Encryption, audio, video, text, client records…oh my!

We were asked by a student recently,

If telephone counselling exists pre-internet – does any of the jurisdiction/ethical stuff (encryption etc) apply?

There are two issues-

  1. How easy it is to intercept a live “call” whether audio or video
  2. How any recorded information such as chat transcripts or text is stored




The issue with Skype is 1. while audio and video is encrypted in transmission, there are still concerns about how easy Skype is to intercept.and 2.chat and some client information is retained on the Skype server. So anytime there is recorded client information (the “raw material”) then that information must be transmitted properly but also stored properly- because it is part of the client record.


With regard to phone- it has always been advised to use a land line phone whenever possible. That means a phone that is attached to the base and the base is plugged into the wall. Handheld land line phones that receive a signal from the base are easy to eavesdrop and that is the same with mobile phones.


With regard to text messaging, this is maintained on a server which is why it is advised that the messages should be kept to housekeeping issues only. The other issue becomes where the texts are stored and if you are using a mobile phone from vodafone or verizon for example, those text messages are maintained on their servers, and are essentially the phone company’s record, not yours. There are some encrypted text message programs such as BlackBerry Enterprise that allow the organization to encrypt texts and store them on the organizations private server and there are other encrypted and HIPAA compliant text messaging services such as ProtectedSMS or medxcom.


So in summary, there are two issues


  1. How easy is it to intercept a live call, whether audio or video
  2. If utlizing text-based communication along with the live call, where it the recorded verbatim chat stored, how is it stored and who owns the record?


The issue with Skype is that even if in a perfect world, the encryption is state of the art, HIPAA requires that if a client record is stored on 3rd party server, that 3rd party has to agree to sign a HIPAA Business Associate Agreement. Since Skype won’t do that the counselor is left with no contract or agreement in place that says skype is safeguarding the client information for the therapist who retains ownership of the record.

Jurisdiction issues are murky at best and it is advised that each practitioner check within their own geographic region and that of their client’s to ensure no laws restrict the practice of therapy via distance.

I hope this has cleared up confusion, or at least has made the issue clear as mud!