HIPAA Compliant Video Conferencing

Part
01
of one
Part
01

HIPAA Compliant Video Conferencing

GoToMeeting, Zoom for Healthcare, Vsee, Doxy.me, SimplePractice, Mittel, and RingCentral are all providers in the telehealth market. An analysis of their product offerings are detailed below. The information is based on the product material available for each company. Unfortunately, there is very little detailed information available, as it seems to be the companies' overwhelming preference to give limited information and force an engagement with the consumer. The second part of the report addresses ethical issues around telehealth in the group therapy setting. Despite an extensive search, almost no feedback regarding the concept was publicly available on social media, Reddit, or mental health forums.

HIPAA COMPLIANT PLATFORMS

GoToMeeting

  • GoToMeeting is the communication platform developed by LogMeIn, who claims to "connect healthcare providers with the patients who need them, no matter where they are. With secure, simple tools, doctors, hospitals and healthcare workers can get critical work done remotely."
  • Although GoToMeeting is a HIPPA compliant platform, it is a communication platform. This means it does not integrate with medical software products that provide electronic health records, referrals to other providers, access to laboratory or radiology results, or insurance related services. Nor does it integrate with medical devices.
  • GoToMeeting integrates with Slack, Microsoft 365, Outlook, CirqLive, Decebo. Google Chrome, G-Suite, Microsoft Teams, Procore, Saleforce, Zscaler, Active Demand, Calendly, Theta, ZohoCRM, Acuity, and ZIpchat.
  • GoToMeeting has a video conferencing feature, allowing 25 high definition video feeds and up to 250 people to join any one session. This is using GoToMeeting Plus. The number of video feeds and attendees are plan-dependent.
  • Informed consent is not addressed in any of GoToMeetings protocols. The medical professional would need to discuss this independently with their patient. Similarly, insurance and billing would need to be addressed outside of the platform.
  • The exact security and encryption protocols adopted by GoToMeeting are not disclosed. The company has said "GoToMeeting uses robust encryption mechanisms and protocols designed to ensure the confidentiality, integrity, and authenticity for data that is transmitted between the LogMeIn infrastructure and users and for cloud recordings, transcriptions, and meeting notes stored within LogMeIn systems on behalf of its users."

GoToMeeting User Feedback

  • Unfortunately, Logmein does not distinguish the different verticals on its social media accounts. This means it is difficult to ascertain the product that various comments related too. In any event, there was very little comment on social media that discussed the merits of the product on offer.
  • The following comments have been made by users regarding the GoToMeeting platform:
    • One user was concerned about the lack of a password saying "Does anybody know why GoToMeeting does not activate mandatory meeting passwords? As default there is "no" password needed when creating/planning a meeting. Why are they making the same mistake as many other video-meeting-companies in the past?" It is unclear if this related to the health offering.
    • When concerns were raised about tracking, this user had this comment, "I think it's only user-tracking/logging, as it's an entry in one of my standard pi-hole blocking lists. GoToMeeting is working without any issues while blocking this entry. Even the meeting-reports sound/video/network will be shown. So it looks like it is only user-tracking."
    • Despite an extensive search of social media and Reddit forums, no comments or feedback from users relating directly to GoToMeetings telehealth performance could be located.

Zoom for Healthcare

  • Zoom for Healthcare is a communications platform keeping healthcare professionals connected and compliant. It uses 256-bit AES encryption. Communications are established using 256-bit TLS encryption. Screen watermarks, pass codes. email domain names, meeting locks, and personal meeting identification protocols have also been developed to improve security.
  • Unlike some of its competitors, Zoom for Healthcare has the capability to integrate with medical devices and electronic health records. The online information states Zoom for Healthcare "allows medical professionals to, "examine and treat patients virtually with far-end camera control, electronic health records, and medical device integrations, and intraoperatively in telehealth carts."
  • Epic is the electronic patient records system preferred by most medical professionals, with 45% of the US populations' records stored within the Epic system and more than 250 healthcare organizations subscribing to the technology. Unfortunately, no further information is available, with consumers directed to contact the company directly for details. Epic can be fully integrated with Zoom for Healthcare.
  • Screensharing is available within meetings. This means that laboratory and radiology results and imaging, and other pertinent information can be viewed by those in attendance.
  • Informed consent is not addressed in any of Zoom for Healthcare protocols. The medical professional would need to discuss this independently with their patient. Similarly, insurance and billing would need to be addressed outside of the platform.
  • There is provision within Zoom for Healthcare for behavioral and mental health programs with virtual counseling on a one-to-one basis or through group sessions.
  • Zoom for Health can facilitate 1,000 participants and 49 videos on screen with its video conferencing options.

