Reviewing the Debate on Skype & HIPAA Compliance and Introducing the Alternative Option
By Ofer Zur, Ph.D.
Table Of Contents
Skype & Its Appeal
General Considerations with utilization of Skype in TeleMental Health
Skype and HIPAA Compliance: Encryption, Business Associate, HITECH
Security Issues with Skype & Other Video-conferencing Technologies
While Skype is popular, familiar, free, and encrypted, the bottom line is that it is not HIPAA compliant and does not notify clinicians when breaches occur. As of January 2016, Skype does not provide a Business Associate Agreement (BAA). Most experts agree that a video-conferencing company that does not offer a BAA cannot be used in compliance with HIPAA. Check with VSee.com, Doxy.me, and other video-conferencing companies to see whether they provide a BAA for free and, if not, what a BAA would cost. An extensive list of options with side-by-side comparisons is available at http://www.telementalhealthcomparisons.com.
Video conferencing, or what is often called Interactive Audio-Visual Technology (IAVT), is one of the most popular forms of communication in the 21st century. As is obvious from its popularity, Skype™ and other similar technologies (see, for example, VSee.com or Doxy.me) offer great convenience in communicating with others across distances.
Skype is one of the most popular software services on the Web. It is a form of IAVT that is free (when used between devices with Internet access) and readily available. It lets users communicate with ease from their computers or similar devices, such as smartphones and iPads. Skype offers audio and video communication to anyone with the needed hardware (a camera and microphone) who downloads the client from the Skype website. The client is free, but it must be installed on the device of every person who wants to take part in a call. Skype™ also offers a business version for a monthly fee, which allows audio-visual conference calls.
Besides its ease of use and the fact that it is free, one of the main appeals of Skype is that clients are familiar with it; many already use it and like it. This matters, as experience with email in therapy has shown: therapists often meet resistance when they ask clients to sign up for a new email service just to communicate with their psychotherapist.
In summary, the appeals of using Skype in TeleMental Health, E-Counseling, or E-Therapy are:
- Positive experience
- Easy and simple access
- The fact that it is free
The concerns about using Skype in TeleMental Health (described below) primarily focus on:
- Confidentiality and privacy
- HIPAA compliance
- Dropped calls and other potential interruption of communication
General Considerations with Utilization of Skype in TeleMental Health
As with any technology, a number of concerns have been associated with the use of IAVT in Telehealth and TeleMental Health. These include confidentiality and privacy, monitoring access, crossing state lines, informed consent, competence and scope of practice, and record keeping; a summary discussion of these issues is provided separately. Before using Skype in TeleMental Health, clinicians must analyze how each of these considerations applies to Skype. Specific to Skype, and in addition to the concerns above, clinicians must evaluate whether they can use Skype and remain HIPAA compliant, and they must attend to dropped calls and other interruptions of service.
Skype and HIPAA Compliance: Encryption, Business Associate, HITECH
To evaluate whether Skype is HIPAA compliant, one must look at three issues: encryption, the Business Associate rule, and the HITECH Act of 2009.
Encryption: Skype encrypts calls with AES, which is itself one of the federal government’s Federal Information Processing Standards (FIPS 197). A different standard, FIPS 140, does not define a cipher; it specifies how a cryptographic module as a whole must be built and validated: which approved algorithms it may use (AES among them), how keys are generated, stored and destroyed, and what self-tests it must pass. Using AES therefore satisfies one important part of the federal government’s standard for encryption products, but not all of it. Because federal agencies are required to use validated modules in their operations, a federal agency such as the VA would not be permitted to use Skype for telemental health. Adhering to the whole of FIPS 140 is not, however, a requirement for HIPAA compliance. Those of us who do not work for the federal government are required only to use “technical security measures” that reduce the risk of a confidentiality breach to “reasonable and appropriate” levels. Using a FIPS 140-validated product is a strong “belt and suspenders” way to demonstrate compliance and to avoid having to report confidentiality breaches that may occur (PHI encrypted to the HHS guidance is treated as “secured”), but it is not strictly required by HIPAA for non-federal entities.
It is important to note, however, that a number of Skype alternatives do meet the FIPS 140 standard (specifically, Level 2 of FIPS 140). A number of experts therefore argue that it is difficult to justify using Skype when FIPS 140-certified alternatives are easily acquired. An extensive list of options with side-by-side comparisons is available at http://www.telementalhealthcomparisons.com.
That said, Skype has implemented a variety of physical, technical and administrative safeguards, including encryption, which protect or can protect the confidentiality and security of Protected Health Information (PHI) transmitted using Skype-to-Skype calling and video calling (note that when Skype is used to call ordinary telephones, these protections are lost on the telephone leg). The minimum level of encryption often cited by knowledgeable professionals is 128-bit; Skype’s 256-bit encryption meets this recommendation. Key length, however, says only how hard the ciphertext is to brute-force; it says nothing about who holds the key, which is the question the Business Associate and conduit-exception discussion below turns on. HIPAA intentionally placed vague requirements on encryption, as it is committed to being technologically neutral. Jason Zack, in his column Does HIPAA Require that Communication with Clients/Patients be Encrypted?, notes that HIPAA does not strictly require encryption, but that practitioners must make reasonable efforts to guard against unauthorized access to electronic PHI. Encryption is, of course, one of the most widely used safeguards against unauthorized access to confidential digital records, and as of 2014 strong encryption is so widely available that it is very difficult to justify doing therapy across the Internet without it. Note also that HHS does not certify software as HIPAA compliant; “HIPAA compliant” is a claim companies make in their own marketing materials.
Several experts have noted that Skype is certainly more secure than a standard phone call. Privacy advocates frequently criticize Skype for allowing law enforcement officials to monitor calls, but Skype’s particular services, specifically the ability to call standard telephones, make it a legal requirement that Skype be able to provide this access. HIPAA does not make practitioners liable for disclosures that are legally mandated, and there are no signs at this time that Skype routinely monitors calls for purposes other than compliance with law enforcement requests.
Note: As discussed below, some experts have argued that even though Skype uses strong encryption, using it for telemental health is still not HIPAA compliant for two additional reasons: 1. Skype does not state on its website that it is HIPAA compliant, and 2. Skype does not offer Business Associate contracts to the therapists or clinics that use it for TeleMental Health purposes.
Business Associate: The second consideration practitioners must take into account is the Business Associate rule. By law, the HIPAA Privacy and Security Rules apply only to covered entities, such as health plans and mental health care providers. However, many providers and health plans do not carry out all of their health care activities and functions themselves; they use the services of a variety of other persons or businesses. HIPAA allows covered providers and health plans to disclose protected health information to these “business associates” if they obtain assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity and will safeguard the information from misuse and unauthorized disclosure. Covered entities may disclose protected health information to such entities, in their role as business associates, only to help the covered entity carry out its health care functions. To maintain HIPAA compliance, practitioners must enter into a HIPAA Business Associate Agreement with each such entity or third party.
Commercial companies, such as Breakthrough.com, position themselves clearly as different than Skype and other free video conferencing companies. They state on their website, “Breakthrough.com will sign a Business Associate Agreement with mental health professionals, a best practice for complying with HIPAA.” Note that when using a service like Breakthrough.com, Business Associate Agreements are in fact a HIPAA requirement and not simply a best practice.
HITECH Act of 2009: On April 17, 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). HITECH expanded the duties of business associates, which may require amendments to business associate agreements. Under HITECH:
- Business Associates and Covered Entities alike have direct responsibility and liability for breaches of “unsecured” protected health information.
- The maximum penalty for non-compliance increases to $1.5 million per year.
- Business Associates that violate HIPAA Privacy and Security can face criminal and civil penalties, and individuals can be prosecuted.
- Business Associates must comply with HIPAA Security in the same manner as a Covered Entity.
- The HHS Secretary is required to conduct periodic audits of Covered Entities and Business Associates to ensure compliance.
In short, HITECH added more ways to enforce HIPAA, more regulations and more penalties, and in doing so it made the Business Associate contract more important. Several experts have cited HITECH to raise a further concern: Skype provides no way to see whether any third party has attempted to access your Skype account or Skype calls without your permission or knowledge. The access logs used for this are called “audit trails”; they record who accessed a call or account, what they did, and when. Breach notification is triggered when PHI is actually accessed by unauthorized people (a failed attempt is a security incident that should still be logged and reviewed). Covered entities are required to notify HHS when a breach occurs, and Skype has no mechanism to help you determine whether one has.
The question raised in response to these concerns is what the difference is between using Skype for therapy and conducting a phone session with a client, given that neither Verizon nor AT&T has a mechanism to provide audit trails for determining whether a breach occurred. A further question about breaches of Skype contact or call information is how anyone could tell whether a particular (non-recorded) audio or video call (as opposed to a chat) was between a therapist and a client or between a therapist and his or her friend, colleague or lover.
As for the application of the Final Rule (Omnibus Rule) released in January 2013, it appears, though there is some ambiguity and experts are still debating the issue, that “both access and encryption are vital to someone applying the conduit exception” (HIPAA Final Rule and the Conduit Exception, 20 Feb, 2013, Rob Reinhardt). The Final Rule seems to say that to be exempt from serving as a BA, the software must only transmit the data (as Skype does) and must have no access to that information. The conduit exception excuses a company from being a HIPAA Business Associate only if it:
1) Only transmits the encrypted PHI and
2) Never has access to the encryption key.
According to some experts, the fact that Skype can hand information to law enforcement (as it is known to have done) means that it has access to the encryption key, which in turn means it must serve as a BA. Yet Skype neither provides a BA Agreement nor claims to be HIPAA compliant.
An argument against the mandate to have Skype serve as a BA is the Conduit Exception statement that “As we have stated in prior guidance, a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law.” The question is whether Skype, in giving law enforcement access to data, falls under “other law” or not. If so, they ostensibly could qualify for the conduit exception even though they have access to the encryption keys for each call.
To sum up: to give law enforcement access, Skype must possess the encryption keys for our calls, which by itself would make Skype a Business Associate under the criteria reported by Rob Reinhardt. The actual text of the conduit exception, however, could imply that accessing a call to comply with a law enforcement request does not disqualify the service from the exception. The two sets of criteria are somewhat contradictory and difficult to interpret. The criteria reported by Mr. Reinhardt, though, were given to him directly by a representative of the Office for Civil Rights (OCR), which implies that they are the criteria OCR would apply in deciding whether Skype is a Business Associate. In other words, at the time of writing, the scales lean towards treating Skype as a Business Associate, and thus as unusable by HIPAA covered entities until such time as Skype begins entering into Business Associate agreements with its health care customers.
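The distinction the encryption section and the conduit-exception discussion both turn on is not key length but key possession: a service that relays only ciphertext it cannot open is a conduit, while a service that holds the session key can read every call it carries and hand the plaintext to anyone with a legal demand, with or without an audit trail. The following Python model is an added illustration, not code from the original article and not Skype’s or any vendor’s implementation. The `Provider`, `run_session` and `accepts` names are hypothetical, the message is a constructed sample, and the cipher is a toy built from HMAC-SHA256 so that the example runs on the standard library; it stands in for the AES the page mentions but is not a substitute for a vetted cipher.

```python
import hashlib
import hmac
import secrets

# Toy authenticated stream cipher: HMAC-SHA256 in counter mode for the
# keystream, plus an HMAC tag over nonce||ciphertext.  Added for this example
# only; it is NOT AES and does not model Skype's real protocol.
KEY_BYTES = 32      # 256-bit session key, the size the article cites
NONCE_BYTES = 16
TAG_BYTES = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from (key, nonce) in counter mode."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_BYTES)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip the keystream; raise ValueError on tampering."""
    nonce, body, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def accepts(key: bytes, blob: bytes) -> bool:
    """True if `blob` authenticates under `key` (shows tamper detection)."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


class Provider:
    """Hypothetical video/chat service sitting between therapist and client.

    holds_session_key=True is a hop-by-hop design: the session key is escrowed
    with the provider, so it can read everything it relays and hand plaintext
    to a third party (e.g. a lawful-intercept request).  holds_session_key=False
    is end-to-end encryption: the provider forwards opaque ciphertext and can
    meet the conduit test "never has access to the encryption key".
    """

    def __init__(self, holds_session_key: bool):
        self.holds_session_key = holds_session_key
        self._escrowed_key = None
        self.observed_plaintext = []   # what the provider could actually read
        self.access_log = []           # the audit trail the article says Skype lacks

    def on_session_start(self, session_key: bytes) -> None:
        if self.holds_session_key:
            self._escrowed_key = session_key

    def relay(self, blob: bytes, requester: str = "service") -> bytes:
        """Forward one ciphertext blob, logging who touched it and whether it was readable."""
        readable = self._escrowed_key is not None
        self.access_log.append({"who": requester, "bytes": len(blob), "content_readable": readable})
        if readable:
            self.observed_plaintext.append(decrypt(self._escrowed_key, blob))
        return blob   # the bytes on the wire are identical in both designs

    def lawful_intercept(self) -> list:
        """What the provider can hand over: plaintext only if it holds the key."""
        return list(self.observed_plaintext)


def run_session(provider_holds_key: bool,
                message: bytes = b"Client reports improved sleep this week.") -> dict:
    """Therapist -> provider -> client for one message; returns what each party ends up with."""
    session_key = secrets.token_bytes(KEY_BYTES)
    provider = Provider(provider_holds_key)
    provider.on_session_start(session_key)
    delivered = provider.relay(encrypt(session_key, message), requester="therapist")
    return {
        "client_received": decrypt(session_key, delivered),
        "provider_could_read": provider.observed_plaintext,
        "intercept_yields": provider.lawful_intercept(),
        "audit_log": provider.access_log,
    }


if __name__ == "__main__":
    for holds_key in (False, True):
        r = run_session(holds_key)
        print(f"provider holds key={holds_key}: client got {r['client_received']!r}, "
              f"provider could read {r['provider_could_read']}, audit log {r['audit_log']}")
```

Run it and both sessions deliver the same 256-bit-encrypted bytes to the client; only the escrow decision changes whether the provider (and anyone it answers to) can read them. That is the question to put to a vendor before the BAA question: not “how many bits?” but “who holds the key, and can you show me the access log?”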
Security Issues with Skype & Other Video-conferencing Technologies
Many forms of IAVT (Interactive Audio-Visual Technology) are readily available as commercial products that let users communicate from their computers or similar devices such as smartphones. Clinicians must ensure that any IAVT program they use is HIPAA compliant. An extensive list of options, with side-by-side comparisons, is available at http://www.telementalhealthcomparisons.com.
- Free Online Therapy Software Compared: Usefulness, Ease, Security, Support, & HIPAA (2016) by Roy Huggins
- How to Get Started With a “Skype Therapy” Practice by Roy Huggins
- How Skype Became Software Non-Grata, and Other Tech Will, Too by Roy Huggins
- Is Skype HIPAA compliant? No, it’s not (2015)
- APA (2014): Does the use of Skype raise HIPAA compliance issues?