Page 1 of 1
A sharp rise in the availability of telehealth benefits has opened up new opportunities for mental and behavioral health counseling, as well as challenges for health care providers, employers and employees.
“The COVID-19 pandemic has created an unprecedented mental health crisis” with increased cases of depression, substance abuse and suicide, said Dennis Urbaniak, executive vice president of digital therapeutics at global pharmaceutical company Orexo. “The ability to receive care regardless of a person’s geographical location or proximity is obviously appealing, particularly when it comes to mental health care, which unfortunately continues to be surrounded by stigma, especially in the workplace,” he pointed out.
Employees in small cities that might not have enough local demand for a certain type of group can still get the support and resources they need by connecting with others, who could be located literally around the globe, Urbaniak noted. So it’s no surprise that virtual mental health care options have been on the rise.
At Voya Financial, chief HR officer Kevin Silva said that while telehealth options for acute physical care were already available to employees pre-pandemic, these options have been expanded to include primary care and mental health care. “Telehealth visits spiked for Voya in 2020 and have yet to return to pre-pandemic levels,” Silva shared. “Many employees prefer the convenience of telehealth [for physical and behavioral health visits] and it’s beneficial to employers because appointments are quicker with less impact to productivity.”
Virtual care is also being further automated through artificial intelligence, so that sometimes the “doctor” an employee may be interacting with isn’t a doctor at all. Wysa, an AI- and human-driven digital mental health app, provides counseling and support delivered by both credentialed mental health counselors and an AI chatbot available to employees and other users 24/7. The AI chatbot uses AI-CBT (cognitive behavioral therapy) to help people through their challenges and adapts to their unique situations based on their responses.
Many employees continue to feel isolated and anxious as remote and hybrid work continue. The opportunity to get together virtually to share concerns or participate in group treatment options can help.
Zoom, the popular app for holding online business meetings, is now being used by some mental health services providers as a virtual venue for behavioral group therapy or disease management support. For example, BrightView, an addiction services treatment provider in Cincinnati, facilitates virtual group therapy via Zoom to “help provide a safe environment [for patients] to heal emotionally, connect to others who understand your background, express your ideas, reflect on your experiences, and engage in support,” according to the organization’s website.
Psychotherapist Sean Grover described how during the pandemic he began using Zoom for therapy groups he had formerly held in his New York City office. “I didn’t have high hopes,” he wrote. “I decided not to charge for the first Zoom sessions because I was confident that online therapy groups would be a snoozefest. … I was wrong. From the first session, I could see that group members [were] starved for contact. They were thrilled to see each other.”
Zoom groups provide more flexibility for busy patients, Grover noted. Due to schedule conflicts, illness, child care and other priorities, group members often “would have to miss the session or even drop out of group. Now they call in from home, the office or other locations.”
As the pandemic wanes, Grover continues to offer Zoom sessions for individual and group therapy, as do other therapists, although some have raised concerns over hacking risks (see the discussion of privacy issues, below).
The early evidence suggests that virtual care for mental and behavioral health issues is effective. Virtual care provider Teladoc’s 2021 Mental Health Survey of 2,253 U.S. adults found that:
Despite the promise of this technology to serve a wide range of needs while improving access and even reducing costs, there are some caveats to be aware of. For instance, the Teladoc survey showed that:
Using Zoom for group therapy does pose the potential for privacy risks.
It’s better to hold such group meetings in a specific telemedicine tool, since health tech vendors typically take extra steps to ensure end-to-end security of their customers’ health data in such apps versus Zoom.
Concerns over data privacy were also raised by Dr. Mark Kestner, chief innovation officer with MediGuru, a telehealth services provider.
“The data generated by the virtual visit must be compliant with privacy standards and integrated into the clinical plan to measure the quality and outcome of care,” he said. “While the thought of ‘care anywhere’ is intriguing, there are limitations on the clinical force, such as state licensure and credentialing for the service.”
The COVID-19 pandemic has caused many employers now operating remotely to conduct meetings via video conference – which has created a whole new set of various privacy and cybersecurity concerns. While these remote work tools have facilitated a more personal connection and interactive experience, their use is fraught with privacy concerns you may never have before considered. If your organization is weighing its options or unaware of the risks these services may create, this article provides a 10-point plan to protect your personal and confidential information and ensure you remain compliant with various federal and state privacy laws.
The Risks of Video Conferencing
Before diving into the blueprint for compliance, it is first helpful to understand the three main risks of video conferencing.
“Zoom-Bombing”
Since the start of the COVID-19 public health emergency, the FBI has noted a substantial increase in the number of businesses and schools reporting instances of video conference “hijackings” (also known as “Zoom-bombings”). During these hijackings — which generally occur where a video conference link is shared over social media or is not password-protected — uninvited participants have disrupted meetings by interjecting inappropriate language or displaying hateful or pornographic images into business meetings.
Aside from unwanted disruptions, uninvited interlopers pose a more serious threat. Those that choose to remain undetected could lead to the unauthorized disclosure of personal or confidential information.
