How NOT to Run Your Online Practice

Writing for the Atlantic Online, Joseph Burgo describes his experience providing psychotherapy sessions over video as a mental health provider.

Burgo has some interesting things to say about expatriates and the psychological problems they confront. But his article suffers a major flaw: he doesn’t realize that his online practice is unethical.

That’s because he uses Skype for his patient sessions. It is well documented that Skype does not comply with HIPAA. Furthermore, Skype has always been in the hot seat for leaving a backdoor access to encrypted user data. Therefore, the private information that Burgo’s patients share with him may not be secure.

Mental-health providers should do their research before choosing a video conference solution. While Skype may be a household name, it has a poor reputation for being secure, and just doesn’t come across as a very professional video chat tool. Besides, there are more than a few alternatives. VSee’s Cloud Medical Office, for example, is 100 percent HIPAA-compliant, and we offer a complete workflow solution that allows psychologists to send prescriptions, schedule appointments, and keep their records secure.

Read more of VSee’s advantages over Skype.

TouchCare: a Hot Addition to Telemedicine

VSee is happy to welcome TouchCare to an already buzzing telemedicine market, where they join such big-hitters as MDLIVE, TelaDoc, American Well, Health Tap, and Doctor on Demand.

Here are two pieces of good news. Last month, TouchCare secured $4 million in venture capital. And at the same time, they introduced their new app in beta, which allows physicians to connect with patients through their smartphone or tablet.

TouchCare’s senior management is made up of former investment stars like Damian Gilbert. Their arrival in telemedicine is just more proof that, now that it’s becoming almost ubiquitous, smart investors see the opportunity for a gold rush.

TouchCare

And it’s not just venture capitalists getting in on the action. Insurance companies, too, see the need to provide their customers with better service through telemedicine. For nearly two years, Wellpoint has paid its member physicians to conduct video consultations with patients. And Anthem Blue Cross and Blue Shield is promoting an app for tablets and smartphones so that their members can access a doctor by video. In fact, you don’t even have to join Blue Cross / Blue Shield – you can sign up for LiveHealth Online and pay $49 for a virtual visit with a doctor. The service is already available in most states, and with Anthem having added the service to health plans in at least seven more states this year, you could be fully covered for all your video doctor consultations.

Yes, telemedicine is definitely the hot ticket right now. And this growth will only continue as people realize how telemedicine makes patients’ lives better.

RingMD: A New Telehealth App from Singapore

This very moment, several new applications and devices are entering the market. And the telehealth market is truly global. In Singapore, an app called RingMD launched this month. It promises to connect patients to doctors via smartphone. But for now, it appears limited to Southeast Asia. And it’s only available for Android devices (since it is using webRTC). RingMD has been around for a few years and has a dozen people.

ring md logo

You can read more about RingMD here. But it’s not clear from this article whether RingMD offers anything more than video chat. Most doctors need additional tools to schedule appointments and store records. But it appears that RingMD doesn’t offer any of that. Here is a review of virtual doctor evisit services for more information.

Which offers a nice segue to some exciting news. Next month VSee will launch a new product we call Cloud Medical Office. This brand-new service provides health care providers a complete practice of their own – including scheduling, file storage, and record archives – so that they never have to worry about putting together the right tools, but can run their entire office virtually and on-the-go.

Our CEO Milton Chen will debut Cloud Medical Office at the mHealth Summit in December.

Do-It-Yourself Telemedicine Solution for an Ebola Isolation Unit

CDC Ebola unit suit

Being on the front lines of Ebola containment is a frightening job. Protective measures include setting up check-in stations outside of the hospital, wearing heavy duty face shields and decontamination suits, duct-taping layers of gloves to sleeves, and using telemedicine technology. In fact, Nebraska Medical in the lonely Midwest has taken Ebola treatment and prevention to a new level with its use of HD video telemedicine and hands free medical technology. Using technology like digital stethoscopes, X-rays with wireless transfer, and real-time video allows it to keep Ebola treatment safe yet personal. It has successfully saved all two of its Ebola patients and has made Nebraska Medical a CDC model of care for fighting Ebola. It was also recently awarded a 10M telehealth grant by CMS.

VSee Lets You Do Telemedicine On the Cheap

However, you don’t need a 10M telehealth grant to set up a telemedicine isolation unit like Nebraska Medical – which uses Vidyo, a very expensive and complex system.  VSee simple, secure telehealth lets you set up interactive HD video telemedicine for your isolation unit in just about 2 hours. Unlike Vidyo and similar systems. VSee’s peer-to-peer platform does not require any complicated server setup or maintenance. Furthermore, VSee’s simple design allows you to easily integrate telemedicine devices without any additional equipment or complicated configurations. VSee even allows you to send up to 4 device images simultaneously so you can see both the patient’s face and the device images without toggling or doing special video mixing.

