Is Skype HIPAA-compliant? This is probably the question I get asked the most. For the purposes of this post, I am using the term Skype to include Skype and similar free web-based communication platforms that rely on proprietary voice-over-Internet technology.
As with so many things, the answer is complicated. But the question itself is misleading. Many vendors and manufacturers market their technology and products using terms such as “HIPAA compliant.”
However, products or technology cannot themselves be “HIPAA-compliant.” Hospitals, providers, and other covered entities are the ones who are either “HIPAA-compliant” or not. In other words, it is providers and practitioners that need to be “HIPAA-compliant,” not products or technology. Covered entities do, however, need to ensure that any technology or products they use are compatible with HIPAA standards so that they, as covered entities, can comply with their HIPAA obligations.
So, the real question should be whether Skype or similar platforms are compatible with HIPAA standards. And the use of Skype raises many HIPAA issues:
- Many platforms are proprietary
- Providers cannot reliably develop and verify an audit trail
- Providers may not know when a breach of information occurs
- There is no way to verify transmission security
- The platforms lack integrity controls
Among other things, the HIPAA rules require:
- Access control
- Audit controls
- Person or entity authentication
- Transmission security
- Business Associate access controls
- Risk analysis
- Workstation security
- Device and media controls
- Security management process
- Breach notification
The use of web-based platforms, especially proprietary ones, may make it difficult for health care entities to meet some of these obligations. At the very least, I think that the use of web-based platforms for patient communication carries a higher risk of violating HIPAA rules. And this is becoming increasingly important with all of the heightened HIPAA enforcement activity we have been seeing.
The Health Information and Trust Alliance and other organizations generally recommend against the use of Skype and similar platforms for communications involving health information. All of this does not mean a telepsychiatrist or other professional should not use Skype to communicate with patients—only that they should be aware of the increased risk. There are some things I would recommend providers consider to better protect themselves from potential HIPAA liability:
- Request audit, breach notification, and other information from companies
- Have patients sign HIPAA authorization and separate informed consent as part of intake procedures when using web-based platforms
- Develop specific procedures for the use of Skype and similar platforms (e.g., handling interrupted transmissions, backups)
- Train the workforce on the use of these platforms
- Exclude the use of these platforms for vulnerable populations (e.g., the severely mentally ill, minors, those with protected conditions such as HIV)
- Limit use to certain clinical purposes (e.g., only intake or follow-up)
- Use secure platforms with audit trail, breach notification, and other capabilities
Ultimately, my view is that providers should proceed with great caution when using Skype or similar platforms. The beauty of Skype is that it is free. Of course, it is always better to use fully encrypted and more secure technology when dealing with patients. But I realize that is not always an option given costs and logistics. So, if providers choose to use Skype, they may want to start by considering some of my recommendations.