Utilizing Skype to Provide TeleMentalHealth, E-Counseling, or E-therapy

By Ofer Zur, Ph.D.
2011

This article is part of an online course for CE credit on Telehealth.


Skype

Skype & its Appeal

Video conferencing, or what is often called Interactive Audio-Visual Technology (IATV), is one of the most popular forms of communication in the 21st century. As is obvious from its popularity, Skype and other similar technologies (see, for example, ooVoo at www.ooVoo.com) offer great convenience in communicating with others across distances.

For a general article on videoconferencing, IATV, and TeleMental Health, click here.

Skype is one of the most popular sites on the Web. It is a form of IATV, which is free (when used between devices which have access to the Internet) and readily available. It provides users the opportunity to communicate on their computers or similar devices, such as smart phones and iPads, with ease and for free. Skype offers audio and video communication to those with the needed computer hardware (a video camera and microphone) and who download the needed software to their computer from the Skype website at www.skype.com. The software is free but must be downloaded and installed on the computers of all individuals who want to communicate using it. Skype also offers a business version for a monthly fee, which allows for audio-visual conference calls.

Besides the ease of use and the fact that it is free, one of the main appeals of Skype is the fact that clients are familiar with it and many of them already use it and like it. This fact is highly important as has been shown with use of emails in therapy. Therapists often encounter resistance from clients to sign up to new email services so they can talk to their psychotherapists.

In summary, the appeals of using Skype in TeleMentalHealth, E-Counseling, or E-Therapy are:

  • Familiarity
  • Positive experience
  • Easy and simple access
  • The fact that it is free

The concerns about using Skype in Telehealth (to be described below) primarily focus on:

  • Confidentiality and privacy
  • HIPAA compliance
  • Dropped calls and other potential interruption of communication

General Considerations with utilization of Skype in TeleMentalHealth

As with any technology, there are a number of concerns that have been associated with the use of IATV in Telehealth and TeleMentalHealth. These issues include confidentiality and privacy, monitoring access, crossing state lines, informed consent, competence and scope of practice, and record keeping. To review a summary discussion of these issues, click here. Prior to using Skype in TeleMentalHealth, clinicians must analyze these considerations as they apply to Skype. More specifically to Skype, in addition to the above-mentioned concerns, clinicians must evaluate whether Skype is HIPAA Compliant and attend to the concerns of dropped calls and the interruption of service.

Skype and HIPAA Compliance

In order to evaluate whether Skype is HIPAA compliant or not, one must look at three issues: Encryption, Business Associate, and HITECH Act of 2011.

Encryption: When it comes to HIPAA compliance, Skype utilizes the AES encryption protocol, which meets the Federal Information Processing Standards (FIPS) for electronic transmission under HIPAA. Skype has implemented a variety of physical, technical and administrative safeguards, including encryption techniques, which protect or can protect the confidentiality and security of the Protected Health Information (PHI) that may be transmitted using Skype's calling and video calling products. A minimal level of encryption, often spoken of by knowledgeable professionals, is 128-bit encryption. Skype's 256-bit encryption technique meets this requirement. It must be noted that HIPAA intentionally placed vague requirements on encryption, as it is committed to being technologically neutral. Jason Zack, in his column "Does HIPAA Require that Communication with Clients/Patients be Encrypted?", states that HIPAA does not necessarily require encryption, but practitioners should take reasonable efforts to guard against unauthorized access to electronic PHI. Obviously, encryption is one of the most used ways to safeguard against unauthorized access into confidential digital records. Additionally, HIPAA doesn't certify software as being HIPAA compliant or not. Instead, various companies claim HIPAA compliance.

Several experts noted that it is harder to hack into Skype than into most telephone lines or brick and mortar offices and file cabinets. One must remember that hacking into Skype requires high expertise and skills. Hacking into Skype is much harder than simpler, low-tech and cheaper technologies, such as hidden recording devices in one's therapy office, electromagnetic emission keystroke loggers, etc.

Note: As will be discussed below, some experts have noted that while Skype does meet the HIPAA encryption requirement, it is still not HIPAA compliant due to two additional factors: 1. Skype does not state on its website that it is HIPAA compliant, and 2. Skype does not offer Business Associate contracts to therapists or clinics that use it for TeleMentalHealth purposes.