Zoom for Healthcare Feedback

  • While Zoom has social media accounts, there is no specific account relating to the health offering. No comments relating to the health offering could be located on the general Zoom account.
  • There were no Reddit forums or user comments relating to Zoom for Health.
  • The only user comments located were on the Zoom for Healthcare website:
    • "Other applications don't allow for multiple members to join in a HIPAA-compliant setting, but Zoom does. Doctor, patient, and family members can be in the conversation."
    • "Ten thousand people a day are turning 65, and that will be the case for the next 16 years, That’s too many people to house in senior care buildings and staffing enough caregivers for residents is not possible....Zoom provide a virtual presence, gestures and the ability to look around. This increases the value of the CARE Network kiosk because care managers can literally see more, effectively collecting more care giving and status information"

Vsee

  • Vsee is a dedicated telehealth platform meaning the platform has been designed specifically for the medical profession rather than adapted to accommodate telehealth. Vsee allows patients to schedule their follow-up appointments, automatically generates confirmation and reminder information, enables the immediate review of patient notes, and generates e-prescriptions.
  • Vsee can be integrated with medical devices such as health-trackers, AI symptom checkers, electronic prescriptions, and ECG monitoring devices. Although Vsee does not explicitly state there is the capability to make referrals within the software, the company's ability to build a customized system suggests that these capabilities could be incorporated on an individual basis.
  • The backend of Vsee allows medical professionals to set payment amounts and generate patient invoices. Customized options include intake forms, trialing, electronic health records, SOAP, payments, and Medline Plus and GoodsPx. Insurance is not explicitly discussed, but would likely require customization if it is to be incorporated.
  • The product offered by Vsee adheres to all security and encryption protocols required under HIPPA. Absolute confidentiality within the video conferencing environment is ensured as all traffic is encrypted with FIPS 140-2 compliant 256-bit advanced encryption standard. A managed peer-to-peer architecture protocol has been used as the foundation of the Vsee platform. This means that video is streamed endpoint to endpoint.
  • Vsee can be customized to enable it to appear as a feature in the apps of any healthcare provider.
  • The customization of Vsee to meet the individual needs of each healthcare provider suggests that video conferencing options including the maximum number of attendees are customized to individual needs. No data is included in the product information detailing any current maximums.

Vsee User Feedback

  • Vsee´s Facebook account had the following feedback:
    • "I have been a believer in the VSee system, but they fall very short of the mark with performance reliability. The customer service is virtually non-existent and is a major shortfall for future success. I hope they can get their act together. " He then posted an update, "Update: my response from calling customer service, where I had to leave a message and ask for a callback, came about 4 hours later when a service person called me at 9:30 pm! Utterly ridiculous and useless. They seemed surprised calling late in the evening, and away from my office computers, would be unacceptable. This company's management needs to take a long look at their customer service experience and operational metrics. I have no problem using other systems like Doximity or Doxy."
    • "I have used this service for over a year now and its reliability is spotty at best. When it works, it is great. But ....and I have very high speed internet on my end. I just had to cancel clients because of lack of reliability."
    • "Because they turned off free subscribers without telling them or giving notice. very unprofessional given its client in need. also no communication from customer services. they just cut people off without warning. A high risk strategy so they dont get bad publicity. Imagine if zoom did that. Mamood Ahmad well zoom are going to be making far more profit than Vsee now and I will gladly give them my business from now on. VSee isn’t a good enough platform to warrant a paid subscription."

