As stated in an earlier blog post, it’s almost impossible to know for sure whether Skype is HIPAA compliant, for these reasons:
- Skype is proprietary software, so we have no ready access to how it works behind the scenes.
- HIPAA was intentionally written as a document meant to evolve as technology evolves.
- HIPAA consists of three “rules.” They are complementary but often confusing: the transactions rule, the security rule, and the privacy rule. Many professionals are aware of only one of them. Before practicing online, good legal advice is warranted.
We are, then, trying to extract a yes/no answer from factors that are impossible to quantify.
“On the Internet you have no privacy, get over it.” (Scott McNealy, then CEO of Sun Microsystems)
Skype is unavailable for scrutiny by the Internet community because it is proprietary. The fact that it is owned by eBay could give many health care practitioners significant pause: eBay has a long history of cooperating with law enforcement agencies that want access to information about specific users.
Practitioners are usually cognizant of the fact that we are the guardians of confidentiality or privilege for our patients. Nonetheless, the fact that a patient is willing to sign a website disclaimer does not relieve us of our duty to protect the confidentiality and privilege of our patients, who have entrusted us to protect their best interest. However paternalistic this may sound, it is the way health care is delivered in this country.
Perfect paranoia is perfect awareness – Stephen King
HIPAA was first enacted in 1996. It regulated many areas that had previously been left to the individual judgment of practitioners. Because it involved technologies that were not yet built, and some not yet conceived, it had to be written in a way that left room for innovation. The wording of many provisions was intentionally vague. For instance, one part of the document is read as stating that the required encryption level is 128 bits. This has led to a lot of confusion, particularly when people go to websites such as Skype’s and find that the encryption Skype boasts is 256 bits. Is it all that simple? A key length by itself says nothing about how the keys are generated and managed, whether the call is encrypted end to end or only as far as Skype’s own servers, or what happens to the data once it reaches either endpoint.
The real question for us as professionals is, “What else might come into play?” If Skype is not willing to document its fitness for health care delivery in terms of HIPAA compliance, as other vendors in the telemedicine world have done for years, is it safe for us as health care practitioners to use its technology for patient contact?
Here are a few specific areas of concern:
- Are practitioners responsible if Skype has a security breach that compromises a patient’s confidentiality during a session? To answer that, look at the rest of HIPAA’s requirements. A “covered entity” must assemble and document a risk management plan that reflects an accurate understanding of the risks. How many of us are capable of doing that with respect to Skype? Other vendors do it for us when they advertise their technology as “HIPAA compliant.” Furthermore, if a vendor that claims HIPAA compliance suffers a security breach, it must notify us under the HITECH Act. Since Skype does not claim HIPAA compliance, how are we to know if a breach occurs?
- The remaining question, as I detailed in an earlier post, is this: if we as practitioners are entrusted to protect the confidentiality or privacy of our patients, is it right for us to ask them to sign that right away, particularly when Skype is very clear on its website that security flaws do exist?
- Access to a Skype account, for example, is protected only by a username and password. We all know that hackers delight in devising ingenious techniques for uncovering usernames and passwords. It is also well documented that people on the Internet are lax about choosing strong passwords; instead they use the names of their pets or their birthdays, much of which can be easily guessed by people who know them.
- Skype also keeps a history file that records all communication. In October of 2005 a pair of security flaws reportedly were discovered that made it possible for attackers to run hostile code on computers running a vulnerable version of Skype. What’s to prevent this from happening to our patients?
- What about reliability? For those of us who use Skype regularly, it’s common knowledge that Skype can easily drop a call two or three times during a 30 to 45 minute conversation. What would happen if a distraught patient were trying to communicate an important message to you and the call were repeatedly disconnected? Are you responsible for what might happen? Are you responsible for the frustration that might generate in that patient? If you had the patient sign a consent form outlining this possibility, do you think that consent would hold up in a court of law?
- Different parts of HIPAA specify different requirements. For the 18 “identifiers” that are prohibited in any technology-based exchange not documented as fully protected for PHI, see here.
Those are my views. Please comment below if you either agree or disagree.