Can You Afford a HIPAA Violation?

In June of 2012, the Alaska Department of Health and Social Services agreed to pay $1.7 million to the United States Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule arising out of the loss of a portable USB thumb drive containing electronic protected health information (ePHI).

In September of 2012, Massachusetts Eye and Ear Infirmary agreed to pay HHS $1.5 million to settle potential violations of the Security Rule arising out of the theft of a laptop computer which contained a large amount of patient information.

In each case, the HHS Office of Civil Rights charged that the providers had failed to take necessary steps to comply with certain requirements of the Security Rule, including:
  • conducting a thorough analysis of the risk to the confidentiality of electronic protected health information (ePHI) maintained on portable devices;
  • implementing security measures sufficient to ensure the confidentiality of ePHI that they created, maintained, and transmitted using portable devices; and
  • adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices.

Both of these cases involved the theft of devices which contained massive amounts of unencrypted patient data. There was no evidence that any patients sustained any actual damages as a consequence of the theft of any of this information, but damages are not an essential element of the violation, and as one can see, the settlements were substantial.

And lest anyone think that the HHS watchdogs only go after the big players, in January of 2013, Hospice of Northern Idaho agreed to pay $50,000 to settle potential violations of the HIPAA Security Rule in another laptop theft case. This is the first settlement involving a breach of unsecured ePHI affecting fewer than 500 patients. It is unlikely to be the last.

The American Telemedicine Association, which advocates for wider use of telemedical technology, has projected enormous growth in the field over the next few years, and the number of companies with links on its principal website is long and varied. Most of these companies fall under the HIPAA definition of “business associates.”

A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate (emphasis added). The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. To learn more about business associate agreements, and see a template for what HHS believes such an agreement ought to contain, visit http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html?gclid=CO3k4sTB17YCFe4DOgodT0QAkw.

It seems to me that any prudent practitioner thinking about using telemed conferencing ought to be asking her or himself at this point, “What are the risks to me and my practice of using a free VOIP technology like Microsoft’s Skype®, especially if, in the future, Microsoft decides to change the company’s Terms of Service to allow them to target advertising to users based upon the content of their communications?”

It seems clear that, to be HIPAA-compliant, a videoconferencing service must be willing and able to sign a business associate agreement. Skype and other free services do not offer this. SecureVideo.com does. We also offer live technical support, which free services can’t provide. And free services simply can’t offer the superior video quality and features needed for a professional office–we can.

To learn more about SecureVideo.com, visit our website at http://www.securevideo.com/.

Stephen C. Taylor
General Counsel
SecureVideo.com

Informed Consent & Telemental Health

As with mental health services delivered face-to-face, clinicians working through videoconferencing must obtain Informed Consent.  The consent must be obtained at the start of services and in real-time.  Local, regional and national laws for consent must be followed and clinicians must fully understand requirements.  If written consent is required, then electronic signatures may be used, assuming there are no restrictions in the relevant jurisdiction.

The consent form used for videoconferencing must include all the information that would be included if the session were face-to-face, such as the nature of the service, record keeping, potential risks, confidentiality, mandatory reporting, and billing.  In addition, the consent must contain information about videoconferencing.  The American Telemedicine Association recommends that this include limits of confidentiality with electronic communication, emergency plan, record keeping, potential for technical failure, coordination of care with other professionals, protocols for contact between sessions, and conditions for which a referral may be made for in-person treatment.  The consent must also be presented in a language easily understood by the patient.

SecureVideo cannot provide legal advice and strongly encourages providers to consult with their professional association, legal counsel, and the American Telemedicine Association for more information.

A Brief History of Telehealth

Telehealth has been the story of a “revolution” that never quite materializes.  That has changed, with experts projecting the market to grow at 20% annually over the next several years.  “Telehealth” is a term used broadly to encompass interactive videoconferencing, electronic exchange of information, remote monitoring of vital signs, patient portals, and more.  “Telemedicine” is a closely related term that refers to the actual delivery of remote clinical services.  These services are increasingly available using standard internet connections, computers, tablets, and smart phones.

Early Days

The roots of telehealth go back to 1906 when Dr. Willem Einthoven, inventor of the EKG, devised a way to transmit this data over telephone lines.  Understanding the potential of communication technology to transform medicine, a 1920s Popular Science magazine foretold of “radio doctors.”  But, the first incarnation of modern telehealth can be traced to 1955 when a remote clinic in Nebraska established a closed circuit TV connection with a hospital 100 miles away.  By the year 2000 videoconferencing between medical facilities was fairly common in rural areas, but far from ubiquitous.  Adoption of telehealth has been slowed by:

  • Restrictions in Medicare, Medicaid and private insurance reimbursement;
  • Requirement to purchase a dedicated, hardware-based videoconferencing system;
  • Reliance on grants to launch and sustain programs.

