Effective June 11, 2018, all Department of Veterans Affairs (“VA”) health care providers will be able to offer the same level of care to all beneficiaries regardless of the beneficiary’s or the health care provider’s location. In its recently released final rule, the VA stated that in December 2016 Congress mandated that the agency provide veterans with a self-scheduling, online appointment system, and that the agency meet the demands for the provision of health care services to veterans, regardless of whether such care was provided in-person or using telehealth technologies. As a general rule, most telehealth practitioners are required to comply with various and state-specific licensing, registration, and certification requirements in order to render health care services via telehealth. Failure to do so can potentially jeopardize a practitioner’s professional credentials and could expose them to penalties including fines and imprisonment for the unauthorized practice of medicine or other health care services. These state-specific requirements create certain challenges for telehealth practitioners seeking to practice across state lines.

Therefore, in order to address the mandate issued by Congress, the VA developed and published the final rule to supersede these state-to-state regulations by clarifying that VA health care providers may exercise their authority to provide health care services via telehealth, notwithstanding any state laws regarding licensure, registration, or certification requirements that might be conflicting with taking these actions. Essentially, the VA is exercising its authority as a federal agency to preempt conflicting state laws relating to the practice of medicine or other health care services via telehealth. These efforts by the VA are designed to better protect its health care providers from potential enforcement actions by individual states and/or their respective professional boards, provided that these practitioners are providing telehealth services within the scope of their VA employment.

It must be noted that the final rule’s scope is narrow and only applies to health care providers who are employed by the VA. The final rule does not cover contractors, including health care providers who are participating in the Choice Program. The final rule also does not expand the scope of practice for VA health care providers beyond what is required or authorized by federal laws and regulations or the laws and regulations relating to the practice of medicine or other health care services that are dictated by the state(s) in which the health care provider is licensed to practice. Additionally, the final rule does not affect the VA’s existing requirement that all VA health care providers must adhere to all applicable laws and regulations regarding prescribing and administering of controlled substances, which not only obligates a provider to comply with such laws in the state(s) where he/she is licensed to practice, but also with the federal Controlled Substances Act.

Among the public comments submitted in response to the VA’s proposed rule, published October 2, 2017, the Federal Trade Commission, an agency that has been a big proponent of efforts to expand access to telehealth services, applauded the amendments to the VA’s regulations, stating that it will “provide an important example to non-VA health care providers, state legislatures, employers, patients, and others of telehealth’s potential benefits and may spur innovation among other health care providers and, thereby, promote competition and improve access to care.”

Telehealth providers and stakeholders should closely follow the VA’s progress as the agency works to implement the final rule. Any resulting successes, as well as any failures, may meaningfully impact the continued expansion and adoption of telehealth technologies and services among the private and commercial sectors, as well as potentially influence continued state legislative efforts in this developing area.

Is Skype HIPAA-compliant? This is probably the question I get asked the most. For the sake of this post, I am using the term Skype to include Skype and similar free web-based communication platforms relying on proprietary voice over Internet technology.

As with so many things, the answer is complicated. But the question itself is misleading. Many vendors and manufacturers market their technology and products using terms such as “HIPAA compliant.”

However, products or technology cannot themselves be “HIPAA-compliant.” Hospitals, providers, and other covered entities are the ones who are either “HIPAA-compliant” or not. In other words, it is providers and practitioners that need to be “HIPAA-compliant” not products or technology. Covered entities do need to ensure that any technology or products they use be compatible with HIPAA standards so that they, as covered entities, can comply with their HIPAA obligations.

So, the real question should be whether Skype or similar platforms are compatible with HIPAA standards. And the use of Skype raises many HIPAA issues:

  • Many platforms are proprietary
  • Cannot reliably develop and verify an audit trail
  • May not know when a breach of information occurs
  • No way to verify  transmission security
  • Lack of integrity controls

Among other things, the HIPAA rules require:

  • Access control
  • Audit controls
  • Person or entity authentication
  • Transmission security
  • Business Associate access controls
  • Risk analysis
  • Workstation security
  • Device and media controls
  • Security management process
  • Breach notification

The use of web-based platforms, especially those that are proprietary, may make it difficult for health care entities to meet some of these obligations. At the very least, I think that use of web-based platforms for patient communication carries higher risk of potentially violating HIPAA rules. And this is becoming increasingly important with all of the heightened HIPAA enforcement activity we have been seeing.

The Health Information and Trust Alliance and other organizations generally recommend against the use of Skype and similar platforms for communications involving health information. All of this does not mean a telepsychiatrist or other professional should not use Skype to communicate to patients—only that they be aware of the increased risk. There are some things I would recommend providers consider to better protect themselves from potential HIPAA liability:

  • Request audit, breach notification, and other information from companies
  • Have patients sign HIPAA authorization and separate informed consent as part of intake procedures when using web-based platforms
  • Develop specific procedures regarding use of Skype, similar platforms (interrupted transmissions, backups, etc.)
  • Train workforce on the use of these platforms
  • Exclude the use of these platforms for vulnerable populations (i.e., severely mentally ill, minors, those with protected conditions such as HIV)
  • Limit to certain clinical uses (i.e., only intake or follow up)
  • Use secure platforms with audit trail, breach notification, other capabilities

Ultimately, my view is that providers proceed with great caution when using Skype or similar platforms. The beauty of Skype is that it is free. Of course, it is always better to use fully encrypted and more secure technology when dealing with patients. But I realize that is not always an option given costs and logistics. So, if providers choose to use Skype, they may want to start by considering some of my recommendations.