Skype

Skype & HIPAA Revisited

MARLENE MAHEU

June 30, 2013 | Reading Time: 3 Minutes
426

Please support Telehealth.org’s ability to deliver helpful news, opinions, and analyses by turning off your ad blocker. How

Skype as an issue continues to intrigue many mental health professionals considering telepractice. Regardless of the many discussions of the evidence-base that legitimizes the use of technology in mental health, or of the new guidelines being promulgated by leading professional associations, or even whether you call it online therapy, distance counseling, telepsych or telemental health, the discussion most certainly will roll around to which video platform is optimal. Of course, the FREE and easy-to-install video chat programs are of special interest, simply because of those two features. If they happen to be encrypted, many professionals consider them good enough. The real question is whether or not those three factors are enough for us as mental health professionals.  While professionals in technology or engineering may better understand the security and reliability of Skype or any of the other programs in the VoIP class is easy to investigate online. Here are a few specific areas of concern that can currently be found with a simple Google search:

  • Skype is proprietary software, so the U.S. authorities do not have access to audit trails as required by HIPAA.
  • If we as practitioners are entrusted to protect the confidentiality or privacy of our patients, is it right for us to ask them to sign away that right in an informed consent document, particularly when Skype is very clear in its website that security flaws do exist? For example, privacy on the Skype website is protected by a name and password. We all know that hackers delight in developing ingenious techniques to uncover usernames and passwords. It has also been well documented that people on the Internet are lax in developing strong usernames and passwords, rather, they use names of their pets or their birthdays, much of which can be easily guessed by people who know them.
  • Skype also uses the history file that records all communication. Skype security flaws continue to surface, including as recently as November 14, 2012. You can read more about this at this TechSpot article. Encryption codes for Skype have also been called into question as recently as May 20, 2013. For details, see this Ars discussion.
  • Different parts of HIPAA specify different requirements. See this TBHI blog discussion for the 18 “identifiers” that are prohibited by the HIPAA Privacy Rule.

What Does HIPAA Say? Practitioners who are covered entities must assemble and document a risk management plan reflective of an accurate understanding of the risks.  How many of us are capable of doing that with respect to SKYPE?  Other vendors will do that for us if they advertise their technology as being HIPAA compliant. Many will give us a Business Associate Agreement, that is, a document acknowledging that they understand the risks and obligations under HIPAA, and accept those liabilities as our vendors. Furthermore, if vendors who claim HIPAA compliance have a security breach, they must notify us as per the HITECH Act. The patients we treat must also be notified.  Since SKYPE does not claim to have HIPAA compliance, how can these legal requirements be met? What about reliability? For those of us who use Skype on a regular basis, it is common knowledge that Skype can easily drop the call during any 30 to 45 minute conversation. While Skype’s reliability is improving steadily, what would happen if a distraught patient was repeatedly trying to communicate an important message to you, and the call were repeatedly disconnected? Are you responsible for what might happen? If you have had the patient sign a consent form outlining this possibility, do you think that consent would hold up in a court of law if a complication ensued? Your Options: Is Skype your best option when a number of free, HIPAA complaint alternatives exist? They not only claim HIPAA compliance, but also are willing to give you a Business Associate Agreement to help you be worry-free about the system you choose for delivering professional care? See the resource list below for where to find them. Resources:

Essential Telehealth Law & Ethical Issues

Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!

Disclaimer: Telehealth.org offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. Some of Telehealth.org’s blog content is generated with the assistance of ChatGPT. We do not and cannot offer legal, ethical, billing technical, medical, or therapeutic advice. Use of this site constitutes your agreement to Telehealth.org Privacy Policy and Terms and Conditions.

Please share your thoughts in the comment box below.

Subscribe
Notify of
guest
1 Comment
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Vijay Sharma
Vijay Sharma
9 years ago

Very useful information!

Register for Free

Receive Any of Our 57 FREE Newsletters!

REGISTER

Most Popular Topics

You May Also Like…

ChatGPT HIPAA Considerations
ChatGPT HIPAA Considerations

ChatGPT HIPAA compliance is one of the hottest topics at 2023 conferences and with good reason. AI...