This Article Is Currently In Limbo
Skype is popular, free, and easy to download and use, so it’s the obvious go-to for thousands of therapists and clients who want to work together over the Internet via videoconferencing. As has been pointed out by many others, however, there are some issues around Skype when it comes to HIPAA. Software platforms offering health care-oriented videoconferencing along with other features — for a fee — exist, but is there something that looks, feels, and costs like Skype and is designed for us health care types?
Enter VSee, a Skype-like piece of software with a number of important distinctions. It can be downloaded for free, it installs and starts working simply and easily (as easily as Skype, at least), and it performs the simple task of providing a video and audio connection for 2 or more people. VSee also offers more flexible screensharing options and tech support for a monthly fee, but they are not required.
If it works like Skype, then is it really okay for HIPAA? Why is VSee okay but Skype isn’t?
Update, January 2016:
Given the development of the software world and health care regs in the US since this article was published, we have decided that we can no longer recommend that HIPAA Covered Entities use VSee without a Business Associate Agreement. The following information is left for now so you can see what we stated about VSee previously. This information will be updated in the near future, however.
Reps from VSee have commented here that they are willing to give a reduced rate for Pro plans that include a Business Associate Agreement. The actual rate they offer is still unknown to us, but we’re finding out what we can find out. We’ll update this article when we know more. In the meantime, Anne has stated in the comments that you can inquire directly with VSee at https://vsee.com/contactsales.
Person-Centered Tech still recommends VSee as good software for online therapy work. We hope it will remain accessible to solo and small mental health practices.
As I see it, the main problem with Skype and HIPAA is about the HIPAA Business Associate rules released in January of 2013. HIPAA states that third-party groups who handle your confidential information, and don’t meet certain exceptions, qualify as “HIPAA Business Associates.” You are required to have a Business Associate contract with such a group before you hand them any protected health information. (Need more info on this? See: What is a HIPAA Business Associate Agreement?)
How come VSee slides by on the Business Associate question and Skype doesn’t? The distinction rests on pretty technical matters. In this case, the question is, “how is the call information sent over the Internet?”
It has become public knowledge that Skype allows law enforcement to monitor calls. This means that Skype must have some way to listen in on any old call that uses their software. This means, essentially, that Skype can and may handle your unsecured protected health information and so, especially under the 2013 HIPAA rules, they are a Business Associate.
The VSee software bypasses this issue through a very simple difference: calls go directly from person-to-person without any intervention by the VSee company. So even though your computers run the VSee software, it is your computer and the client’s computer doing all the handling of information. No third party is involved, so there is no HIPAA Business Associate relationship there.
What’s more, Skype calls do use AES encryption, which is good and strong. The US government has an encryption standard, however, called FIPS 140-2 (what a clear and obvious name, right?) Skype’s call encryption, while good, doesn’t meet this standard. This is not unusual since Skype’s security is about providing privacy for consumers and not about complying with government standards. VSee’s encryption meets the FIPS standard, and it is clear that the security scheme underlying it is built to accommodate the needs of health care professionals and government agencies that must meet the federal standards.
Once again, the distinctions are under the hood, but they are essential distinctions when it comes to HIPAA. Luckily for us, we don’t have to do anything to make them happen. It “Just Works.”
Are there any problems with VSee when it comes to HIPAA or other security requirements?
I see three issues to be addressed with VSee when it comes to HIPAA:
1) HIPAA requires that the software we use to handle our protected health information keep logs of accesses and usage so that we can audit those logs if we suspect that someone may have broken in or otherwise misused the information. Skype doesn’t offer this at all, and the VSee software doesn’t provide such information out of the box.
I spoke about this with Becky Wai, VSee’s Director of Medical Applications, and she informed me that should such a need arise, VSee can make arrangements for access to logs. Quite importantly, the VSee company also offers more feature-rich (and expensive) software packages to hospitals and large clinics that include access to logs, so we know they have the capability to deliver this information when needed. However, since it is not part of the core software, this goes under HIPAA-related weaknesses.
2) VSee’s CEO, MIlton Chen, informed me that the text chat feature of VSee is “store-and-forward,” meaning that text chat messages pass through the virtual hands of the VSee computers. Chen advises that health care professionals using VSee for delivery of services should avoid using the chat feature for this reason. This is separate from the video calling.
3) While the calls themselves don’t pass through the VSee computers, those computers do coordinate the connection of calls. This means VSee would know which accounts connected for a call at what times, but not the length of the calls (because VSee doesn’t know when you hang up) nor any of the contents of the calls. This is a low risk situation, but one that users of VSee should be aware of.
