Is Skype® HIPAA Compliant?


Given the growing interest in video conferencing services for communicating with patients online, healthcare organizations often come to Bridge Patient Portal with questions about the use of Skype® for telemedicine, and whether the software meets HIPAA compliance standards. Though HIPAA doesn’t specifically mention the types of technologies that healthcare providers can use for video conferencing, there are three key issues to consider.

1. Encryption

Skype® uses AES 256-bit encryption to secure the different channels of communication that take place on the platform (chat sessions, voice calls and video calls). This level of encryption exceeds federal guidelines for transmitting protected health information (PHI), which set the minimum level of encryption as 128-bit. However, this is not the only factor to consider in determining HIPAA compliance.

2. The Business Associate Agreement

One of the most compelling reasons against the use of Skype® for healthcare provider-patient communication is that Skype® will not enter into a business associate agreement (BAA). A BAA is required under the HIPAA Omnibus Rule for any entity that creates, receives, maintains or transmits PHI on behalf of a healthcare provider, health plan or healthcare clearinghouse.

There is some debate as to whether Skype® qualifies as a HIPAA business associate due to the “mere conduit” rule, which states that a company is exempt from being a business associate if:

– It only transmits PHI in encrypted format

AND

– It never has access to the encryption key

The problem with Skype® is that, while the company states that it does not have access to the PHI that it transmits, it has been known to provide information to law enforcement. This means that it has access to the encryption key and is, therefore, considered a business associate.

Another factor to keep in mind is that the Omnibus Rule requires business associates to provide “satisfactory assurances” that PHI will be protected as required by HIPAA rules. However, Skype® does not state anywhere that its services can be used in a HIPAA-compliant way.

3. Audits and Breaches

The HIPAA Security Rule requires covered entities to use technologies that include audit controls by “implement[ing] hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” Unfortunately, Skype® does not offer audit control tools for monitoring who has access to PHI, nor does it provide notifications in the event of a breach.

The Verdict: Is Skype® HIPAA Compliant?

While Skype®’s encryption methods are strong, overall the software does not meet HIPAA compliance standards. Organizations that use the software to communicate with patients over the internet should be aware of the risks involved and consider using specialized, HIPAA-compliant video conferencing platforms instead. If the patient has a preference for using Skype®, be sure that there is a record of the patient’s acceptance of the use of non-HIPAA-compliant technologies.

HIPAA-Compliant Skype® Telemedicine Alternatives Do Exist

There are alternative options for video conferencing. Cisco, for example, offers HIPAA-compliant video conferencing solutions for healthcare, as do a number of specialized telemedicine software/hardware vendors. The challenge with all of these systems is the cost and complexity of implementing the technology with patients, and the learning curve for patients in beginning to use software that they are more than likely unfamiliar with.

For consultations that do not require video, Bridge Patient Portal offers a HIPAA-compliant e-consultation platform. Bridge allows for two types of secure communication between patients and physicians: secure messaging and telephone calls, including integrated VoIP calling. Bridge provides a business associate agreement to the covered entities that they work with, and continuously monitors regulatory requirements to ensure compliance. Bridge Patient Portal can also be integrated with a variety of 3rd party video conferencing solutions, facilitating pre-consultation communication, billing and intake.

Does your organization offer e-consultations? Let Bridge know which software you use and how your experience has been thus far.

To learn more about HIPAA and email/SMS communication, read our article: The Facts about HIPAA and Email/SMS Communication with Patients

To learn more about HIPAA and healthcare applications please read our three part article series:


About 

Archer Lyle is Bridge Patient Portal's Chief Operations Officer. She specializes in patient engagement and electronic healthcare communications.
