Yesterday, the Syrian Electronic Army (SEA) hacked into Skype and Microsoft’s twitter account. The twitter feed read, “Don’t use Microsoft emails (hotmail,outlook), They are monitoring your accounts and selling the data to governments.” The same post also appeared on Microsoft’s twitter feed. Both were swiftly removed. In a statement today, Skype representatives said, “No user information was compromised.” What a sigh of relief, for Skype and their customer base!
We at SecureVideo want to reassure you that while internet security concerns heighten at times like these, we will always offer you peace of mind. We are a company built from the ground up to be HIPAA compliant. Our one-to-one connection gives you the utmost privacy in your videoconference connection. We do not route through, record, or store your sessions on any server. You and your practice are more secure with our videoconferencing solutions. Because of this, we are proud to offer a system you can trust.…Read More
If your practice is currently using a medical teleconferencing service (telemed), or if you are considering using one, you should know that the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the recently-finalized (March 2013) Rules promulgated thereunder, consider the provider of such service to be a “business associate.”
The final version of the HIPAA Rules require that covered entities (that would be you) enter into contracts with their business associates (that would be us) to ensure that the business associates will appropriately safeguard protected health information. This Business Associate Agreement also serves to specify the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. A business associate may use or disclose protected health information only as permitted or required by its business associate contract, or as required by law.
A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.
If you’ll pardon my side trip into the legal weeds, a Business Associate Agreement must be written, and must:
(1) establish the permitted and required uses and disclosures of protected health information by the business associate;
(2) provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
(3) require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;
(4) require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;
(5) require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings;
(6) to the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation;
(7) require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
(8) at termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity;
(9) require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and
(10) authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.
Elsewhere on this site, my colleagues and I have noted that Skype® is owned by Microsoft, and that Microsoft has not been forthcoming regarding the use to which they might put any information gleaned from the popular VOIP service for which they paid $8.5 Billion two years ago. Microsoft does enter into Business Associate Agreements with users of its cloud services, but when it comes to Skype, the company has been evasive. In fact, Erik Kangas Ph.D., a blogger who follows this issue, says flatly:
Skype does not claim any kind of HIPAA compliance and will not sign a required Business Associate Agreement and does not provide the tools to use Skype in a way that allows you to meet your own HIPAA compliance requirements (e.g. auditing). – http://luxsci.com/blog
Stephen C. Taylor
Heise Security, a top German internet security firm, has done some research that will be somewhat frightening to Skype users, especially those who believe their Skype sessions retain any promise of privacy.
A recent H-online article detailed research showing that Microsoft servers are programmed to visit HTTPS (SSL) URLs typed into the Skype instant messaging application. When questioned about this, Microsoft’s response was not believable, from a technical or business standpoint.
“A spokesman for the company confirmed that it scans messages to filter out spam and phishing websites. This explanation does not appear to fit the facts, however. Spam and phishing sites are not usually found on HTTPS pages. By contrast, Skype leaves the more commonly affected HTTP URLs, containing no information on ownership, untouched. Skype also sends head requests which merely fetches administrative information relating to the server. To check a site for spam or phishing, Skype would need to examine its content.”
The most troubling aspect here to me, is that Microsoft requires users, in order to use Skype, to accept that their information may be accessed by Microsoft; but then, Microsoft will not disclose exactly how the information will be used.
This untrustworthy approach is one of the reasons we started SecureVideo.com. And I don’t think you want Microsoft in your therapy session any more than I do.…Read More
By Stephen C. Taylor, General Counsel
HIPAA – or as it is formally known, the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 – substantially codified the way health information for virtually all Americans must be handled. Sections 261-264 of the law require the Secretary of Health and Human Services (HHS) to promulgate standards for, among other things, the electronic exchange, privacy and security of health information by those subject to its provisions (what the law and regulations call “covered entities”).
Virtually every health care provider in America who electronically transmits health information is a covered entity.
Nothing in the law proscribes videoconferencing, which – as my colleagues elsewhere on this site have described – can, in many instances, be a vastly more efficient method of conferring with a patient in a remote location, or with another provider in a distant location. But such teleconferencing, which has acquired the popular sobriquet of telehealth, is nevertheless subject to the requirements of HIPAA.
Some health care practitioners have considered using the popular VOIP (voice-over internet protocol) videoconferencing software known as Skype ®, which has grown swiftly in the last five years or so. One of the reasons for this spectacular growth could very well have been that its developers in Luxembourg had taken steps to make the service one of the most locked-down and encrypted services available for such communication.
But, as reported by Eric Jackson in Forbes last July, when Microsoft (MS) acquired Skype in May of 2011 for $8.5 billion, observers wondered how MS could justify paying so much for a service that most users pay nothing to use and lets them communicate for free with other users. MS responded by saying that they simply wanted to own the world leader in VOIP.
Well and good. But in June of 2011, MS was granted a patent for “legal intercept” technology designed to be used with VOIP services (like Skype) which would allow “silent copying of communication transmitted via the communication system.”
Perhaps this is pure coincidence. But the point is that, if Microsoft has changed the architecture of Skype – which they have neither confirmed nor denied, but which anecdotal evidence suggests has occurred – the use of Skype to transmit medical and health information could expose the practitioner who unwittingly does so to significant civil and criminal liability under HIPAA.
Civil penalties begin at $100 per individual instance of violation, and are capped at $25,000 per calendar year for multiple violations of the same type. Criminal penalties are tiered, depending upon the willfulness of the violation and the use to which the information is put, but the lowest tier carries a fine of $50,000 and imprisonment of up to one year.
SecureVideo.com offers a securely-encrypted environment for telehealth videoconferencing which is completely HIPAA-compliant. You can investigate further at http://securevideo.com. But don’t take my word for it. Practitioners are urged to consult your own attorney. But for heavens sake, do it before you decide to use Skype for telemedical conferencing. You could be taking a big risk.…Read More