How well does it actually work? Does it do anything especially helpful or unhelpful?
One of VSee’s strongest features is the ability to send high-definition video with very little Internet speed. They tout this feature a lot, and I wasn’t sure if it would bear out in practice, at first. I’ve found, however, that VSee rarely drops calls or has significant lags. It’s much easier to get in to an emotionally deep therapeutic intervention when I’m confident the call isn’t going to freeze up on me. The Internet is still a fickle beast, of course, and VSee calls aren’t perfect, but it’s significantly better than anything else I’ve used.
Notably, VSee also meets most of the American Telemedicine Association’s guidelines for videoconferencing software, including providing information about the state of the Internet connection and the possibility that a call connection may be about to go bad. It also provides information about how well each person’s computer is running. If your client is having trouble running VSee, you can check to see if perhaps their computer is being overloaded by other programs that they need to close or if the Internet connection is, in fact, running slow. The ability to monitor the state of your client’s computer and the call connection is a wonderful boost for providing quality telehealth services.
VSee can also do screen sharing (although you’ll need to pay a monthly fee if you want to do it more than once per day) and the Windows version can record sessions. The lack of recording on the Mac version is a glaring hole in the feature set. They tell me it’s on the todo list, and I hope it gets addressed soon. To VSee’s credit, however, Skype does not support recording at all, although you can buy third-party programs that record Skype calls.
What about the company? Can we rely on this product for the long-term?
I’m concerned that the company does not have a Chief Security Officer (CSO) or Chief Information Security Officer (CISO.) Companies that lack this kind of executive position are usually more prone to security problems over time, as there is no executive-level person whose job is to maintain a culture of security. However, VSee’s customers include the US Congress, Navy Seals and NASA, all of whom must use software that meets federal security standards and who monitor their vendors closely. The focus on telehealth would also necessitate a continued focus on security.
So VSee is the best software for doing online therapy?
VSee is good for online therapy, and it is a great alternative for Skype since it works and costs like Skype but is much more appropriate for telehealth. It is not the only product that works well, however, and which product is “best” is a matter of opinion. For a thorough list of software platforms that can be used for telehealth, I recommend checking out the Telemental Health Comparisons website.
VSee can be downloaded from www.vsee.com.
How can I learn more about VSee and using video in telehealth practice?
The topics in this article are covered in our online CE courses: Digital Ethics, Security & Privacy in Psychotherapy Practice Management (4 CE hrs, $39) at the Zur Institute; and HIPAA Security and Privacy in Psychotherapy, Counseling and Mental Health Practices (10 CE hrs, $99), also at the Zur Institute.
Hi Roy,
Excellent article, very enlightening and helpful to a newbie. Thanks. Mike
Thanks, Mike!
Dear Roy, thanks for the great article. It is true that we don’t have a chief security officer. as a small company – we tend to not have any titles – where everyone works as a team – a flat structure :) we do spend a lot of time thinking about security – here are more info:
http://vsee.com/security
http://vsee.com/hipaa
thanks and looking forward to serving your community! :)
Milton
CEO
vsee.com
Thanks for stepping in to comment, Milton. :)
Thanks Roy!
Very helpful article. I’ve been looking at CounSol.com, but now I’ll experiment with VSee before taking the jump to the next level software.
All the best,
Brian
Hi, Question: So is VSee HIPPA compliant in California for psychotherapy sessions done online?
Forgive my ignorance if this is obvious :)
Warmly,
Debbie
I’m not aware of any requirements specific to CA for the software used in telehealth service. I also haven’t been told of any by CA colleagues. VSee is certainly compatible with our HIPAA compliance needs, however.
Hello Roy,
I am concerned about the social media aspect (the fact that VSEE lets you know who is on line and on a VSEE call), also that you can record.
Clients privacy is not totally protected if others can see when they are on line. I do not see how to turn off this feature.
Also, if a client records a session it creates a risk that someone will view that session in the near or distant future. I am aware that this would be on them, but it is creating a risk.
Do you think these concerns create ethical/legal issues for providing telehealth via VSEE?
Thank you,
Hi Raymond,
Any potential privacy concerns should be covered in informed consent. Generally, guidelines on telehealth call for a special informed consent that addresses issues specific to the therapist’s way of delivering services.
