- Skype is proprietary software, so the U.S. authorities do not have access to audit trails as required by HIPAA.
- If we as practitioners are entrusted to protect the confidentiality or privacy of our patients, is it right for us to ask them to sign away that right in an informed consent document, particularly when Skype is very clear on its website that security flaws do exist? For example, privacy on the Skype website is protected by a name and password. We all know that hackers delight in developing ingenious techniques to uncover usernames and passwords. It has also been well documented that people on the Internet are lax in developing strong usernames and passwords; instead, they use the names of their pets or their birthdays, much of which can be easily guessed by people who know them.
- Skype also uses a history file that records all communication. Skype security flaws continue to surface, including as recently as November 14, 2012. You can read more about this at this TechSpot article. Encryption codes for Skype have also been called into question as recently as May 20, 2013. For details, see this Ars discussion.
- Different parts of HIPAA specify different requirements. See this TBHI blog discussion for the 18 “identifiers” that are prohibited by the HIPAA Privacy Rule.

What Does HIPAA Say?

Practitioners who are covered entities must assemble and document a risk management plan reflective of an accurate understanding of the risks. How many of us are capable of doing that with respect to Skype? Other vendors will do that for us if they advertise their technology as being HIPAA compliant. Many will give us a Business Associate Agreement, that is, a document acknowledging that they understand the risks and obligations under HIPAA, and accept those liabilities as our vendors. Furthermore, if vendors who claim HIPAA compliance have a security breach, they must notify us as per the HITECH Act. The patients we treat must also be notified. Since Skype does not claim to have HIPAA compliance, how can these legal requirements be met?

What about reliability?

For those of us who use Skype on a regular basis, it is common knowledge that Skype can easily drop the call during any 30 to 45 minute conversation. While Skype’s reliability is improving steadily, what would happen if a distraught patient were repeatedly trying to communicate an important message to you, and the call were repeatedly disconnected? Are you responsible for what might happen? If you have had the patient sign a consent form outlining this possibility, do you think that consent would hold up in a court of law if a complication ensued?

Your Options

Is Skype your best option when a number of free, HIPAA-compliant alternatives exist? They not only claim HIPAA compliance, but are also willing to give you a Business Associate Agreement to help you be worry-free about the system you choose for delivering professional care. See the resource list below for where to find them.

Resources:
- Want to learn more about the HIPAA Privacy & Security Rules? OCR has established a listserv to inform the public about health information privacy and security FAQs, guidance, and technical assistance materials. We encourage you to sign up and stay informed.
- For a more thorough discussion of Skype, see The Perils of Using Skype, Psychiatric Times, March, 2013. (Registration is required, but worth it.)
- For a list of over 50 free and low-cost video platforms claiming HIPAA compliance, including two free video teleconferencing platforms, see this Telebehavioral Health Institute webpage.
- For a free webinar focused on these issues, join us and ask your questions during a 1-hour discussion at the Telebehavioral Health Institute Digital Training Center. Register here.
- For a 1 CE course with digital download and transcript, see To Skype or Not to Skype.
Your comments are invited below.