Business Associate: The second consideration that practitioners must take into account is the issue of the Business Associate. By law, the HIPAA Privacy Rule applies only to covered entities, such as health plans and mental health care providers. However, many health care providers and health plans do not carry out all of their health care activities and functions by themselves. They often use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these "business associates" if the providers or plans obtain assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity and will safeguard the information from misuse. Covered entities may disclose protected health information to such an entity, in its role as a business associate, only to help the covered entity carry out its health care functions. HIPAA mandates that practitioners must engage in a HIPAA Business Associate Agreement with such entities or 3rd parties, which makes the 3rd party HIPAA compliant.

Commercial companies, such as Breakthrough.com, position themselves clearly as different than Skype and other free video conferencing companies. They state on their website, "Breakthrough.com will sign a Business Associate Agreement with mental health professionals, a best practice for complying with HIPAA."

HITECH Act of 2011: On April 17, 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). This new provision expands the duties of business associates, which may require amendments to business associate agreements. Business Associates and Covered Entities alike now have direct responsibility and liability for breaches of 'unsecured' protected health information; the maximum penalty for non-compliance increases to $1.5 million/year; Business Associates that violate HIPAA Privacy & Security can now face criminal and civil penalties; individuals can be prosecuted; Business Associates must comply with HIPAA Security in the same manner as a Covered Entity; and the HHS Secretary is required to do periodic audits of Covered Entities and Business Associates to ensure compliance. The HITECH Act of 2011 added more ways to enforce HIPAA and added more regulations and penalties. These new regulations have added importance to the Business Associate contract. Several experts cited the HITECH Act to raise a concern that Skype has problems because it doesn't provide a protocol for audit trails or breach notification. Audit trails are a means of logging information to keep records about a video call, i.e., what and when. Breach notification relates to when data was accessed by unauthorized people or even an attempt to gain access to the video call. Outfits are supposed to notify the government when a breach or breach attempt occurs; Skype doesn't have that mechanism.

The question that is brought up in response to these concerns is how this differs from conducting a phone session with a client, knowing that neither Verizon nor AT&T has a mechanism to provide a protocol for audit trails or breach notification.

The Debate on Skype and HIPAA

The significance of the new regulations to the debate about the use of Skype or some other videoconferencing platforms has been articulated by Jay Ostrowski, MA, LPC, who has commented:

The issue I have with Skype is similar to that of Gotomeeting, Adobe connect and other videoconferencing solutions. All of them tout their encryption, but HIPAA and HITECH compliance is much more than encryption. For the past year and a half I have been working to create a statewide online counseling center, sponsored by a state (the first one). In order to be HIPAA and HITECH compliant, there needs to be a Business Associate Agreement with the technology company, protocols to limit and track access to protected health information. If asked, the technology companies need to produce logbooks of who had access to PHI and why. If there is a breach of security and any of this PHI is leaked, these companies are supposed to notify the covered entities (the counselors). Thus far, none of these companies are willing to do this. HITECH expanded the definition to include IP addresses and even zip codes in more rural areas. These technology companies do collect and store this information for covered entities and these covered entities are open to serious liability, at $10k per violation. I have spoken with these technology companies and they are not willing to sign a BAA and comply with the HIPAA/HITECH protocols. (For source, click here)

In another blog, Michael Day Williams, MS, NCC, also from Breakthrough.com, posted in 2011 regarding the question of Skype and HIPAA compliance:

Three, using a vendor whose terms explicitly grant permission for data to be shared with other entities: "In order to provide you with Skype products you have requested, Skype may sometimes, if necessary, share your personal and traffic data with Skype's group companies, carriers, partner service providers and/or agents, for example the PSTN-VoIP gateway provider, wi-fi access services providers, distributors of Skype software and/or Skype products, and/or the third party banking organizations or other providers of payment, email delivery, analytical services, customer support, or hosting services. Skype will always require these third parties to take appropriate organizational and technical measures to protect your personal data and traffic data and to observe the relevant legislation." See http://www.skype.com/intl/en-us/legal/privacy/general/ (for source, click here)

The Online Therapy Institute posted the following regarding the question of Skype and HIPAA compliance:

Breakthrough http://www.breakthrough.com recently received a written statement from a Skype representative and with Breakthrough's permission I am sharing this information. Skype is not a business associate subject to HIPAA nor have we entered into any contractual arrangements with covered entities to create HIPAA compliant privacy and security obligations. Instead, Skype is merely a conduit for transporting information, much like the electronic equivalent of the US Postal Service or a private courier. Skype does not use or access the protected health information (PHI) transmitted using our software. However, Skype has implemented a variety of physical, technical and administrative safeguards (including encryption techniques) aimed at protecting the confidentiality and security of the PHI that may be transmitted using Skype's calling and video calling products. ~ Harvey Grasty (For source, click here)

