Practitioner Pointer: Does the use of Skype raise HIPAA compliance issues?

This new feature from the APA Practice Organization provides answers from APA Practice staff to common inquiries from members.

Given the growing use of technology for communication, many practitioners are interested in knowing whether popular options are compatible with Health Insurance Portability and Accountability Act (HIPAA) requirements. Skype, whose basic features are free and easy to use, is one such option of interest to practicing psychologists.

HIPAA does not specify the kinds of technologies that covered entities should use for creating, receiving, storing or transmitting electronic patient health information (ePHI). Under the HIPAA Security Rule, covered entities must conduct individual risk assessments about the technologies (hardware, software, etc.) they use that store or transmit ePHI. 

Skype does use encryption, a factor related to HIPAA Security Rule compliance. Even so, that factor alone does not satisfy HIPAA requirements.

The use of Skype raises several concerns related to HIPAA.

First, liability for failure to comply with HIPAA is now shared equally by covered entities and business associates — third parties that provide services to covered entities and may have access to PHI. So it is critical for practitioners to have business associate agreements in place. 

Yet Skype does not offer business associate agreements for health care professionals who want to use it for telehealth purposes. In fact, Microsoft, which owns Skype, did not mention Skype in its April 2013 press release announcing its updated business associate agreement for its cloud services.

Further, Security Rule compliance requires that covered entities use technologies that include: 

  • Audit controls, which are mechanisms for monitoring who is accessing ePHI.
  • Breach notification tools, which are means of alerting users when there is an unauthorized disclosure of or access to ePHI.

Skype does not appear to offer any audit control or breach notification tools to alert you if there has been an unauthorized disclosure of ePHI.

Some organizations recommend not using Skype and similar Web-based platforms because of concerns related to HIPAA requirements. The bottom line: If you opt to use Skype to communicate with patients, be aware of the risk that HIPAA rules may be violated. 

Additional resources on HIPAA compliance issues related to using Skype:

Note: The information in this article does not constitute legal advice and should not be used as a substitute for obtaining appropriate professional consultation prior to making decisions regarding individual circumstances.

Practitioner Pointer provides answers to common inquiries from practicing psychologists.