Can You Skype and Be HIPAA Compliant? HIPAA & HITECH Act Blog by Jonathan P. Tomes


Well, you certainly can if you don’t disclose any PHI when communicating by Skype. But if you want to use Skype as a form of telemedicine, the answer is far more complicated. Skype allows users to communicate with peers by voice using a microphone, video by using a webcam, and instant messaging over the internet. Phone calls may be placed to recipients on the traditional telephone networks. Calls to other users within the Skype service are free of charge, while calls to landline phones and mobile phones are charged via a debit-based user account system. Skype has also become popular for its additional features, including file transfer and videoconferencing. Competitors include SIP and H.323-based services, such as Linphone and Google Hangouts.

Although Skype and similar technologies have benefits, such as familiarity, positive experience, easy and simple access, and the fact that it is free, such devices certainly have risks and compliance issues, including confidentiality and privacy, HIPAA compliance, dropped calls, and other potential interruption of communication.

Of course, there are other issues with any form of telemedicine, not just with Skype and its competitors, such as whether sessions transmitted across state lines constitute the unauthorized practice of medicine. See my Telemedicine Security Policy on the HIPAA Documents Resource Center CD, 6th ed., and/or my new HIPAA Compliance Sample Policies and Procedures CD.

In order to evaluate whether Skype is HIPAA compliant or not, one must look at these issues: encryption, business associate status, dropped calls and other technical difficulties, and prohibitions other than HIPAA against using Skype in telemedicine.

Encryption: When it comes to HIPAA compliance, Skype uses AES encryption, which is one of the federal government’s Federal Information Processing Standards (“FIPS”). A different FIPS standard, FIPS 140, consists of guidelines defining how encryption software should function. AES is part of the FIPS 140 standard. Thus, by using AES-style encryption, Skype meets an important part of the federal government’s standard for encryption, but not every aspect of it. Because federal agencies are required to meet all of these standards in their operations, a federal agency would not be permitted to use Skype for telemedicine. Adhering to the whole FIPS 140 standard, however, is not a requirement for HIPAA compliance. Those covered entities and business associates who do not work for the federal government are required simply to use “technical security measures” that reduce risks of confidentiality breaches to “reasonable and appropriate” levels under 45 C.F.R. § 164.306. Adhering to the FIPS 140 standard would appear to be compliant. Note, however, that a number of Skype alternatives, such as VSee, do meet the FIPS 140 standard (specifically, they meet “Level 2” of FIPS 140.) Thus, using Skype when FIPS 140-ceritifed alternatives are available may be hard to justify.

Skype has, however, implemented a variety of safeguards, including encryption techniques, which protect the confidentiality and security of protected health information (“PHI”) that may be transmitted using Skype’s Skype-to-Skype calling and video calling products unless the transmission is by normal telephones. A minimal level of encryption is 128-bit encryption. Skype’s 256-bit encryption provides more protection. HIPAA does not specify any particular level of protection other than the HITECH Act’s “safe harbor” to avoid reporting to the Department of Health and Human Services (“DHHS”) and to the victims of a breach for lost devices that contain PHI that are encrypted consistent with the National Institute for Standards and Technology (“NIST”) encryption standard. Currently, strong encryption is so widely available that it is very difficult to justify doing telemedicine without it.

Business Associate Agreements? Although the technical security that Skype provides appears to make it HIPAA compliant, Skype will not, at least currently, enter into business associate agreements. Other companies, such as, position themselves clearly as different from Skype and other free video conferencing companies. According to its website, “ will sign a Business Associate Agreement (“BAA”) with mental health professionals, a best practice for complying with HIPAA.” When using a service like, business associate agreements are required by HIPAA and not simply a best practice. HIPAA is not a “best practices” statute and regulations, but rather it is a “reasonable and appropriate” statute and regulations.

VSee is a videoconferencing software company that represents the other approach to the business associate issue. According to its website, “VSee never has access to any information, health or otherwise, that you may observe, transmit, or receive by using VSee, and therefore should not be considered a Business Associate under HIPAA rules.” Because the VSee company has no contact with the calls that you make using the VSee software and therefore could not access the PHI being sent across the internet, the business associate rule would simply not apply, and no business associate agreement would be necessary for HIPAA compliance. This situation appears to constitute the “mere conduit exception” to the business associate rule. Under the HITECH Act and the DHHS regulations implementing the Act, a mere conduit is not a business associate. If the organization cannot view the PHI, but rather is merely a conduit for its maintenance or transmission, it is not a business associate. The Final Rule implementing the HITECH Act indicates that, in order to be exempt from serving as a business associate, the software must only be transmitting the data (as Skype does) and must have no access to that information. This mere conduit rule exempts a company from being a HIPAA business associate only if it (1) only transmits the encrypted PHI and (2) never has access to the encryption key. The fact that Skype can give information to law enforcement (as it has been known to do), means that Skype has access to the encryption key, which means it must serve as a business associate. Skype, however, neither provides a business associate agreement nor claims to be HIPAA compliant.