An important part of this discussion is to consider that not all risks are created equal, and the existence of a vulnerability does equate to a deal breaker or a greater than reasonable risk. We don’t learn this style of risk management in ethics classes, but it is what HIPAA asks us to use.
So if a client has more than one contact in his/her own VSee address book, then other contacts can see if s/he is in a call. That is an identified vulnerability in the address book portion of VSee. When we examine the vulnerability, we see that the third party can’t see who the client is in a call with. Nor can they see who is in the client’s address book, meaning they can’t even determine if the client has a therapist in their address book in the first place — unless the third party is looking at the client’s address book on the client’s own device where s/he runs VSee. I’m not convinced this presents a large risk at all times — it will depend on the client.
The VSee administrators can see who called who when, which is a vulnerability addressed in the article. Once again, clients should be informed of these vulnerabilities.
And yes, clients can record sessions. I believe a number of guidelines specifically address that issue as one to talk with clients about beforehand.
HTH. :)
Thank you Roy.
Looking at VSEE again, I just noticed that the account name is actually a tab, and we have the option to hide the online status.
I will be recommending the following to clients:
1 do not check the box to stay logged in.
2 check the tab to hide your status.
3 make sure to log off.
4 do not record sessions
5 do not use the chat option
of course in addition to all of our normal items in our informed consent.
Thank you,
Ray
Hello Roy,
Do you happen to know if one can be HIPAA compliant and use Vsee’s mobile app with a cellular connection (4g/3g), when using the screen share option, and/or file share option?
Thank you very much.
Ray
Hello Ray,
vsee mobile is HIPAA secure just like the Win/Mac client. to be HIPAA compliant – you may need to sign a BAA w/ vsee. The newest HIPAA requirements suggest a BAA is required. But we still see a lot of people doing w/o a BAA. But VSee itself will always give you end-to-end encryption, and our FDA certificate covers all platforms. thanks!
Milton
CEO
VSee
Thank you Milton for your quick response. Do you know if I would also have to have a BAA with the cellular company if using 4g/3g to be HIPAA compliant?
to my understanding, you do not need a BAA w/ the phone company. but the rules are still in flux, thus it may change in the future. thx!
Thanks for posting, Milton!
I assume for the BAA, Milton, you’re referring to the fact that VSee stores contact info and creates the initial handshake during a session?
Which VSee products can we get a BAA for?
I doubt it will change any time soon, however. :)
Thank you. Roy, slight deviation, but in your opinion can we counselors use cellphones for telephonic counseling and be both HIPAA and ethically compliant if we secure the mobile device? I thought I once read that counselors can only use a landline and be HIPAA compliant.
hi Roy – vsee virtual waiting room has BAA. thx! :)
Hey Roy, Do you believe that one can be HIPAA compliant and use Lync for for counseling sessions? If so, it would be a GREAT option.
Dear Ray,
signing a BAA is required to be HIPAA compliant. Initially it wasn’t clear if a BAA is required – so you have companies such as Zoom claiming HIPAA doesn’t apply to them, so they are HIPAA compliant in a weird logic. But Zoom is not HIPAA compliant – see our article explaining why http://vsee.com/blog/zoom-hipaa-compliant/
re. Lync – if Microsoft will sign a BAA with you, then you can be HIPAA compliant, but if Microsoft will not sign BAA with you – doesn’t matter what security it has, you are not HIPAA compliant. thx.
Thank you Milton.
Lync does offer a BAA, and states that if I initiate the call via my Lync to a cleint’s Skype account I can still be HIPAA compliant. This includes the applications, such as screen share and the white board.
Any thoughts or concerns about this?
Ray
Just want to let people know that signed up for VSee Pro but have continued audio issues with my clients and that VSee does not provide phone technical support. You can only email them or leave a voicemail and then they will email you a formulated response. I did get a call back but it was much later than when I left the voicemail and of course I was with another client and couldn’t take the call. They left a message to email them instead. I’m going to start looking for another company. If anyone else has had better luck with VSee’s technical support, let me know. Thanks.
Dear Erika,
so sorry for the poor support. unfortunately very few company can afford to offer live support at modest subscription levels – this is why if you were to call google, zendesk, etc, the experience sometimes is poor.
audio issues are often due to the hardware or network; unfortunately they are hard to figure out unless we listen to the quality. how about call me on vsee and I will trouble shoot for you. thanks and again so sorry for your poor vsee experience.
Milton
CEO
As of Feb 2015, VSee costs a minimum of $199 per month per user. The “free” plan doesn’t offer a business associates agreement. I’m not sure how $199 per month is even remotely justifiable for the independent mental health professional, considering that there are much cheaper alternatives that have more features appropriate to independent practitioners.
