By Stephen C. Taylor, General Counsel
HIPAA – or as it is formally known, the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 – substantially codified the way health information for virtually all Americans must be handled. Sections 261-264 of the law require the Secretary of Health and Human Services (HHS) to promulgate standards for, among other things, the electronic exchange, privacy and security of health information by those subject to its provisions (what the law and regulations call “covered entities”).
Virtually every health care provider in America who electronically transmits health information is a covered entity.
Nothing in the law proscribes videoconferencing, which – as my colleagues elsewhere on this site have described – can, in many instances, be a vastly more efficient method of conferring with a patient in a remote location, or with another provider in a distant location. But such teleconferencing, which has acquired the popular sobriquet of telehealth, is nevertheless subject to the requirements of HIPAA.
Some health care practitioners have considered using the popular VOIP (voice-over internet protocol) videoconferencing software known as Skype®, which has grown swiftly in the last five years or so. One of the reasons for this spectacular growth could very well have been that its developers in Luxembourg had taken steps to make the service one of the most locked-down and encrypted services available for such communication.
But, as reported by Eric Jackson in Forbes last July, when Microsoft (MS) acquired Skype in May of 2011 for $8.5 billion, observers wondered how MS could justify paying so much for a service that most users pay nothing to use and lets them communicate for free with other users. MS responded by saying that they simply wanted to own the world leader in VOIP.
Well and good. But in June of 2011, MS was granted a patent for “legal intercept” technology designed to be used with VOIP services (like Skype) which would allow “silent copying of communication transmitted via the communication system.”
Perhaps this is pure coincidence. But the point is that, if Microsoft has changed the architecture of Skype – which they have neither confirmed nor denied, but which anecdotal evidence suggests has occurred – the use of Skype to transmit medical and health information could expose the practitioner who unwittingly does so to significant civil and criminal liability under HIPAA.
Civil penalties begin at $100 per individual instance of violation, and are capped at $25,000 per calendar year for multiple violations of the same type. Criminal penalties are tiered, depending upon the willfulness of the violation and the use to which the information is put, but the lowest tier carries a fine of $50,000 and imprisonment of up to one year.
www.securevideo.com offers a securely encrypted environment for telehealth videoconferencing which is completely HIPAA-compliant. You can investigate further at https://sv2021.wpengine.com. But don’t take my word for it. Practitioners are urged to consult their own attorney. But for heaven’s sake, do it before you decide to use Skype for telemedical conferencing. You could be taking a big risk.
One thought on “So You Think Skype is HIPAA-Compliant?”
Nice article. Some thoughts I have on this…
Skype uses 256-bit AES, which is quite strong; however, they 1) will not claim to be HIPAA compliant, 2) will not sign a Business Associate Agreement, 3) do not provide audit trails of usage, 4) can be wire-tapped as a result of the changes by Microsoft, and 5) do not offer technical support, which I would argue is fundamental to HIPAA compliance, since without it you cannot address privacy concerns or confirm that the product is behaving as expected from a privacy standpoint.
So from a legal perspective, it seems that Skype’s encryption is sufficient, but that certainly does NOT make it HIPAA compliant. I would guess a Skype user would be subject to the civil penalties, but probably not the criminal ones.