To start using telemedicine in your isolation unit, all you need is a few pieces of easily obtainable equipment:

Setting Up Ebola Telemedicine in Less Than 3 Hours

To set up your system, download VSee to your computers. For the isolation unit PC, configure VSee to auto answer mode: Go to the VSee address book, click Settings–>Preferences–>Automatically accept calls. VSee allows you to add only selected VSee accounts to auto accept calls to ensure security.

VSee auto call accept

To set up your PTZ HD camera: Go to the VSee address book, click Settings–>Audio and Camera Setup. Select your PTZ camera from the camera pull down menu.

VSee Camera Setup

And if you’re not ready to “do-it-yourself”, VSee offers a pre-configured isolation unit to get you started.  Please contact sales@vsee.com and join Dr. Gavin MacGregor-Skinner and other VSee users in fighting Ebola with telemedicine today.

 photo courtesy: CDC Global via Flickr

Zoom Is Not HIPAA Compliant

zoom hipaa compliant

Zoom, an online web meeting provider, has been marketing as itself as a telehealth solution. However, if you’ve done your HIPAA homework, it’s clear that Zoom isn’t ready for telemedicine. First, Zoom copied its HIPAA faq’s almost directly from VSee’s old HIPAA page. Second, it hasn’t bothered to keep up with discussions of the HIPAA rules since then. This leads to the problem that unlike VSee and Vidyo, Zoom does not sign Business Associate Agreements (BAA) required for HIPAA compliancy.

In a PDF downloaded from their website, it claims that “Zoom never has access to any information, health or otherwise, that you may observe, transmit, or receive by using Zoom, and therefore is not a business associate under HIPAA rules.” Thus, it is saying that signing a BAA is not necessary for it to be compliant with HIPAA.

It’s true that early on when the HIPAA Final Rule (or Omnibus Rule) first went into effect on January 23, 2013 (covered entities had another 6 months to actually get their papers and policies in line), there was a lot of confusion about whether video calling services — Skype, Vidyo, VSee, WebEx, Zoom, etc.– were exempt from being a Business Associate (BA) under HIPAA’s “conduit exception.” (HIPAA only mentions the post office and telecommunication carriers as specific examples of the conduit exception).  For example, according to Dr. Ofer Zur, author of The HIPAA Compliance Kit:

The Final Rule seems to state that in order to be exempt from serving as a BA, the software must only be transmitting the data (as Skype does) and must have no access to that information. The conduit rule is a rule that exempt a company from being a HIPAA Business Associate only if it:

 

1) Only transmits the encrypted PHI and
2) Never has access to the encryption key.
According to some experts the fact that Skype can give information to law enforcement (as it has been known to do) means they have access to the encryption key, which means they must serve as a BA. However, Skype neither provides a BA Agreement nor claims to be HIPAA Compliant.

The issue, however, was cleared up by HIPAA’s enforcing agency, the Office of Civil Rights (OCR) at the Department of Health and Human Services, by the end of 2013. In fact, VSee was able to make direct contact with an OCR representative to find out whether the “conduit exception” applied to VSee and other videoconference vendors.

Yip Fong, the OCR representative we talked with confirmed that a BAA would be required for its healthcare customers. She noted that even though patient health information (PHI) isn’t “stored” or “maintained”, it is “transmitted” over the Internet which is always susceptible to a breach despite strong security measures. Therefore providers must enter into a BAA with such vendors.

Would Zoom Take Responsibility for a HIPAA Privacy Breach?

In the end, the question is who is going to take responsibility in case of a personal health information (PHI) leak. Consider, even if you apply Dr. Ofer’s understanding of the HIPAA “conduit rule” Zoom still wouldn’t be exempt from being a BA. While Zoom encrypts the data they transmit, the encrypted video is in fact first transmitted to its servers which have full access to the raw video. In other words, Zoom has access to the encryption key, and this is a major architecture hole for leaking patient confidential information.

Furthermore, HIPAA is also clear that even something as simple as saying patient X had a call with doctor Y is considered PHI.  Leaking such personal health data can mean fines of up to $1.5M per patient. Conducting a telemedicine session with Zoom makes a provider that much more vulnerable to such leaks.

For example, suppose you are a therapist specializing in depression and you use Zoom to make an appointment with me.  Zoom knows that I talked with a depression therapist, and people can infer that I am depressed.  If Zoom accidentally leaks this information out – who is responsible? Clearly, Zoom should be responsible since it is the one that revealed a patient condition. Thus, Zoom should be signing BAAs if it wants to be HIPAA-compliant.

Moral of the story: if you’re looking into telemedicine video, do your homework and make sure you’re working with a HIPAA-compliant video provider who knows the rules.