As far as your point about Chief Security Officer. In a large enterprise with millions of customers and multiple product lines, that might is certainly an important role, but just the virtue of having such an executive means nothing in terms of how secure a product is. Sony, Target and all of those companies targeted by malicious hackers — they have entire departments dedicated to security. Yet a company like Basecamp with less than 30 employees has never had a data breach of security issue, despite being used by thousands of businesses every day. Job titles do not equate with how prepared a company is for security issues, especially companies that use open source software libraries. For example, if there is a security hole in Ruby on Rails, within hours a patch is submitted, announcements made and the problem is fixed.
At my company, we don’t have a Chief Security Officer. It’s a redundant position. Every developer is a security officer. Our code goes through frequent penetration testing, automated security audits as well as manual code reviews. Our deployment system doesn’t allow security-compromised code to ever reach the server. We also don’t use proprietary software frameworks that were written by one internal team, which are prone to security failures because the closed-source nature of the software isn’t being reviewed by millions of developers. We’ve been around since 2010 and not had a single security incident and we deal with HIPAA compliant video every day. It isn’t because we’re lucky, it’s just that security isn’t a task delegated to a particular executive. Security is a company-wide responsibility. The most important thing is to not only have well audited code on updated systems, but it’s to have a security policy that mitigates risk.
As far as encryption standards, to crack AES in real-time would be mathematically impossible. Since unique tokens are generated for each session, by the time AES is cracked for a particular, the session would have been long over. We don’t use AES ourselves (we definitely don’t use Skype,) but the type of encryption is not as critical as one might think, assuming that it’s a reasonably current algorithm. Where encryption type is extremely important however is going to be in database encryption of patient data as well as passwords. Land line phone calls aren’t encrypted at all, yet telephones are considered a HIPAA compliant tool.
Anyway, interesting article. It certainly reads like an advertisement for Vsee, but it was a great run down of the tech. We certainly agree with one of your points: Skype is not HIPAA compliant and should never be used in a healthcare setting.
Hi Brian,
Many points made, sir. :)
This article needs to be read as it is intended: to guide therapists who would otherwise pick up Skype or Facetime towards a drop-in replacement that would be far more appropriate. And yes, I do mean the free version of VSee in this case. The company handles setting up the handshake and also stores contact lists, but the call itself is peer-to-peer.
AES and FIPS 140-2 is just an issue of government standards. A federal agency would have to use something that is FIPS 140-2 validated in order to be FISMA-compliant. HIPAA covered entities aren’t required to worry about FIPS 140, but using software that is FIPS 140-2 validated can qualify the entity for the safe harbor in the Final Breach Notification Rule. So it’s not about what is strong or viable so much as about what will work best as insurance against liability.
My comment about CSO’s is aimed at what you’re talking about: ensuring the company has a process and policies in place that maintain security in the product and in the culture of the company. I’ve seen too many vendors who claim to be “HIPAA compliant” who let slip terribly non-secure code into production because there is no one whose job it is to make sure that doesn’t happen. Just like Milton said about VSee, I hear you about enlisting your developers to do that job rather than designating an executive for it. Just so long as it works. :)
As for land lines: that has nothing to do with reality. That’s just HIPAA. ;)
I’m reading this article with lots of interest…thanks a lot Roy. (I’m aware I’m coming into this conversation late)…just wondering whether anyone has a recommendation for secure free IM? I planned on using VSee as opposed to Skype and then I saw Milton’s recommendation in your article:
“2) VSee’s CEO, MIlton Chen, informed me that the text chat feature of VSee is “store-and-forward,” meaning that text chat messages pass through the virtual hands of the VSee computers. Chen advises that health care professionals using VSee for delivery of services should avoid using the chat feature for this reason. This is separate from the video calling. ”
I assume this means that VSee have access to the content of any Chat conversation as the information passed through? And also that this same information might get stored at VSee for an amount of time? I imagine (or maybe I am hoping!) that VSee is the best that security gets right now for Chat? In which case it’s the best way forwards whilst making my clients aware of the risks/ limitations? Thanks a lot for your help!
Hmm, I would not regard it that way. The chat does not enjoy the same security benefits that the video call does.
You may be out of luck for free, secure IM that allows you to meet HIPAA requirements unless you and all your clients are comfortable with working with open source software and setting up your own servers…
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. This applies to landlines as well as cell calls, but the interpretation has traditionally been the disclosure of information over the telephone as opposed to the use of the telephone technology itself.