An argument against the mandate to have Skype serve as a business associate is the conduit exception statement that, “[a]s we have stated in prior guidance, a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law.” The question is whether Skype, in giving law enforcement access to data, falls under “other law” or not. If so, they ostensibly could qualify for the conduit exception even though they have access to the encryption keys for each call.

Although this issue is unsettled, my view is that most likely DHHS would consider that Skype is a business associate and thus would not be usable by HIPAA covered entities until such time as Skype decides to start entering into business associate agreements with its health care customers.

See Skype’s security settings information.

Further, Skype’s terms state: “In order to provide you with Skype products you have requested, Skype may sometimes, if necessary, share your personal and traffic data with Skype’s group companies, carriers, partner service providers and/or agents, for example the PSTN-VoIP gateway provider, wi-fi access services providers, distributors of Skype software and/or Skype products, and/or the third party banking organizations or other providers of payment, email delivery, analytical services, customer support, or hosting services. Skype will always require these third parties to take appropriate organizational and technical measures to protect your personal data and traffic data and to observe the relevant legislation.” See Skype’s privacy policy and an interesting article on Skype on LinkedIn. This statement would further support the need for a business associate agreement. And the Omnibus Rule would require Skype, as an “upstream” business associate to have business associate agreements with its downstream business associates (subcontractors) that process PHI.

Skype, however, does not believe that it is a business associate. It says that it is merely a conduit for transporting information, much like the electronic equivalent of the U.S. Postal Service or a private courier. Skype does not use or access the PHI transmitted using its software. Skype has, however, implemented a variety of physical, technical, and administrative safeguards (including encryption techniques) aimed at protecting the confidentiality and security of the PHI that may be transmitted using Skype’s calling and video calling products. Considering the above discussion, one should not rely on this representation.

Dropped Calls and Other Technical Problems. Another concern is with dropped calls or when video freezes. This issue has to do with the quality and speed of the internet connection, as well as with the inner workings of the software involved. The concern is that, for patients or clients who are in crisis or in the midst of a panic attack, dropped calls can be very disruptive. Clinicians must take into consideration that such calls may be dropped and evaluate how it may affect their clients. They should assess whether these technologies suit certain clients with certain physical or mental disorders or conditions. Some of the advantages of commercial businesses that use different audio conferencing technologies are that they may be more reliable and also have technical support to help if video conferencing connections cannot be maintained. A number of practitioners believe that 24/7 tech support is a must for this type of communication software because the practitioner cannot always help patients/clients with technical troubles, especially when it is a group therapy session.

Prohibitions Other Than HIPAA against Using Skype in Telemedicine. Finally, licensure and other authorities may prohibit the use of Skype for any form of telemedicine. In Oklahoma, for example, using Skype is prohibited for telemedicine. The Oklahoma Board of Medical Licensure and Supervision Board, when disciplining a physician for using Skype, stated unequivocally that “Skype is not an approved method of providing Telemedicine.” The board noted that the OHCA Telemedicine Rule (“Rule”) requires that a “telemedicine encounter must comply with the Health Insurance Portability and Accountability Act (‘HIPAA’).” Additionally, the Rule requires that the “medical or behavioral health related service must be provided by a distant site provider that is located at an approved HIPAA compliant site, or site in compliance with HIPAA Security Standards. A telemedicine approved site is one that has the proper security measures in place, the appropriate administrative, physical and technical safeguards should be in place that ensure the confidentiality, integrity, and security of electronic protected health information.” OHCA further specifies that “[a]ll communications must be on a secured Virtual Private Network (VPN) that complies with HIPAA Encryption and Redundancy requirements.”

Conclusion. In conclusion, although the use of Skype offers benefits to health care providers, covered entities should consider readily available (for a fee) commercial video-conferencing systems that provide higher security and reliability than Skype’s technical support and that do sign a HIPAA business associate agreement. VSee is one exception that can be used for no fee. If, as other services, particularly cloud-based hosting services, have done, Skype changes it policy and will enter into business associate agreement, it would appear that using it could be HIPAA compliant. In the meantime, we recommend caution, a thorough risk analysis, a thorough analysis of the HIPAA compliance issues, and a review of what state laws, licensure requirements, and other rules, such as accreditation requirements, prohibit or restrict the use of Skype or other services.

seo by: k.c. seo