Doxy.me

  • Doxy.me describes itself as "the simple, free, and secure telemedicine solution." There was relatively little information available relating to Doxy.me´s offering.
  • The free product delivered by Doxy.me lacks the features of some of the other companies providing telehealth solutions. However, by upgrading users can obtain access to additional features, including HD video, SD video, and audio calling.
  • Features that are not available with Doxy.me include medical device integration, electronic health record integration, insurance paperwork, referals, and access to laboratory and radiology results.
  • Although not explicitly addressed, Doxy.me does not appear to have video conferencing capabilities. Only one-to-one telehealth sessions are mentioned in product literature.
  • Informed consent is not addressed in any of the literature provided by Doxy.me.
  • The encryption and security protocols adopted by Doxy.me are not disclosed beyond the following statement. "We take privacy and security very seriously. We implement state-of-the-art security and encryption protocols to assure that data integrity and privacy is maintained. As a result, Doxy.me complies with HIPAA, GDPR, PHIPA/PIPEDA, & HITECH requirements."

Doxy.me Feedback

  • Patients said the following about Doxy.me:
    • "After a recent accident, going into the clinic was difficult. Being able to use Doxy.me to meet with my doctor was so convenient."
    • "I love the ease and simplicity of Doxy.me. I have really enjoyed having the option to meet with my provider from my home. It saves me a lot of time not having to travel to her office."
    • "I meet with my therapist on my lunch breaks while at work. Online visits have allowed greater flexibility with scheduling visits! I tell everyone to switch to online appointments!"
    • "I can’t believe how easy it was to meet with my provider. I’m not very technically savvy and Doxy.me was extremely easy to use. It’s amazing to meet with my provider at home."

SimplePractice Telehealth

  • SimplePractice Telehealth describes the security of its platform as being compliant with "HIPAA, HITRUST, NIST-CSF, PCI, ISO 27001/2, and CCPA frameworks. It includes security and privacy controls across 19 different domains, including but not limited to access control, data encryption and privacy, vulnerability management, vendor management, network protection, endpoint protection, risk management, and disaster recovery. The company goes on to describe its security as "bank level." Its platform servers are "housed in a facility protected by proximity readers, bio metric scanners, and security guards 24/7."
  • Informed consent is not addressed in any of the literature provided by SimplePractice.
  • SimplePractice is the only company providing a comprehensive approach to insurance coverage and payment. Claims can be created, submitted, tracked, and reconciled within the SimplePractice platform. Integrated payment reports for both primary and secondary claim filing are available when required. The features of the insurance aspect of the platform allow providers to add insurance modifiers to appointment and client profiles.
  • From a patient perspective, SimplePractice is a paperless system, enabling them to book, attend, and pay for their healthcare needs online. Patients are able to upload documents for their healthcare provider.
  • SimplePractice is more than just a communication platform enabling telehealth interactions. It is a complete practice management package, incorporating electronic health records. Billing is simple, and the system allows patient payments with Autopay and online credit card processing. It is unclear if medical devices are able to be integrated into the telehealth environment, as they are not mentioned on the SimplePractice website.
  • Screensharing means that vital information can be shared between the medical professional and patient during the virtual appointment including radiology and laboratory investigations.
  • SimplePractice boasts 96% practitioner satisfaction.

SimplePractice Feedback

  • The following comments are from TrustPilot:
    • "SimplePractice reduces a significant amount of admin. time for me as a sole provider without admin. staff. Providing telehealth sessions has been an easy adjustment. There are numerous videos to assist with learning this new system as well. A colleague recommended SimplePractice and I have been very pleased and relieved."
    • "I recommend this platform for all mental health professionals. I have found it extremely user-friendly regarding scheduling appointments, client access to their portal to fill out intake questionnaires and for completion of paperwork prior to session. Additionally, it has been user-friendly regarding billing and sending invoices. I have been very happy with Simple Practice and recommend it to others with no reservations."
    • "I’ve attempted numerous times to reach out via email and asked for a phone call multiple times. I was told they would determine if a phone call is necessary. Horrible customer service. I’m sorry I chose simple practice and will recommend to others that if they want to be able to reach a live person that they look elsewhere. I may be changing my emr very soon."
    • "The site is not user friendly. Customer service is email only. It typically takes more than 24 hours to get a response. The response doesn't necessarily take care of the question. They will "offer" you a strict 30 minute phone call but suggest you come prepared with all your questions--Customer Service not geared towards service. Clients complained of multiple hiccups on website. Not easy to take payments. Would not recommend."
    • "I like the format and I like the ability to dictate notes through the app on my phone. My biggest concern was when I have difficulties with billing I was never able to get ahold of someone on a telephone to explain what I needed. I did get ahold of someone through the chat but it seemed almost like it was computerized or they weren't understanding what I was needing and at the time someone did understand it was three weeks later and tgebaccount had been shut down and all of my notes had been deleted. They NEED TO BE AVAILABLE BY PHONE"