With phone services, one has to make two assumptions: nothing is being recorded or stored and that the phone call metadata (i.e. the record that the call occurred and to whom and for how long) is itself not Protected Health Information (PHI). While the provision of care itself is PHI, a phone call doesn’t necessarily amount to a record of “provision of care.” HIPAA does not have any distinction in the law for cell or landline (nor should they, at least not for technology produced within the past 10 years, since all cell calls are encrypted.) The reason for the older idea about cellular being special was because in the olden times, cell calls could be intercepted using simple radio equipment — meaning calls weren’t secure. Interestingly, landlines are technically less secure than cellular since there is no encryption happening — meaning that someone at a telephone junction box outside of your office could theoretically tap into your calls and listen in, while with cellular calls, this sort of interception is impossible (governments/law enforcement working with the phone companies of course are not addressed here, but those situations aren’t HIPAA relevant anyway.)
But I digress.. In terms of BAA, I have never heard of a telephone company BAA requirement or nor have I ever seen it in practice. I would suspect that the phone company would give you a blank look if you were to ever ask for one. However, to comply with HIPAA, the following language is recommended in your informed consent:
“I consent to receive calls from (medical practice) for my protected healthcare and other services at the phone number(s) above, including my wireless number provided. I understand I may be charged for such calls by my wireless carrier and that such calls may be generated by an automated dialing system.”
That “automated dialing system” language is required per The Telephone Consumer Protection Act of 1991 rules that went into effect in October 2013. Otherwise without that line, if you use any sort of autodialing system (or text message reminder system,) you’ll be in trouble with the FCC, though you’d still be ok with HIPAA.
That language puts you in the clear in terms of using a phone and HIPAA. Take note though that while I’m well informed, I am not attorney and the above is only a suggestion and should not be considered legal advice!
Thanks a lot for your time and help Roy…really appreciated. A really interesting article that I’ll be sharing with others that I know in the Online Counselling world.
Great details here, Brian. Thanks for posting.
I actually have a question. I teach outside of the US and that is when I most use skype sessions to reach clients (as needed). This includes mainland China. How does Vsee work abroad?
I’m curious about that too – if we’re traveling then how well does Vsee work “across the pond” back to our clients in the US? Do countries like China block that type of traffic or would we have to use it over a VPN?
Steve @ Envision Counseling Clinic
Hi I just returned from teaching in China, and use VSee for skype contact with a client. It worked OK…not great (the client also has poor wifi connection so I am not sure if it was China or their wifi setup)… We ended up using skype too..since VSee was inconsistent..also I DID use a VPN, which actually worked amazingly.. my first time teaching in China it was hard to have consistent email anything..but this time the VPN was slow at times..but always worked… I even got to access Google Docs IN CHINA..not sure how or why
awesome – thanks so much Barbara!
I am interested in a HIPAA-compliant teletherapy platform, and there seem to be a lot of new providers out there. I’m wondering what VSee has to offer as compared to competitors. Any feedback is helpful. Thanks!
Hi Ray,
VSee has a web-based Waiting Room product which addresses your privacy concerns. When clients connect to a provider via the Waiting Room, the address book is suppressed so the client does not have a contact list and cannot use VSee recording. In addition, the webchat history is not saved. Here is a quick video of how the waiting room works: vsee.com/blog/video/waiting-room-demo
Please mention that you found us on this forum, we’d be happy to give you a special discount on the waiting room.
Hi Alison,
VSee text chats are always encrypted. Text chat history is stored locally on your computer so VSee does not have access to your text chats, and you would be responsible for securing your devices with chat history. The only time VSee stores chat messages is in the case that a text chat is sent to someone who is offline, then we do temporarily store that message on secured servers until it is sent. Thanks!
Anne
VSee support staff
Hi Barbara,
You were able to have access to Google docs because you were going through a VPN :) We have employees who work from China, and they also go through a VPN. But as you mentioned call quality is dependent on the network. I’m in China now, using an ~1Mbps connection. I find that I can have very good VSee calls (even using HD) if it’s before 4 p.m. on weekdays or before 11 a.m. on the weekends, otherwise the connection is terrible (I’m guessing because too many people are using their home network). It’s actually any US website for me, not just VSee.
Also, if you have Skype running in the background when using VSee, your VSee call quality will be lower because Skype takes up bandwidth even if you are not in an actual call. Thanks!