Insufficient Or Non-Existent Encryption
Many video conferencing companies tout their services’ encryption capabilities. However, these claims should be closely scrutinized. By way of example, the video conferencing platform Zoom has indicated that hosts may “enable an end-to-end (E2E) encrypted meeting.” This was reportedly proven to be untrue. The company was supposedly able to access user data and video conferences in transit and it was reported that it could be compelled to provide access or information to the government if such a request was made.
Additionally, the storage of recorded video conferences creates other issues. Thousands of Zoom conference recordings were recently found on an unsecured online storage platform. Prior to Zoom restricting access to their storage location, anyone with an internet connection could access the private and confidential meetings of countless users. Likewise, if your business does not store its recorded conferences in a secure manner, there is a substantial possibility that an unauthorized individual may gain access to their contents.
Inadequate Privacy
Video conferencing raises privacy issues on two fronts. First, according to a recent California class action lawsuit, video conferencing providers may be improperly using their subscriber’s data. Specifically, as alleged in the suit, California’s privacy law and other state statutes may have been violated if users’ personal information was shared with Facebook without the users’ consent.
End-users may also create privacy issues. Among other things, confidential information may be mistakenly divulged if an employee shares their screen while such information is visible. If an end-user participates in a video conference in a public space, everything that is said and displayed during the conference is disclosed to those around them. Moreover, if an end-user records or takes screenshots of images displayed during the meeting, those items may be improperly disseminated.
Legal Consequences Of A Video Conferencing Breach
If you or your video conference provider has inadequate privacy and cybersecurity policies or procedures, your business may inadvertently run afoul of various federal and state laws. Among other laws, the unauthorized disclosure of your employees’ personal and confidential information may violate:
10-Point Plan To Prevent Video Conferencing Disasters
To avoid potential video conferencing related privacy or cybersecurity breaches when using Zoom or similar platforms, your business should consider employing the following practices:
Conclusion
In the wake of the COVID-19 pandemic, many employers are relying on video conferencing platforms to conduct meetings and providing remote educational instruction. While Zoom and other video conferencing platforms can provide a valuable interactive experience while social distancing, it is important to educate employees on potential privacy and cybersecurity risks. You must require them to adhere to best practices to ensure the security of remote meetings, protect the privacy of participants, and reduce the risk of intervention by unwanted participants.
Under the 2013 Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules provisions, employers must update their health information disclosure policies and retrain employees to ensure compliance.
The Department of Health and Human Services (HHS) issued the new HIPAA regulations on January 25, 2013, to execute major changes that were mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH) as well as the Genetic Information Nondiscrimination Act (GINA).
New Requirements for Business Associates
HIPAA regulations previously generally covered any business associate who performed or assisted in any activity involving the use or disclosure of individually identifiable health information, such as third-party administrators, pharmacy benefit managers and benefit consultants. Under the new regulations, business associate status is triggered when a vendor “creates, receives, maintains, or transmits” personal health information (PHI).
The key addition in this part of the regulation is found in the word ‘maintains’ because any entity that ‘maintains’ PHI on behalf of a covered entity- even if no access to that information is required or expected- will now be considered a business associate.
This change has some important consequences for group health plans that rely on cloud storage as a repository for their PHI or that outsource information-technology support and other functions and do not have business associate agreements (BAAs) with such vendors.
If you give PHI to a vendor before a BAA is in place, you will be in violation of HIPAA, and if you are a vendor, you can’t receive PHI without a compliant BAA in place. There must be a compliant BAA in place first.
Another change is that plan sponsors must enter into a sub-BAA with agents or subcontractors who are retained to help a business associate with covered functions for an employer-sponsored health plan. Plan sponsors should include BAA language that states that a business associate can’t subcontract work without prior permission, and then to monitor compliance with those agreements.
Presumption of PHI Breach Introduced
Under the previous rules, an impermissible use or disclosure of PHI- including electronic PHI- was a breach only if it posed a significant risk of harm to the individual. The HHS included in the new rules a presumption that any impermissible use or disclosure of PHI is a breach, subject to breach-notification rules.
Under the new rules, the only way now to get out of this presumption is by a demonstration that there is a low probability that the PHI was compromised.
To demonstrate low probability, the health plan or business associate must perform a risk assessment of four factors- at a minimum:
The HHS has indicated that it expects these risk assessments to be thorough and completed in good faith and to reach reasonable conclusions. If the risk assessment does not find a low probability that PHI has been compromised, then breach notification is required.
Action Advised for 2013
While the new regulations bring certainty to employer-sponsored health plans and their business associates on HIPAA compliance issues, they also emphasize the department’s intention to subject business associates and their subcontractors to heightened scrutiny.
Employers should review and revise their BAAs to ensure compliance with the security rule, paying special attention to the inclusion of subcontractors. Employers should also review and revise (or create) breach-notification procedures that detail how a risk assessment will be conducted. It is also important to train employees who have access to PHI on these updated policies and procedures.
The final regulations take effect September 23, 2013 and the HHS has provided another one-year transition period for some covered entities and their business associates that had a BAA in place on January 1, 2013. HHS also published an updated version of a template BAA, but it does not address all the unique situations that may arise between a covered entity and a business associate. Employers should ultimately ensure that their business associate agreements are appropriately tailored to their individual circumstances and business needs.