Recent Developments in Videoconferencing

Internet-based videoconferencing has improved greatly over the past few years and is now possible on most computers.  A web camera and noise cancelling speaker/microphone (or headset) are the only additional requirements, and these are built into many newer machines.  The latest generation of tablets produces satisfactory quality, even over 4G networks.  All these factors have changed the landscape for videoconferencing and reduced the financial barrier to entry.

Reimbursement & Policy Issues

Reimbursement policies are also changing in support of videoconferencing, further accelerating adoption.  Some examples of these changes:

  • 16 states require that private insurance reimburse services delivered via telehealth and more are expected to follow soon (as of March 2013);
  • The Affordable Care Act and mental health parity have created opportunities for telehealth;
  • In 2012 legislation was introduced that allows providers affiliated with the Department of Veterans Affairs to deliver telehealth services across state lines, eliminating a requirement that the providers be licensed in the same state as their patients.

The Future of Videoconferencing in Health Care

While some providers will work with patients extensively using videoconferencing, most will only use it on an as-needed basis.  Still, medical professionals across all specializations will be expected to have this capability.  This includes primary care, psychiatry, psychology, care managers, translators, dermatology, and emergency.  It will be used to conduct follow-up sessions, minimize no-shows, determine if an in-person visit is necessary, provide services while patients are traveling, etc.  Medical professionals will also use this technology to better collaborate with other professionals.

The three keys to this are 1) the availability of inexpensive devices that produce high quality videoconferences, 2) ubiquitous internet availability, and 3) virtual meeting rooms that are easy to access, HIPAA compliant and inexpensive.  The good news is that the time is now.  So get ready, because the telehealth revolution will be videoconferenced.  At SecureVideo we’d like to help make this dream a reality.

So You Think Skype is HIPAA-Compliant?

By Stephen C. Taylor, General Counsel

SecureVideo.com

HIPAA – or as it is formally known, the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 – substantially codified the way health information for virtually all Americans must be handled. Sections 261-264 of the law require the Secretary of Health and Human Services (HHS) to promulgate standards for, among other things, the electronic exchange, privacy and security of health information by those subject to its provisions (what the law and regulations call “covered entities”).

Virtually every health care provider in America who electronically transmits health information is a covered entity.

Nothing in the law proscribes videoconferencing, which – as my colleagues elsewhere on this site have described – can, in many instances, be a vastly more efficient method of conferring with a patient in a remote location, or with another provider in a distant location. But such teleconferencing, which has acquired the popular sobriquet of telehealth, is nevertheless subject to the requirements of HIPAA.

Some health care practitioners have considered using the popular VOIP (voice-over internet protocol) videoconferencing software known as Skype ®, which has grown swiftly in the last five years or so. One of the reasons for this spectacular growth could very well have been that its developers in Luxembourg had taken steps to make the service one of the most locked-down and encrypted services available for such communication.

But, as reported by Eric Jackson in Forbes last July, when Microsoft (MS) acquired Skype in May of 2011 for $8.5 billion, observers wondered how MS could justify paying so much for a service that most users pay nothing to use and lets them communicate for free with other users. MS responded by saying that they simply wanted to own the world leader in VOIP.

Well and good. But in June of 2011, MS was granted a patent for “legal intercept” technology designed to be used with VOIP services (like Skype) which would allow “silent copying of communication transmitted via the communication system.”

Perhaps this is pure coincidence. But the point is that, if Microsoft has changed the architecture of Skype – which they have neither confirmed nor denied, but which anecdotal evidence suggests has occurred – the use of Skype to transmit medical and health information could expose the practitioner who unwittingly does so to significant civil and criminal liability under HIPAA.

Civil penalties begin at $100 per individual instance of violation, and are capped at $25,000 per calendar year for multiple violations of the same type. Criminal penalties are tiered, depending upon the willfulness of the violation and the use to which the information is put, but the lowest tier carries a fine of $50,000 and imprisonment of up to one year.

SecureVideo.com offers a securely-encrypted environment for telehealth videoconferencing which is completely HIPAA-compliant. You can investigate further at http://www.securevideo.com.  But don’t take my word for it.  Practitioners are urged to consult their own attorney. But for heaven’s sake, do it before you decide to use Skype for telemedical conferencing.  You could be taking a big risk.