Anne @VSee
Hi Albert,
1. VSee offers group video chat at half the bandwidth of competitors such as WeCounsel, American Well (which use Vidyo).
2. It is available across all major platforms – PC, Mac, iPhone, iPad, Android.
3. We take security very seriously, using 256-bit AES encryption and doing 3rd party security audits.
4. We have experience working with many health systems and organizations (MDLIVE-Breakthrough, HealthPartners…) to create simple telemedicine workflows on top of video such as the VSee Waiting Room and Cloud Clinic with scheduling and ePay. See vsee.com/blog/video/cloud-clinic-overview
5. You might find this list of telemedicine platforms we’ve put together helpful: vsee.com/blog/telemedicine-platform-reviews
Please mention that you found us on this forum, and we’d be happy to match pricing or give a significant discount on any of our products. Thanks!
Anne @ VSee
Btw, we offer special discounts on HIPAA-Compliant VSee subscriptions if you mention this article to our sales team: http://vsee.com/contactsales :)
Anne
VSee Marketing
I am currently testing VSee among other platforms (thera-link and wecounsel) for my telehealth services. They now offer a more basic option that comes with a BAA for $45 month (http://vsee.com/blog/change-subscription). This option does not include the waiting room or scheduling though, unlike the other two services I am testing.
One issue I am having with the application is the contacts list. I do not like having a list of contacts including my client’s contact information. I do not even keep a client contact list in my email. I know there are numerous approaches to safeguarding this information, but it just rubs me the wrong way.
Has anyone used VSee are part of their regular practice? I am wondering what processes others have used to integrate the use of this application.
*Correction, the Pro account is advertised at $49/month. The customer service rep did offer a competitive lower rate.
Thanks for the update, Krysttel!
I am confused about the BAA and if that makes it hipaa compliant or not. According to the VSEE website, https://vsee.com/pricing, it says the paid subscriptions have BAA for hipaa compliance, which has me thinking that the free version is NOT hipaa compliant. You article seems to assert that the free one is compliant and i am trying to make sense of it in previous comments, but I just do not totally understand what BAA is and if it is necessary to be HIPAA compliant. Any input would be much appreciated. thanks.
Hi Kristine,
There are a few things to say in response to your question:
1) You should probably read this article about how products cannot be compliant with HIPAA. It’s important b/c we can drive ourselves batty trying to understand how a product is compliant or not when compliance is something for us to do, and not for the product to do: https://tameyourpractice.com/blog/your-software-and-devices-are-not-hipaa-compliant
2) A BAA is necessary for our HIPAA compliance, in the majority of cases, when we wish to use a service that qualifies as our HIPAA Business Associate. Here is our article about that: https://personcenteredtech.com/2012/08/29/what-is-a-hipaa-business-associate-agreement/
3) VSee has very little contact with PHI, which is why this article waffles about the need for a BAA. I do need to update it, however, as the environment around the Business Associate rule has evolved to be very tight. In other words, even that little contact VSee makes should be addressed if you intend to make serious use of VSee in your practice. This is one of the reasons, I’m sure, why the VSee folks are now offering a BAA with the $49 version of the software.
A requirement of HIPAA-compliance is that providers need to have a BAA with any businesses or services they use that “handle” their clients’ PHI.
That being said, some services such as the US Post Office, your phone carrier, ISP are excepted from this rule as “mere conduits” of PHI. In an earlier interpretation of the law, many people thought that a service such VSee where PHI is not stored or resting anywhere but only transported from point-to-point could be excepted as a business associate via this conduit exception.
However, we actually spoke with an OCR rep who told us that under the HITECH law, any service that transports PHI over the Internet still counts as a Business Associate, so that is why we no longer say that the free VSee service is “HIPAA-compliant” but offer BAAs starting with the annual Pro subscription of VSee.
That being said, we do understand that $49/month Pro subscription for the BAA is quite steep for counseling and behavioral health. So we actually offer a much lower behavioral health pricing. Just mention that you are a behavioral health provider or that you learned about VSee through Person-Centered Tech blog when you contact us ( vsee.com/contactsales ).
Thanks!
Anne @ VSee
You should check out doxy.me (https://doxy.me), it’s a new free telemedicine alternative that many therapists are now using. Unlimited minutes, unlimited sessions, and the BAA is available at no cost. There is a paid version that you can white label.
Looks interesting. I’m checking it out. Where is the best place to send questions regarding technical details of the software?
Is it supported on mobile devices (iPhone, iPad, Android)?