RingCentral for Healthcare 

  • RingCentral for Healthcare  is part of a range of different communication software packages aimed at several industries. Given the product has been adapted for various industries, it lacks some of the features present in products developed specifically for that purpose.
  • Essentially RingCentral offers a communication platform to facilitate telehealth appointments. It does not have the ability to allow the annotation of electronic health records or the integration of medical devices into this setting. There is no invoicing, insurance, or payment capacity within the product.
  • Informed consent is not addressed in any of the literature provided by RingCentral.
  • RingCentral complies with all security requirements by "instituting robust security measures at every level of our architecture and processes. These include the physical, network, host, data, application, and business processes, as well as the enterprise level of your organization." When transmitting, RingCentral "provides Transport Layer Security (TLS) and Secure Real-Time Transport Protocol (SRTP) encryption between all endpoints."

RingCentral Feedback

  • Feedback relating to RingCentral was not overly positive:
    • "Stay away from this company- Pathetic! I wish I could say anything positive about Ring Central- but from start to cancellation it was an absolute gong show. Signed up (sales person was actually very responsive), then my onboarding was with a man who had absolutely no interest in actual training on the platform. Rude and unprofessional. I received an apology and second kick at the can went no better. Then during porting of phone, was told that it was rejected as account # didn't match provider info even though an actual copy of the bill was uploaded! Went to my account rep and suprise, she went radio silent... So cancelled and specifically asked if porting would be cancelled as well, was told yes as it was rejected anyway- Guess what? Not only was it not cancelled- it took 4 business days for our provider to get it back as Ring Central had done an non authorized port! Run as fast as you can from these clowns!"
    • "Not worth it, not even close. Interface - not intuitive. Customer service - terrible. Last encounter, person hung up. And she had my call back number. Price - used to be competitive, now outrageous."
    • "Worst service EVER experienced. Failed to provide a dedicated fax line and was to credit us. Credit never received and upon yearly renewal insisted we pay for a line they failed to provide. To top it off, our c/c was declined (as a new card was issued when it was compromised) and instead of calling us, emailing us or providing any communication whatsoever, they simply turned off our business line, rendering our company dead in the water. Not only that we were locked out of online access to remedy and all calls into service were not returned. The fact they would simply turn off phones, especially when owed a credit, shows the maliciousness of their policies and lack of service. They allege they are working with me by trying to force me to pay for services they have never rendered with the promise of a credit, which they were supposed to provide last year and failed to do so, so why would I EVER pay again for something not delivered. Consumer law is on my side and they continue to ignore their responsibility, all the while my phones have been off!!"

Mitel

  • Mitel offers a complete cloud business communications service known as MiCloud Connect. It appears to be phone rather than video based. Although plugins can be used to third party apps such as Microsoft Teams or Skype to enable video calling.
  • Mittel states its product is "a customizable and secure unified communications solution that supports presence-based awareness, instant video communication and visual voicemail, as well as voice, email, text and chat conversations on any device - seamless communications made private."
  • This is the only information available in relation to Mittel´s health offering. It does not appear to have any features of the aforementioned products, and it does not appear that it is a telehealth platform. No user comments were located on the Mittel platform that were relevant to the provision of healthcare.

GROUP PSYCHOTHERAPY FOR HEALTH

Group Psychotherapy by Telehealth (CPT Code 90853)

  • CPT 90853 was implemented in March 2020 to enable patients' ongoing treatment during lock down due to the pandemic. It was added to the temporary emergency provision of services rules changes for Medicare. CPT Code 90853 is a group psychotherapy code aimed at physicians who are treating "individuals in group homes or who want to foster group interaction for those individuals under "stay at home" orders."
  • CBT 90853 extends medicare coverage to these sessions.
  • The emergency provisions, including CBT 90853, will remain in force until 23 October 2020, according to an announcement on 27 July 2020, extending them to that date.