How to make a High Quality Videoconference

By Jonathan (JT) Taylor, Chief Technology Officer

SecureVideo.com

From a human perspective, a good videoconference is similar to a good movie.  In a good movie, there is a “suspension of disbelief”, whereby the viewer–initially well aware of being seated in a movie theater and thus disbelieving of the reality of images appearing on the screen–eventually suspends that disbelief to the point where the characters, actions, and conversations on the screen appear real.

Likewise, in a good videoconference, the participant is initially aware of communicating with the other party through a screen, camera, microphone, and speaker, but eventually this “disbelief” of in-person contact is suspended, such that after a few minutes both participants really feel like they’re meeting face-to-face.

The time-tested rules to achieve “suspension of disbelief” in videoconferencing are as simple to enumerate as they are complex to technically implement:

Rule #1) the video must be of a high enough resolution that each speaker’s eyes, hands, facial gestures, and body language can be clearly understood by each listener.

Rule #2) the audio must be clear enough so as to approximate the sounds the listener would hear if the speaker was in the same room.

Rule #3) the video and audio must flow smoothly and naturally, with no hiccups, stops, or gaps.

Rule #4) there must be no delays between the video and audio portions–when the speaker’s mouth moves, the speaker’s words must be heard at the exact same moment.

Sounds easy enough, right?  It is perhaps, until one considers the various “videoconferencing trolls” which lurk in the shadows of the internet to often confound even the most expert videoconferencers.  To get a high quality videoconference, each of these trolls must be avoided.

The Inferior Audio-Video Equipment Troll. As I mentioned earlier, in order to videoconference, each party must have a web camera and microphone–to send the video and audio–and a screen and speakers–to receive the video and audio.  (Many users prefer to use a headset, which combines the speaker and microphone functions, and also overcomes the pesky “Echo” troll.)

A web camera that has low resolution, supports only a low frame rate, or handles light contrast poorly, will break rule #1.  As will a low resolution, or very small screen image on the viewer’s end.  On the audio side, a microphone or headset that does not pick up the speaker’s words with the proper sensitivity and digital sampling, will break rule #2.  A low quality speaker on the listener’s end will have the same effect.

These AV Equipment trolls are theoretically simple enough for each participant to fix–it just requires spending some money (usually $50 is enough for a webcam, and $30 for a headset which contains both speakers and microphone).  However, more videoconferences than I can count have failed to achieve “suspension of disbelief” due to inferior equipment.

The Slow Computer Troll. Let’s say you’re in a videoconference, and everyone has cleverly avoided The Inferior Audio-Video Equipment Troll by having good equipment.  Your web camera and microphone are picking up your images and words really well, and sending them to your computer.  Now all your computer has to do is to encode those images and words into a digital stream of 0’s and 1’s and send them over the internet, and it has to do so at least as quickly as the 0’s and 1’s are arriving from your A/V devices.

But, alas!  It turns out that this encoding takes a lot of computer processing power (much more so than decoding, as it happens), and if your computer does not possess sufficient processing power, then your 0’s and 1’s will not be able to be sent to your videoconferencing partners at the same rate they’re arriving from your A/V equipment, and thus your videoconference will be defeated by The Slow Computer Troll, manifesting through the violation of rules #3 and #4 above.

To avoid The Slow Computer Troll, you simply need to have a good enough computer or device.  SecureVideo.com offers a computer speed test, so you can see whether The Slow Computer Troll is inhabiting your computer or not.  The latest Apple iPad (the iPad 3) runs a very lovely videoconference, so that could be a good way to avoid this particular troll.  If you want to stay with your computer to run the Troll out of town, you could consider a CPU (processor) upgrade.

Networking Trolls. If your A/V equipment and computer are high enough quality, unfortunately there is an entire phylum of Videoconferencing Trolls which threaten your blissful videoconference: The Networking Trolls.

(Hint: you can conduct a network speed test to check whether your network speed will avoid the Networking Trolls.)

Networking Trolls generally take one of three sub-forms:

The Firewall Troll. The Firewall Troll holds sway when there is a firewall between your computer and the Internet, as often happens when you’re on a corporate network.  In this case, The Firewall Troll (and his cousin, The Network Address Translation Troll) can often prevent videoconferencing connection altogether.  The solutions to this Troll are varied and generally complex.  At SecureVideo.com, we use a combination of Video Proxies, which restrict the videoconference to ports which are commonly unaffected by firewalls, and protocols such as STUN and ICE which are specifically designed to overcome address translation issues.  I have seen several other solutions to this problem in the field, most being variants of this approach.

