
EMDRremote.com and HIPAA Compliance

If you use EMDRremote’s BLS lightbar and audio and choose Doxy.me as your teletherapy video service, it is HIPAA compliant and Doxy.me will provide you with a BAA.

If you use EMDRremote’s BLS lightbar and audio and choose EMDRremote’s Video Service as your teletherapy video service, it is HIPAA compliant in that it meets the “conduit exception”.

HIPAA Compliance - What HHS.gov requires and how EMDRremote.com complies:

According to HHS.gov (re: HIPAA):

To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

According to HHS.gov (re: conduit exception):

The conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission. Any access to PHI by a conduit is only transient in nature.

According to HHS.gov (re: BAA not needed when teletherapy meets conduit exception):

A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. Since no disclosure is intended by the covered entity, and the probability of exposure of any particular protected health information to a conduit is very small, a conduit is not a business associate of the covered entity.

In terms of teletherapy, the solution and security architecture must comply with certain standards, implementation specifications and requirements with respect to electronic PHI of a covered entity. The general requirements of the HIPAA Security Standards state that covered entities must:
  1. Ensure the confidentiality, integrity, and availability of all electronic PHI the covered entity creates, receives, maintains, or transmits.
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy regulations.
  4. Ensure compliance by its workforce.

How EMDRremote.com Enables HIPAA Compliance

In the course of providing services to our users (therapists and clients included), EMDRremote.com does not access PHI. Rather, for purposes of compliance with HIPAA, EMDRremote models its compliance under the “conduit exception”, which applies to entities that transmit PHI but do not have access to the transmitted information. To fall within this exception, EMDRremote applies mandatory conference settings, which nearly eliminate a customer’s ability to transmit PHI to EMDRremote.

We do not have access to identifiable PHI and we protect and encrypt all audio, video, and screen sharing data.

The following list demonstrates how EMDRremote supports HIPAA compliance based on the HIPAA Security Rule published in the Federal Register on February 20, 2003 (45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule).
  1. We do not require clients to create an account or provide any identifiable information to join a session. Thus, we do not have access to any PHI.
  2. All meeting rooms are created with unique, randomly generated names as well as secured with a unique, randomly generated password at the time of creation.
  3. All meeting data is transmitted using industry standard encryption.
  4. If a third person enters a room, the meeting is instantly disbanded and all participants dropped from the call.
  5. Meetings are created on demand and cease to exist when both parties end the call. We do not use persistent meeting rooms.
  6. Created meetings are never displayed publicly, not even to the client. The client can only be invited to the call directly by the host.
  7. The host has complete control over the session and can end meetings as needed.
  8. Meetings use peer-to-peer (P2P) connections by default. No data is transmitted to our servers after the initial connection request other than the data required to know that a call is taking place.
  9. Meeting data is never logged or stored by us, not even for quality purposes.
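
The room lifecycle in items 2, 4 and 5, sketched as an added example; it is not EMDRremote's code. The class and method names are hypothetical, and it assumes a third participant who presents the valid password is what triggers the disband.

```python
import hmac
import secrets


class RoomRegistry:
    """In-memory only: a room exists from creation until the call ends."""

    MAX_PARTICIPANTS = 2  # host plus one client

    def __init__(self):
        self._rooms = {}  # room name -> {"password": str, "members": set}

    def create_room(self, host_id):
        # Item 2: name and password both come from the OS CSPRNG, so
        # neither can be guessed or derived from the other.
        name = secrets.token_urlsafe(16)      # 128 bits of randomness
        password = secrets.token_urlsafe(16)
        self._rooms[name] = {"password": password, "members": {host_id}}
        return name, password

    def join(self, name, password, participant_id):
        room = self._rooms.get(name)
        # Compare against a throwaway secret when the room is unknown, so
        # a missing room and a wrong password follow the same code path.
        expected = room["password"] if room else secrets.token_urlsafe(16)
        ok = hmac.compare_digest(expected.encode(), password.encode())
        if room is None or not ok:
            return "rejected"
        if participant_id in room["members"]:
            return "joined"
        if len(room["members"]) >= self.MAX_PARTICIPANTS:
            # Item 4: a third participant disbands the meeting for everyone.
            self.end(name)
            return "disbanded"
        room["members"].add(participant_id)
        return "joined"

    def end(self, name):
        # Item 5: no persistent rooms; name and password die with the call.
        self._rooms.pop(name, None)

    def exists(self, name):
        return name in self._rooms
```

Because a disbanded room is deleted rather than reset, its old name and password are rejected afterwards and the host has to create a fresh room.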

HIPAA Certification

Currently, the agencies that certify health technology – the Office of the National Coordinator for Health Information Technology and the National Institute of Standards and Technology – do “not assume the task of certifying software and off-the-shelf products” (p. 8352 of the Security Rule), nor do they accredit independent agencies to do HIPAA certifications. Additionally, the HITECH Act only provides for testing and certification of Electronic Health Records (EHR) programs and modules. Thus, as EMDRremote.com is not EHR software or an EHR module, our type of technology is not certifiable by these unregulated agencies.