Informed Consent

  • As part of the informed consent process and pursuant to the APA guidelines, it is important the group leader "describe at the outset the roles and responsibilities of all parties and the limits of confidentiality" when telehealth options are being considered in a mental health setting.
  • One of the difficulties in conducting group sessions in the mental health context via telehealth is that while the physician is required ethically to maintain all members' confidentiality, in most states, the group members are not subject to the same legal or ethical obligations. This presents as an issue in any group psychotherapy setting, but in the telehealth context, there is greater potential for abuse, including:
    • Attendance by a member at a non-secure location where a non-member is privy to the content being discussed and the participants in the group;
    • The recording or screenshotting of group members; and
    • The use of recorded material to identify members (and the possibility of extortion).
  • Given the serious consequences of these disclosures and the heightened risk when the group therapy is being undertaken by telehealth , the APA suggests that members be given the option of not showing their face, wearing a disguise, using a fictious name, temporarily leaving the group, or finding another treatment modality.
  • The group leader should make sure group members read and sign an informed consent prior to the first session. It is essential the group leader ensures members understand the risks, benefits and limits to confidentiality associated with undertaking the sessions via telehealth.

Restrictions on Attendees

  • In order to attend a telehealth group therapy session, attendees must have access to a secure (non-public) internet connection.
  • The recording of any session or member is strictly prohibited. If the group leader or facilitator is going to record the session for supervision purposes, the written consent of all members is required.
  • Attendance is voluntary, but once committed to the therapy, members must attend all group sessions.
  • Members must connect from a secure, quiet, and private location, where there is no risk of ongoing interruptions while the session is taking place. No other person should be privy to the discussions or be able to view the feed.
  • Members must agree not to disclose the identity of other members.
  • Members must be online at the required time to minimize the disruption of late arrivals to the session.
  • Group leaders are able to remove members who breach these protocols from the group.

Platform Logistics

  • Any group therapy undertaken by telehealth must take place on a HIPPA compliant platform to ensure that the required security and encryption protocols are adhered too.
  • HIPPA compliant platforms include Wecounsel.com, iTherapy.com, and virtualtherapyconnect.com.
  • A platform must have access control so only those authorized can gain access, undertake auditing and tracking to monitor activity, and incorporate network and transmission security.
  • The legal logistics require practitioners undertaking this type of therapy to ensure they are conducting the sessions from a private location, have advised their malpractice insurance provider of the change to their practice, and have completed the required consent processes prior to initiating the first session.
  • This downloadable book discusses HIPPA compliance in more detail.

Session Recording

  • Generally, members, including the group leader, are prohibited from recording the sessions without all members' express written permission.
  • Should the group leader elect to record the sessions, having gained the members' consent, they have obligations placed on them in terms of the purpose of the recording and how it is to be stored.
  • Those with recorded sessions must ensure the data is safe and not accessible to anyone else. Recommendations include the use of encryption and secure cloud storage.

Data Sharing and Confidentiality

  • The rules around confidentiality and data sharing are the same as required in a physical setting.
  • Data should remain confidential and not be shared beyond the treatment team in most instances. Group leaders may use recordings in the context of clinical supervision.

Access to Patient Data

  • No one beyond the treatment team, patient, and patient representatives should have access to patient data Some information can be disclosed for medicare and insurance purposes..
  • Patients are allowed to view any information held about them. However, there are restrictions in a mental health situation when the state of mind of the patient is such that if it would pose a serious risk to their ongoing well being. Patients in those circumstances can be prevented from seeing their information until they are mental stable.

User Feedback

  • The following are comments from patients who have undertaken telehealth group therapy during the pandemic:
    • "I was averse to the idea of telemed appointments until this experience. I am finding this to be convenient and helpful. It has also helped me get past anxiety issues of interacting this way"
    • "I’m really happy that the program is functioning well to continue with the care of our children. Also, very relieved how the staff is handling and helping the kids remotely."
    • "There’s the ritual of coming in every week, sitting in that room on the same spot on the same couch in the same office. It feels incredibly comforting and safe. I think the environment part of it is very important for people"
Sources
Sources