The Low Bandwidth Troll. The Low Bandwidth Troll appears in the slower corners of the internet where bandwidth is less than 1 megabit per second: generally these are 3G and slower 4G mobile connections, many DSL connections, and corporate T1 networks with many users.  While the normal solution for this problem is to obtain a faster Internet connection, this is generally the most difficult to achieve, often involving high cost and lengthy lead times.  At SecureVideo.com, our platform uses a technology called “Adaptive Layering” to greatly mitigate this problem.

Adaptive Layering means that the 0s and 1s are not sent in a single stream which is then transmitted to all participants (which is how almost all other platforms operate.)  Instead, the 0s and 1s are arranged into a number of layers.  Participants who can receive the highest resolution streams receive all the layers and get a perfect experience.  Participants who cannot, receive only those layers which comprise the lower resolution stream.  In this way, the media streams are optimized for each participant.

The Intermittent Troll.  The Intermittent Troll is the King of all the Videoconferencing Trolls.  It is the most common, and the most obstinate.  The Intermittent Troll operates like this: let’s say all other Trolls have been mitigated, and the videoconference is going very well, and every participant truly has suspended their disbelief and now feels exactly as if they’re meeting in person.  Then, for one of the participants, their internet connection hiccups, either due to a routing glitch, network congestion, or a temporarily overloaded internet router somewhere between here and there.  For the vast majority of videoconferencing platforms, The Intermittent Troll will cause choppiness, gaps, freezes, and out-of-sync between video and audio.  Sometimes this condition even forces the participant to disconnect.

Dealing with The Intermittent Troll separates the top videoconferencing platforms from the also-rans.  The SecureVideo.com platform uses Scalable Video Coding (SVC) to solve the problem.  With SVC, when an intermittent network hiccup is encountered, the video (and occasionally the audio) resolution will be subtly and immediately adjusted, such that there is no interruption in the streams, and no syncing issue.  The only perceptible effect to the participants is that the background may get a little fuzzier, or in the extreme case, the entire video stream gets less sharp and perhaps even the audio loses a little clarity.  However, once the intermittent condition resolves, the software automatically and quickly adjusts back to the maximum resolution.  From a suspension of disbelief standpoint, it is similar to a part in the movie where one thinks momentarily about other roles one of the actors has played, but quickly reabsorbs back into the plot line.  In my many years in videoconferencing, the SVC technology is the only effective way I have ever seen to deal with that King of videoconferencing trolls, The Intermittent Troll.

The Echo Troll. The last major Videoconferencing Troll is The Echo Troll.  The Echo Troll manifestation is where a speaker hears himself speak, on a slight delay, as he speaks, which has a most disconcerting effect.  It is generally caused by a listener’s microphone and speakers placed too closely together, whereby 1) the talker speaks; 2) the sound comes out the speaker of the listener; 3) the same sound enters the microphone of the listener; 4) that sound is sent back to the talker’s speaker; and, finally, 5) the talker is quickly driven insane.

Headphones are a great way to deal with the Echo Troll, as is an echo cancelling speakerphone, such as the Phoenix Duet series.  If you don’t have headphones or an echo cancelling speakerphone, then to defeat the Echo Troll it is necessary to move the microphone and speakers as far apart as possible.

If this is not possible, as with a laptop which may have built in microphone and speakers, then you’d better hope the video-conferencing platform supports echo cancellation.  Which many don’t, but of course, SecureVideo.com does.

So What?

My #3 hope is that this blog entry will have educated you significantly about how videoconferences work, the possibility to achieve “suspension of disbelief” on a high quality videoconference, the requirements to actually achieve a high quality videoconference, and why it can often be so difficult to achieve high quality due to the many Videoconferencing Trolls which can so easily harry and peck at your meetings.

My #2 hope is that you have an excellent remainder of your day, after having read this blog entry.  If this happens, I wouldn’t presume to take credit for it, but then you never really know, right?

My #1 hope is that after reading this, you’ll realize that no videoconferencing platform on this planet is as effective in shutting down the Videoconferencing Trolls, and thereby creating real “suspension of disbelief”, as SecureVideo.com, and you will see the light and sign up this very moment for a 30 day free trial so that you can see the quality difference for yourself.

Even after as few as 2 or 3 videoconferences, I believe that you’ll start to see what I’m talking about: that a high quality videoconference will make you feel like you really are in the same room as the other person, and after exchanging the subtle nonverbal cues, facial expressions, body language, and eye contact, you will be truly amazed at the power of our technology.