A few experts have raised the question: are Skype and other commercial video conferencing providers any different from cell phone companies? Skype may not be a viable alternative to carry telehealth operations, as it does not offer practitioners a Business Associate Agreement. Unlike some other video-conferencing providers, Skype does not offer an option of becoming a Business Associate in accordance with HIPAA law. One could argue, though, that psychotherapists do not have a HIPAA Business Associate Agreement with their phone company, such as Verizon or AT&T, when they talk to clients on the phone in between f2f sessions or as part of Telehealth practice. Similarly, psychotherapists, counselors and social workers do not have business associate agreements with the US Postal Service or UPS.

AdventureInTherapy.com has posted an interesting blog on the topic:

Skype and modern cell phones use the same basic protocol to communicate (packet switching), but basically what happens is that when you make a call, Skype or your cell phone operator sets up a connection between you and the person you are calling and then steps out of the way, leaving you and that person to talk as if you had your own circuit. Both Skype and cell phones encrypt the data they send. If anything, the AES encryption method used by Skype is probably more secure than the 30-year old A5/1 encryption method used in most cell phones. AES is approved by the government for top-secret information while A5/1 has already been partially broken. (For source, click here)

Some of the arguments about Skype security are reminiscent of the discussions in the 1990s regarding concerns with cell phone privacy and dropped calls.

Clinical Consideration with Use of Skype in TeleMentalHealth

Another concern that has been raised by some experts is the concern with dropped calls or when video freezes. Of course, this has to do with the quality and speed of the Internet connection. The concern is that for some clients who are in crisis or in the midst of a panic attack, dropped calls can be highly disruptive. Clinicians must take into consideration that such calls may be dropped and evaluate how it may affect their clients. They should assess whether these technologies suit certain clients, with certain mental disorders or conditions, in certain settings. Some of the advantages of commercial businesses that use different audio conferencing technologies are that they may be more reliable and also have technical support to help if video conferencing connections cannot be maintained.

Summary

Following is a brief summary of some of the points outlined in the above article:

  • HIPAA aspires to be technologically neutral. It does not require encryption. It requires practitioners to take reasonable efforts to guard against unauthorized access to electronic PHI. 
  • Skype generally matches government encryption practices. Skype relies on the same type and level of encryption used by the United States government to protect confidential information.
  • HIPAA doesn’t certify software as being HIPAA compliant or not. Instead, various companies claim HIPAA compliance.
  • Skype does not state on its website that it is HIPAA compliant.
  • Skype does not offer Business Associate contracts to therapists or clinics, which use it for TeleMentalHealth purposes.
  • HIPAA requires Business Associates to sign an agreement with Covered Entities if they are handling confidential information.
  • The HITECH Act of 2011 added more ways to enforce HIPAA and added more regulations and penalties that have added importance to the Business Associate contract.
  • Many experts emphasize the importance of using readily available (for fee) commercial video-conferencing systems that provide higher security and reliability than Skype, offer technical support, and do sign a HIPAA Business Associate agreement with the therapists.
  • Psychotherapists and counselors do not have a HIPAA Business Associate Agreement with their landline phone company or cell phone company, such as Verizon or AT&T, when they talk to clients on the phone between f2f sessions or as part of Telehealth practice. Similarly, psychotherapists, counselors and social workers do not have business associate agreements with the US Postal Service or UPS, even though they regularly use them to mail confidential information.
  • Dropped calls and lack of technical support may result in interruption of service and disruption of the clinical exchange, which can be significant in some settings with some clients.
  • There are no precedents or case law regarding the use of Skype in Telehealth or TeleMentalHealth.
  • Psychotherapists must make informed and educated decisions and conduct a thorough risk-benefit analysis when deciding what technologies they utilize in their TeleMentalHealth, E-Counseling or E-Therapy practices, and whether to use Skype or not.


ZUR INSTITUTE, LLC
Ofer Zur, Ph.D., Director
Sonoma Medical Plaza, 181 Andrieux St. Suite 211, Sonoma, CA 95476
Phone: 707-935-0655, Fax: 707-736-7045, Email: info@zurinstitute.com
 
© 1997-2012 Ofer Zur, Ph.D., LLC. All rights reserved. Privacy Statement, Disclaimer & Terms of Use. Last Modified: 12/30/2011