencing platforms, Skype and FaceTime, and see what they’re missing.
Skype and FaceTime are video conferencing applications for consumers and businesses to conduct meetings. There are similar applications on the market, including GoToMeeting and Google Hangouts. Unfortunately, none of these services appear to be HIPAA compliant for ePHI, although there is room for interpretation.
1. Commercial video conferencing services are typically not hosted on a HIPAA-compliant server.
There are several issues tied to HIPAA compliance that raise red flags for Skype and FaceTime as a telemedicine platform:
- Skype currently meets part of the government’s encryption requirements, but not all, according to the Veteran’s Press.
- By the same token, ZDNet calls FaceTime’s HIPAA compliance “debatable.” The HIPAA Journal suggests healthcare providers use vendors that provide telemedicine services specifically instead of trying to fit a commercial video conferencing platform into the “round hole” of HIPAA compliance.
- Healthcare Management Systems suggests that HIPAA guidelines require ePHI stored remotely to have a system to monitor and remotely delete the data. This falls into the area of administrative controls for backup and auditing at the server level. According to Comtech, Skype does not keep an audit trail, which is a HIPAA requirement. Comtech concludes, “Without these features, Skype simply isn’t HIPAA compliant.”
- Finally, Microsoft, which is the current owner of the Skype platform, lists the following in their data privacy policies:
In order to provide you with Skype products you have requested, Skype may sometimes, if necessary, share your personal and traffic data with Skype’s group companies, carriers, partner service providers and/or agents, for example the PSTN-VoIP gateway provider, wi-fi access services providers, distributors of Skype software and/or Skype products, and/or the third party banking organizations or other providers of payment, email delivery, analytical services, customer support, or hosting services.
2. Neither Skype nor FaceTime offers a BAA.
HIPAA requires that covered entities (physicians, hospitals, clinical practices) and their “business associates” (such as a video conferencing vendor) have business associate agreements (BAAs). A BAA dictates how the vendor will handle the ePHI, including security, backups, and policies to mitigate a data breach. With that said, some of the newer contracts under Skype for Business may allow a BAA.
3. Skype and FaceTime don’t allow for patient consent prior to the appointment.
HIPAA requires that providers receive a signed informed consent from the patient in order to proceed with the telemedicine visit. This is not something that is worked intuitively into Skype or FaceTime, or any of the other consumer or business applications, although, in theory, it can be.
Interestingly, there is a clarification from the U.S. Department of Health and Human Services (HHS) on a loophole called the “Conduit Rule.” The rule was designed for cloud-service providers (CSPs) that provide a pass-through service, such as instant messaging, with no storage of provider data. It’s one of the common arguments that suggest Skype or FaceTime are HIPAA compliant. In fact, Skype, FaceTime, or other video conferencing services do not fall under this loophole.
When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA. Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate. This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data.
“Orthopedic surgeons in particular will find that pressures to cut costs and maintain excellence in healthcare, even while reimbursements continue to decline and patient volume increases, are constant.”
Becker’s Spine Review
The statistics have shown us that telemedicine has a number of clear-cut benefits in the orthopedic practice, including:
- Increased compensation via improved patient volumes. Replacing an inpatient visit for a routine check with a shorter and less overhead-dependent telemedicine visit is one way to improve the bottom line of a practice.
- Increased convenience for the patient because the last thing many of them want to do is to have the hassle of an in-person visit for a five-minute exam. Patients with orthopedic injuries face the discomfort of getting to and from transportation, a trip to your office with the hassles of parking and traffic, and the time spent cooling their heels in your waiting room. When you “breeze in” for a quick consultation, we’ve seen patients grow frustrated. Is offering the alternative of a virtual visit something they might appreciate?
- Better quality of care because the patient will be less likely to skip a virtual visit. The telemedicine visit may even eliminate their use of the ER for an infection or other issues. Since the majority of ER visits are not urgent, this is one way to lessen cost in the American healthcare system.
While these are all clear benefits of the application, some providers are still reluctant to embrace change. Why would these skeptics finally adapt to this new way of providing care?
Why have these providers gratefully accepted what some would consider a “disruptive” technology? The answer is the same, whether it’s a more effective medication recently approved by the FDA, a revised orthopedic practice designed to decrease inpatient stays, or virtual visits; these are necessary practice improvements at a time when every visit should add “value.” Becker’s Spine Review notes that one of the biggest trends hitting orthopedic practices in the coming years will be declining reimbursement. Telemedicine applications allow orthopedists to streamline services in a way that benefits both the quality of patient care and the overhead of their practice.
When viewed in this light, adoption of a cloud-based subscription telemedicine application designed especially for the orthopedic practice not only makes sense – it’s a market-driven necessity.
Now that you can visualize the use of telemedicine in your practice, isn’t it time to see an OrthoLive demo in action? Contact us today.