There seems to be continued confusion about whether or not Skype is HIPAA compliant. Please allow me to post some of the additional requirements under HIPAA and let you consider whether you are compliant when using Skype. First, HIPAA has three “rules”: transactions, security and privacy.
Some of our colleagues see the security rule and ignore the privacy rule. That privacy rule says that if any of the information below is exchanged by a covered entity and contains any of these 18 “identifiers,” it needs to be “protected.” (To determine whether you are a covered entity, see page 7 of HRSA’s “Covered Entity Charts: Guidance on how to determine whether an organization or individual is a covered entity under the Administrative Simplification provisions of HIPAA.”)
See the list of 18 identifiers covered by HIPAA below, which comes from the Yale University website:
ePHI stands for Electronic Protected Health Information. It is any protected health information (PHI) which is stored, accessed, transmitted or received electronically. Protected Health Information (PHI) under HIPAA means any information that identifies an individual and relates to at least one of the following:
- The individual’s past, present or future physical or mental health.
- The provision of health care to the individual.
- The past, present or future payment for health care.
Information is deemed to identify an individual if it includes either the individual’s name or any other information that could enable someone to determine the individual’s identity.
Data are “individually identifiable” if they include any of the 18 types of identifiers, listed below, for an individual or for the individual’s employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual:
- Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
- Telephone numbers
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Device identifiers or serial numbers
- Web URL
- Internet Protocol (IP) address numbers
- Finger or voice prints
- Photographic images
- Any other characteristic that could uniquely identify the individual
Instead of removing the data, sometimes making the information more general is sufficient for de-identification; for example, replacing birth date with an age range.
See also the HIPAA policy on de-identification.
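To make the two ideas above concrete (strip the listed identifier types, and where possible generalize rather than remove), here is an added example in Python. It is not from the original post or from any HIPAA guidance document; the field names, the age buckets, the regular expressions and the sample record are all assumptions constructed for this illustration, and a real de-identification review would need to cover far more than these patterns.

```python
"""Illustrative de-identification of a patient record (added example).

Applies the post's two ideas: drop fields that are direct identifiers, and
generalize instead of remove where that is enough (birth date -> age range,
other dates -> year only, exact age over 89 -> "90+").
Field names, patterns and the sample record are constructed assumptions.
"""
import re
from datetime import date

# Structured fields treated as direct identifiers (assumed field names that
# follow the post's list); these are dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "city", "county", "zip", "phone", "fax", "email",
    "ssn", "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "license_number", "vehicle_serial", "device_serial",
    "url", "ip_address", "fingerprint", "voiceprint", "photo",
}

# Identifier types that tend to leak inside free-text notes. Order matters:
# URLs are handled before the IP pattern so an address embedded in a URL is
# not mangled into two partial replacements.
FREE_TEXT_PATTERNS = [
    ("URL", re.compile(r"\bhttps?://\S+")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]
ISO_DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")


def age_range(birth: date, as_of: date) -> str:
    """Generalize a birth date to a ten-year bucket; ages over 89 are pooled."""
    age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    if age > 89:
        return "90+"  # the post lists exact age over 89 as an identifier
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def scrub_text(text: str) -> str:
    """Keep only the year of ISO dates; replace other identifier hits with a tag."""
    text = ISO_DATE.sub(lambda m: m.group(1), text)
    for tag, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{tag} REMOVED]", text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a copy of `record` with direct identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # remove: no generalization is safe for these
        if field == "birth_date":
            out["age_range"] = age_range(value, as_of)
        elif isinstance(value, date):
            out[field] = value.year  # generalize: all date elements except year
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "birth_date": date(1931, 6, 2),
    "admission_date": date(2023, 4, 5),
    "zip": "06510",
    "diagnosis": "Type 2 diabetes",
    "notes": "Call 203-555-0199 or jane@example.org; seen 2023-04-05 from 10.0.0.7.",
}
AS_OF = date(2024, 1, 1)  # reference date for age calculation (assumed)


def run_sample() -> dict:
    return deidentify(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    print(run_sample())
```

The structured fields are the easy part; the free-text notes are where identifiers usually survive, which is why the example scans them separately. Note the asymmetry the post describes: a birth date can be generalized into a range, but a phone number, e-mail address or IP address has no useful generalized form and is simply removed.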
ePHI includes any medium used to store, access, transmit or receive PHI electronically.
- Personal computers with their internal hard drives used at work, at home, or while traveling
- External portable hard drives, including iPods
- Magnetic tape or disks
- Removable storage devices such as USB memory sticks/keys, CDs, DVDs, and floppy diskettes
- PDAs, smartphones
- Electronic transmission, including data exchange (e.g., email or file transfer) via wireless, Ethernet, modem, DSL or cable network connections
As technology progresses, any new devices for accessing, transmitting, or receiving ePHI electronically will be covered by the HIPAA Security Rule.
Which standards does HIPAA impose?
HIPAA imposes the following standards on covered entities for the purpose of standardizing and protecting the use, disclosure and exchange of health information:
- Privacy standards, developed by the Department of Health and Human Services, that address the use and disclosure of health information, patient consent and authorization for the use of information, patient rights to review their health information, request edits and demand an accounting of disclosures of health information.
- Security standards for health information including administrative, technical and physical safeguards to ensure the integrity and confidentiality of health information and to protect against security breaches and unauthorized use or disclosure of health information.
- Standards for the transfer of information among health plans, needed, for example, for the coordination of benefits and the sequential processing of claims.
- Standards to enable electronic interchange. HIPAA calls for the adoption of standards for certain transactions and data elements, such as health claim status, eligibility for a health plan, health plan enrollment/disenrollment.
- Standards for code sets for the data elements for the transactions covered above.
- Standards for unique health identifiers for individuals, employers, health plans and health care providers.
- Standards for electronic signatures.
- Requirements related to notifying patients and DHHS in the event of a breach of PHI.