Is Skype® HIPAA Compliant?
Given the growing interest in video conferencing services for communicating with patients online, healthcare organizations often come to Bridge Patient Portal with questions about the use of Skype® for telemedicine, and whether the software meets HIPAA compliance standards. Though HIPAA doesn’t specifically mention the types of technologies that healthcare providers can use for video conferencing, there are three key issues to consider.
1. Encryption
Skype® uses AES 256-bit encryption to secure the different channels of communication that take place on the platform (chat sessions, voice calls and video calls). This level of encryption exceeds federal guidelines for transmitting protected health information (PHI), which set the minimum level of encryption as 128-bit. However, this is not the only factor to consider in determining HIPAA compliance.
2. The Business Associate Agreement
One of the most compelling reasons against the use of Skype® for healthcare provider-patient communication is that Skype® will not enter into a business associate agreement (BAA). A BAA is required under the HIPAA Omnibus Rule for any entity that creates, receives, maintains or transmits PHI on behalf of a healthcare provider, health plan or healthcare clearinghouse.
There are some debates as to whether Skype® qualifies as a HIPAA business associate due to the “mere conduit” rule, which states that a company is exempt from being a business associate if:
– It only transmits PHI in encrypted format
– It never has access to the encryption key
The problem with Skype® is that, while the company states that it does not have access to the PHI that it transmits, it has been known to provide information to law enforcement. This means that it has access to the encryption key and is, therefore, considered a business associate.
Another factor to keep in mind is that the Omnibus Rule requires business associates to provide “satisfactory assurances” that PHI will be protected as required by HIPAA rules. However, Skype® does not state anywhere that its services can be used in a HIPAA-compliant way.
3. Audits and Breaches
The HIPAA Security Rule requires covered entities to use technologies that include audit controls by “implement[ing] hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” Unfortunately, Skype® does not offer audit control tools for monitoring who has access to PHI, nor does it provide notifications in the event of a breach.
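As an added illustration (not code from the original article or from Bridge Patient Portal), the following shows the kind of audit control the Security Rule language describes: a mechanism that records every access to a record containing ePHI and lets a reviewer examine that activity. The log is hash-chained so that edits or deletions of earlier entries are detectable, and the examine step flags access to records outside a user's assigned patients. The user names, record ids and care-team assignments are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample data: which clinicians are assigned to which patient records.
# These identifiers are hypothetical and do not come from any real system.
CARE_TEAM = {
    "dr_lee": {"P-1001", "P-1002"},
    "nurse_kim": {"P-1001"},
}

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(body):
    # Canonical JSON (sorted keys) so the hash is reproducible at verification time.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class PhiAuditLog:
    """Append-only, hash-chained log of access to records that contain ePHI.

    Each entry embeds the hash of the entry before it, so removing or altering
    an earlier entry breaks the chain and shows up when the log is examined.
    """

    FIELDS = ("user", "record", "action", "at", "prev")

    def __init__(self):
        self.entries = []

    def record(self, user, record_id, action, at=None):
        """Record one access event (who, which record, what action, when)."""
        at = at or datetime.now(timezone.utc).isoformat()
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"user": user, "record": record_id, "action": action, "at": at, "prev": prev_hash}
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """Return True if no entry has been altered, inserted or removed."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev:
                return False
            body = {k: e[k] for k in self.FIELDS}
            if _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def examine(self, care_team):
        """Return entries where a user touched a record outside their assignments."""
        return [e for e in self.entries if e["record"] not in care_team.get(e["user"], set())]


def build_sample_log():
    """Build a small constructed log with one out-of-scope access for review."""
    log = PhiAuditLog()
    log.record("dr_lee", "P-1001", "view", at="2024-01-10T09:00:00+00:00")
    log.record("nurse_kim", "P-1001", "view", at="2024-01-10T09:05:00+00:00")
    log.record("nurse_kim", "P-1002", "view", at="2024-01-10T09:07:00+00:00")  # not assigned
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify_chain())
    for e in log.examine(CARE_TEAM):
        print("out-of-scope access:", e["user"], e["record"], e["at"])
```

The point of the chained hashes is that an audit log is only useful for review if it cannot be quietly rewritten; the examine step is the "examine activity" half of the Security Rule wording, and in a real deployment it would feed an alerting or review workflow rather than print to a console.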
The Verdict: Is Skype® HIPAA Compliant?
While Skype®'s encryption methods are strong, overall it does not meet HIPAA compliance standards. Organizations that use the software to communicate with patients over the internet should be aware of the risks involved and consider using specialized, HIPAA-compliant video conferencing platforms instead. If the patient has a preference for using Skype®, be sure that there is a record of the patient's acceptance of non-HIPAA-compliant technologies.
HIPAA-Compliant Skype® Telemedicine Alternatives Do Exist
There are alternative options for video conferencing. Cisco, for example, offers HIPAA-compliant video conferencing solutions for healthcare, as do a number of specialized telemedicine software/hardware vendors. The challenge with all of these systems is the cost and complexity of implementing the technology with patients, and the learning curve for patients in beginning to use software that they are more than likely unfamiliar with.
For consultations that do not require video, Bridge Patient Portal offers a HIPAA-compliant e-consultation platform. Bridge allows for two types of secure communication between patients and physicians: secure messaging and telephone calls, including integrated VoIP calling. Bridge provides a business associate agreement to the covered entities it works with, and continuously monitors regulatory requirements to ensure compliance. Bridge Patient Portal can also be integrated with a variety of third-party video conferencing solutions, facilitating pre-consultation communication, billing and intake.
Does your organization offer e-consultations? Let Bridge know which software you use and how your experience has been thus far.
To learn more about HIPAA and email/SMS communication, read our article: The Facts about HIPAA and Email/SMS Communication with Patients
To learn more about HIPAA and healthcare applications please read our three part article series:
- HIPAA and Healthcare Applications, Part 1 of 3: What You Need to Know About User Authentication
- HIPAA and Healthcare Applications, Part 2 of 3: What You Need to Know About Auditing
- HIPAA and Healthcare Applications, Part 3 of 3: What You Need to Know About Data Transfer