Is Skype HIPAA-compliant? This is probably the question I get asked the most. For the sake of this post, I am using the term Skype to include Skype and similar free web-based communication platforms relying on proprietary voice over Internet technology.

As with so many things, the answer is complicated. But the question itself is misleading. Many vendors and manufacturers market their technology and products using terms such as “HIPAA compliant.”

However, products or technology cannot themselves be “HIPAA-compliant.” Hospitals, providers, and other covered entities are the ones who are either “HIPAA-compliant” or not. In other words, it is providers and practitioners that need to be “HIPAA-compliant” not products or technology. Covered entities do need to ensure that any technology or products they use be compatible with HIPAA standards so that they, as covered entities, can comply with their HIPAA obligations.

So, the real question should be whether Skype or similar platforms are compatible with HIPAA standards. And the use of Skype raises many HIPAA issues:

  • Many platforms are proprietary
  • Cannot reliably develop and verify an audit trail
  • May not know when a breach of information occurs
  • No way to verify transmission security
  • Lack of integrity controls

Among other things, the HIPAA rules require:

  • Access control
  • Audit controls
  • Person or entity authentication
  • Transmission security
  • Business Associate access controls
  • Risk analysis
  • Workstation security
  • Device and media controls
  • Security management process
  • Breach notification

The use of web-based platforms, especially those that are proprietary, may make it difficult for health care entities to meet some of these obligations. At the very least, I think that use of web-based platforms for patient communication carries higher risk of potentially violating HIPAA rules. And this is becoming increasingly important with all of the heightened HIPAA enforcement activity we have been seeing.

The Health Information and Trust Alliance and other organizations generally recommend against the use of Skype and similar platforms for communications involving health information. All of this does not mean a telepsychiatrist or other professional should not use Skype to communicate with patients—only that they should be aware of the increased risk. There are some things I would recommend providers consider to better protect themselves from potential HIPAA liability:

  • Request audit, breach notification, and other information from companies
  • Have patients sign HIPAA authorization and separate informed consent as part of intake procedures when using web-based platforms
  • Develop specific procedures regarding use of Skype and similar platforms (interrupted transmissions, backups, etc.)
  • Train workforce on the use of these platforms
  • Exclude the use of these platforms for vulnerable populations (e.g., severely mentally ill, minors, those with protected conditions such as HIV)
  • Limit to certain clinical uses (e.g., only intake or follow up)
  • Use secure platforms with audit trail, breach notification, other capabilities

Ultimately, my view is that providers should proceed with great caution when using Skype or similar platforms. The beauty of Skype is that it is free. Of course, it is always better to use fully encrypted and more secure technology when dealing with patients. But I realize that is not always an option given costs and logistics. So, if providers choose to use Skype, they may want to start by considering some of my recommendations.
