The following is a cross-post from the blog of FLEX's founder Michael Decaire. The post is the opinion of the author based on his experience in the regulatory, clinical, and telehealth sector. It is not a legal opinion, though it is based on a thorough review of relevant legislation and ethical standards. It is written to inform clinicians on how they can ethically provide care through video, but may have information regarding regulations and privacy that could set some mental health consumers at ease.
FLEX Psychology has provided clinical services over telehealth systems for well over a decade. This has included support for remote communities and hospitals, transitional support for in-person clients, or simply the provision of accessible care where and when it is needed. I personally have had the opportunity to be an educator and trainer in this area for many years, assisting therapists and organizations to implement an ethical and efficacious telehealth solution into their clinics. Over the last decade I have had the opportunity to try out virtually every video solution available. Some are good. Some are bad. None are perfect. Fortunately, nearly every solution (including every free solution) appears to meet the legal and professional requirements of use in Ontario. In other words, you would have to put forth a concerted effort to break any rules.
Today I want to tackle some of the ethical and legal questions I have been hearing when conversing with peers and clients. For obvious reasons, we have seen a clear push towards the implementation of telehealth solutions. The need to rapidly transition to this medium has forced a lot of professionals who were dragging their feet to suddenly shift their practices online. That has brought with it a lot of anxiety, which several video solution providers have appeared to decide to capitalize on. This has further fostered a range of sensationalistic news articles that are difficult to decipher for the layman and, at their worst, are deliberately misleading.
What Laws and Standards Police Telehealth in Ontario?
There is no specific law targeting telehealth solutions in Ontario, but since these tools are used for the real time implementation of healthcare, they do fall under the purview of the Personal Health Information Protection Act (PHIPA). There are a number of similar information acts that have an application to non-health information that may apply on the periphery (e.g. FIPPA; MFIPPA; PIPEDA), but these acts are substantially similar to PHIPA, and PHIPA tends to supersede those acts given the nature of the information we manage within the profession.
So, what does PHIPA have to say about telehealth?
You are welcome to say that again along to War by The Temptations.
Canadian laws tend to be designed in a manner that is technology (and thus time) agnostic. To be more specific, PHIPA has no reference to encryption, technology, means of service, or location of service.
That leads to the question of how a piece of software can be listed as "PHIPA compliant" if there are essentially no actual prescribed routes to compliance. Realistically, it appears that "PHIPA compliant" is nothing but a nonsense marketing technique. Vendors are likely borrowing the marketing term from "HIPAA compliant", which relates only to practitioners in the United States. HIPAA compliance is an actual thing, but relates primarily to a liability agreement that is signed between a vendor and the health practitioner end user. Those agreements are required by law in the US, but are not accessible to Canadian providers. In many cases, upgrading to "compliant" software provides you no additional protections at all. Zoom Cloud Meetings, for instance, provides identical encryption techniques across both their free and professional accounts. While the pro and healthcare versions do provide some additional features (e.g. unrestricted group meetings), the level of encryption is the same across all versions of the platform.
Given the lack of any actual prescribed compliance standards, I like to remind those I speak to that my cat is PHIPA compliant.
So are there any rules in PHIPA I need to be mindful of?
PHIPA provides a framework for how health professionals are permitted to engage with the personal and confidential information of our clients. The rules that apply to a brick and mortar clinic are essentially identical to a virtual one. If you were following the rules at your normal office, you likely remain compliant with PHIPA online.
There is a key wording in PHIPA that health practitioners need to be aware of: Reasonable.
This is a term that comes up routinely throughout PHIPA and the Information and Privacy Commissioner of Ontario's (IPC) rulings, fact sheets, and advice on the application of PHIPA.
Within PHIPA itself:
“A health information custodian shall take steps that are reasonable in the circumstances to ensure that [PHI] in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure…”
Within IPC's Fact Sheets on Protection:
A Health Information Custodian “must take steps that are reasonable in the circumstances to [protect] personal health information in their custody or control”
Within IPC's Fact Sheets on Encryption:
“‘strong encryption’ does not refer to a particular technical or design specification, or even to a specific encryption feature that could be inserted into a … specification.”
“Encryption must be commensurate with, and responsive to, known threats and risks”
The IPC goes on to note that "reasonable" is situationally dependent. A large government-funded organization may be expected to have a highly encrypted system that is locked down through high-end security software, whereas a small private practice is, at the very least, expected to use passwords and flip the switch for the basic encryption already built into their computers. It is readily apparent that the IPC is not expecting small clinics to be security experts, but that reasonable protections should be put in place.
The reality is that every video software solution is encrypted, though the nature of that encryption may vary to some degree. No one seems to be questioning the ethical use of the telephone in care. Video software is providing only a visual addition to what can be acquired by phone. In essence, a clinician would have to seemingly put in a concerted effort to break the rules here.
What do regulatory colleges have to say?
Again, not much in terms of technology use. The College of Psychologists of Ontario (CPO) introduced a variety of telehealth guidelines in 2017. These focused primarily on the requirement to maintain the same standard of care over telehealth solutions that you would in person. Otherwise, most of the focus here was ensuring you are practicing within your scope, in jurisdictions where you are permitted, and in a manner that is covered by liability insurance. The College of Registered Psychotherapists of Ontario (CRPO) has a fairly similar set of rules.
The only real area of note with both colleges is the expectation that clinicians are competent in care over this medium and that back-up solutions are in place for any technology failure (e.g. switch to the phone if you cannot get your video to connect and a client is in crisis). As is typical with most of these rules, competency is not defined. If we want to keep it simple though, I would suggest that clinicians be able to recognize how technology may preclude certain types of treatment/service and that they either modify their approach to avoid any compromises or do not offer such services over that medium. That being said, during times such as these, it may be important to remember that "best practice" and "competent practice" are not always equivalent. This medium may not be one's preferred manner of providing clinical support, but that does not mean that it precludes us from providing competent and necessary care during a time of high need.
What is all this news I keep hearing about Zoom Cloud Meetings being the boogeyman?
There is a lot of sensationalistic news going around right now regarding Zoom Cloud Meetings, which happens to be my personal telehealth solution of choice. Zoom appears to be the focus of these reports due to the surge in usage it has received during the COVID pandemic, which has resulted in a lot more attention to the platform, but has also made it a juicy target for technology reporters during a particularly notable slow time for that industry.
The problem is that the majority of these reports are utter nonsense, extremely overblown, silly semantic arguments, or, at times, clearly being fostered by other video platform providers who see this as an opportunity for a financial windfall. I thought I would tackle some of the most common silly worries I have been seeing. I would also like to remind people that the Zoom platform is actually what many other platforms that people have earmarked as "safe" are built upon, which means these solutions are really no different than Zoom's offerings. I would also like to note that Zoom is now the platform of choice for Ontario's criminal courts during the COVID shutdown. You can be fairly confident that this group did its due diligence.
Is Zoom selling my information to Facebook? No. Many software companies allow you to log in using your Facebook or Google credentials. In a sense, this is actually a security feature, as the confirmation of your identity is handled by this third party and you do not have to worry about having another login and password out there that could be hacked and released. In order to allow this login format, Zoom has to communicate with Facebook's servers to allow them to confirm you are who you say you are. This process does not pass on additional information, and your attendees do not actually need a Zoom account in the first place (they simply click and attend as guests).
Another cause of the "Facebook is stealing your information" fear is that Zoom used a Facebook "analytics plugin". Analytics plugins are used to acquire technical information about a user (e.g. what computer platform you are using; what web browser you are using). They are needed to provide smooth and personalized services and are embedded everywhere, including this website. Facebook and Google are amongst the biggest analytics companies in the world, so I would have been surprised if Zoom did not have this relationship with Facebook. The important detail for readers to know is that this information is not of the personal and confidential type, and certainly does not pose a health information risk.
I heard the free and pro version of Zoom is not PHIPA compliant? PHIPA compliance is not a thing. At best, it is a misunderstanding of how PHIPA works. At worst, it is a manipulative marketing technique.
I was told Zoom is not end-to-end encrypted. Admittedly, Zoom did use the term end-to-end encrypted in a non-traditional manner, though they were semantically correct. In theory, end-to-end encryption is generally accepted to mean that all communication goes through a secure and direct communication between two end points. Think of it as a tunnel between two places that no one can see into or get into other than the two people who initiated the travel between those two places. This sounds like a good idea, but this sort of security is unnecessary, not practical, and would actually be compromising to care and safety. An end-to-end tunnel such as this would prevent group meetings (e.g. that third person would not be able to get into the tunnel), break virus scanners (e.g. computers in the cloud would not be able to scan files to see if someone is trying to send you a virus), and cause a number of logistical issues.
In essence, Zoom acts as a relay of fully encrypted sessions. The signal is encrypted by your computer, goes to the relay station, is received by the end user, and only they can decrypt it. So, in a manner, it is fair to say that this transmission is encrypted end to end. If we required end-to-end AND direct communication without relay, we would not be able to use the phone to talk to patients, send documents by courier, use a fax machine, implement digital outcome and progress monitoring measures, or use any electronic records software. In essence, Zoom's security is the equivalent of taking information, locking it in a safe, sending that safe by armed courier to the intended recipient, and then having them lock their response in that safe and send it back through the same means. That is more secure than most ways we currently communicate.
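The distinction these two paragraphs turn on, as an added illustration that is not part of the original post: a relay that only forwards opaque ciphertext (the "locked safe" model) versus one that decrypts traffic in transit, which is what lets a cloud service scan files as described above. The toy cipher, key handling and sample message are constructed assumptions; this models the two designs generically and is not Zoom's or any vendor's actual protocol.

```python
# Added illustration, not from the original post: two ways a relay can sit
# between a clinician and a client. The cipher is a toy (HMAC-SHA256
# keystream) so the file runs offline; it models neither Zoom nor any vendor.
import hashlib
import hmac
import os

NONCE_LEN = 12


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with HMAC-SHA256(key, nonce||counter). Illustrative
    only; a real system needs a vetted AEAD."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256)
        stream.extend(block.digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, message: bytes) -> bytes:
    return keystream_xor(key, message[:NONCE_LEN], message[NONCE_LEN:])


def end_to_end(msg: bytes):
    """'Locked safe' model: the session key lives only at the two endpoints
    (assume they agreed it directly); the relay forwards bytes it cannot open."""
    session_key = os.urandom(32)
    wire = seal(session_key, msg)
    relay_saw = [wire]                          # opaque ciphertext only
    return unseal(session_key, wire), relay_saw


def hop_by_hop(msg: bytes):
    """Transport-encrypted model: each leg is encrypted, but the relay holds both
    leg keys and decrypts in the middle (what lets a cloud service scan traffic)."""
    k_in, k_out = os.urandom(32), os.urandom(32)
    at_relay = unseal(k_in, seal(k_in, msg))     # plaintext exists at the relay
    relay_saw = [at_relay]
    return unseal(k_out, seal(k_out, at_relay)), relay_saw


def relay_sees_plaintext(deliver) -> bool:
    """Push one constructed message through a model; both must deliver it intact,
    and the only question is whether the relay ever held the plaintext."""
    msg = b"constructed sample note, not real health information"
    delivered, relay_saw = deliver(msg)
    if delivered != msg:
        raise RuntimeError("delivery failed")
    return msg in relay_saw
```

Both models deliver the message intact; only `relay_sees_plaintext(...)` differs, which is the question a clinician should put to whoever vets a platform.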
Is Zoom spying on my clients? This was a real sensational one. Zoom used to have a software feature for large group meetings and webinars that alerted the presenter if the audience was no longer attending to the screen. They have turned this off due to privacy complaints, but this is far from "spying". In case you were wondering, I can tell when you are not paying attention to me in person as well.
But Zoom was hacked, and people can control my computer! While this may not make anyone feel better, most software platforms have been hacked in one way or another and new bugs are found every day. This is actually one of the reasons I prefer more popular platforms, because these bugs are spotted more quickly, and the company has the resources to squash those bugs. I have used smaller platforms that I have generally loved, but ultimately ended up abandoning them because it took months to fix small issues and I began to seriously worry that they would not even know if they had been hacked.
So, does Zoom have any serious bugs? Absolutely, but fortunately you probably do not have to worry about them. The current issues they have been working to resolve include the ability to obtain higher access to your computer than you would wish IF a hacker was physically sitting at your computer and you logged them in (why would you do that?) or if you are sent a malicious link by a hacker you happen to be having a meeting with. The latter is a problem nearly every chat application has dealt with, including your text message app. I would simply suggest not chatting with hackers or letting them come into your house during social isolation. Problem solved!
The reality is that all software platforms experience these types of bugs. It is good that they are highlighted, because that is how they get fixed. The key is whether one would reasonably think these bugs pose a risk to patient privacy or safety, and they clearly do not.
I heard that Zoom Trolls are attacking our sessions! I wanted to leave this one for last, as it is a perfect example of sensational news and people not actually reading the article. So Zoom allows you to host large-scale group meetings. People log into these meetings by following a shared link. You can make it so that each attendee needs to be approved for entry, but when your meeting is hosting 1,000 people you usually turn that off. So a couple of groups have hosted these meetings AND publicly posted their invites for the meeting. Some jerks showed up and started saying offensive things. Some of those jerks were racists and the FBI, rightfully so, is investigating those individuals for hate crimes. Somehow this turned into articles about the FBI investigating Zoom, which is untrue and just silly to believe given the scenario. This would be the equivalent of a streaker running into a public park and the police coming in and arresting the sandbox. These Zoom troll stories are so laughable that they are not worth talking about any further.
So should I just install a platform like Zoom and not worry about it? Definitely not. You need to do some due diligence, but you need to do "reasonable" due diligence. You do not need to know about the differences between AES128 and AES256 encryption, but rather need to know that your communication is encrypted. You need to trust legitimate IT professionals or informed peers who have knowledge of technology AND health regulatory law. Ask them not if a platform has "no risk", but rather if it poses a "reasonable" risk to your patients.
You also need to act in a "reasonable" manner in how you use these platforms. I particularly like the different levels of security I can put in place on Zoom that are ironically rarely available on some of the higher-end telehealth solutions. Here is a list of settings and procedures you should put on right away:
In the end, it is important for us to recognize that any concerns that have been flagged about telehealth solutions like Zoom are not unique to that platform. Just as important, we need to recognize that these problems do not appear to pose any meaningful risk to care or patient privacy. We need to stay informed about the solutions we use, but spreading unsubstantiated fears and misleading information does compromise care and THAT is the real risk here.
Readers who would like to learn more about the provision of care over telehealth are welcome to contact FLEX to join in on our telehealth webinar series. I would also encourage professionals to visit the Telebehavioral Health Institute website and sign up for their excellent newsletter. It provides free webinars periodically and offers reasonably priced intensive training on implementing ethical and efficacious telehealth solutions. I studied with this institute early in my telehealth journey and found it to be an excellent resource.
The information provided on the Think FLEXibly Blog is for educational purposes only. These documents are not intended to be considered therapeutic guidance, nor should they be followed as a substitution to a well established therapeutic relationship.