
Is Skype HIPAA-compliant?

I was talking with a friend a few days ago about telepsychiatry, and she asked a good question: “Is Skype HIPAA-compliant?”

For those fortunate enough not to know what HIPAA is, HIPAA is a law passed in 1996 governing, among several other things, the privacy of medical records. It is responsible for the unintelligible two- to three-page form you have to fill out any time you go to a doctor, dentist or pharmacy these days.

HIPAA says that protected health information (PHI) must be encrypted if it is sent over the Internet. Skype says that it uses AES encryption, which the NSA has approved for protecting top secret information, so it would seem defensible to treat a Skype call as encrypted PHI for HIPAA purposes.

Over at Voyager Telepsychiatry, there is a post in which the author describes sending emails to the Office of eHealth Standards and Services at CMS headquarters in Baltimore, Maryland, asking whether Skype was HIPAA-compliant, and receiving this reply:

CMS does not advise on technology specific issues, because the HIPAA [Privacy] Rule specifically allows for flexibility in the approach to safeguarding information…

The author of the post then goes on to say:

Who can argue that use of Skype’s 264-bit encryption technique [sic] does not meet HIPAA’s intentionally vague requirement that covered entities safeguard the transmission of private health information?

I looked at the linked document that referred to Skype’s 264-bit encryption technique, and I think the post author misread 256 as 264 somewhere. As the article points out, there are really two layers of encryption in Skype: a 1024-bit public-key key exchange is used to establish the keys, and those keys then protect a 256-bit AES-encrypted channel between the two people using Skype.

Without getting into the subtleties of key exchange, whether weak keys exist, and a lot of high-level cryptography that I don’t really know anything about, I think the main issue here is whether AES would survive a legal challenge. I think it would. My argument is that Skype is clearly harder to break into than my telephone line, and anyone willing to go to that much trouble to get someone’s PHI would be better served by much cheaper methods: hidden recording devices, electromagnetic-emission keystroke loggers, or simply hiring someone to break into my office while I was out. I would bet a lot of money that it would be easier to get confidential psychiatric records out of any hospital in Baltimore than to intercept my Skype conversation while it was going on, as long as my Skype password was secure.

Another post at Telehealth.net raises just this issue. Nothing on Skype or any other encrypted system I know of is secure if you use crappy passwords that someone can guess, like:

  • 1234
  • your name
  • your name plus your birthdate
  • dragon
  • 696969
  • letmein
  • qwerty

and the like. Maybe I’ll write a post in the future on generating passwords for Skype, but I’m happy to tell anyone who wants to know how I generate the passwords for anything that’s important to me: I use Diceware with 20 words. If you’re a hacker, good luck! I hope you have a fast computer.
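The 20-word Diceware passphrase described above, as an added example that is not from the post: this block generates a Diceware passphrase and puts its entropy next to that of a password picked from a common-password list and next to the 256-bit AES key mentioned earlier. The word list is a constructed stand-in for the real 7776-word Diceware list, and the comparison assumes the service accepts the full passphrase without truncating it.

```python
import itertools
import math
import secrets

# Diceware: five dice rolls select one word from a list of 6**5 = 7776 words.
DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776

# Constructed stand-in for the real Diceware list, which is keyed "11111".."66666".
# The real list maps each key to an English word; here the key itself is the word.
WORD_LIST = {"".join(r): "w" + "".join(r)
             for r in itertools.product("123456", repeat=DICE_PER_WORD)}


def dice_key(randbelow=secrets.randbelow):
    """Roll five dice (CSPRNG by default) and return the lookup key, e.g. '31452'."""
    return "".join(str(randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def diceware_passphrase(n_words, word_list=WORD_LIST, randbelow=secrets.randbelow):
    """Build an n-word passphrase; every word is an independent uniform pick."""
    return " ".join(word_list[dice_key(randbelow)] for _ in range(n_words))


def diceware_entropy_bits(n_words, list_size=LIST_SIZE):
    """Entropy of n uniformly chosen words: n * log2(list_size), about 12.9 bits/word."""
    return n_words * math.log2(list_size)


def guess_list_entropy_bits(guess_list_size):
    """A password that appears in an attacker's list of N common passwords is worth
    at most log2(N) bits, no matter how it looks (e.g. 'letmein', 'qwerty')."""
    return math.log2(guess_list_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate of the given entropy."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    weak = ["1234", "dragon", "696969", "letmein", "qwerty"]  # examples from the post
    print(f"password from the {len(weak)} listed examples: "
          f"{guess_list_entropy_bits(len(weak)):.1f} bits")
    # Even a million-entry common-password list stays under 20 bits.
    print(f"password from a 1,000,000-entry list: "
          f"{guess_list_entropy_bits(1_000_000):.1f} bits")
    bits = diceware_entropy_bits(20)
    # 20 words exceed the 256-bit AES key, so (assuming no truncation) the
    # passphrase is not the weakest link in the chain.
    print(f"20 Diceware words: {bits:.1f} bits (AES-256 key: 256 bits)")
    print(f"  exhaustive search at 1e12 guesses/s: "
          f"{years_to_exhaust(bits, 1e12):.2e} years")
    print("sample passphrase (stand-in words):", diceware_passphrase(20))
```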


{ 36 } Comments

  1. Mark Goldenson | October 30, 2009 at 8:16 pm | Permalink

    Patrick, good post. I think Skype is generally regarded as HIPAA-compliant, though Peter Yellowlees at UC Davis told me they did a technical review of Skype and decided it was not secure enough. I have asked for the reasons why but not heard back. UC Davis is a leader in telemedicine so it is notable that they passed. However, other institutions have found it is sufficient.

  2. patrickbarta | November 2, 2009 at 11:49 am | Permalink

    Mark,

    Thanks for the comment. If you ever find out why they thought Skype wasn’t secure enough, I would really like to know.

  3. Doug Ikelheimer, MD | November 6, 2009 at 7:04 pm | Permalink

    Don’t forget that there is a whole industry set up to market very expensive equipment for telepsychiatry (think Polycom here) and the industry is extremely threatened by the emergence of a free, HIPAA-compliant VTC system…

  4. patrickbarta | November 9, 2009 at 11:31 am | Permalink

    Doug,
    Don’t know about Polycom, but I’m writing the draft for a post on webcams right now.

    I’ve got a Logitech Webcam Pro 9000 at home and a Logitech 2 MP Portable Webcam C905 / QuickCam Pro for Notebooks on my laptop, $76.99 and $74.95 respectively.

    Any ideas on what Polycom charges?

    These are pretty high end webcams. Someone on a budget could probably get one for $30-$35 on sale somewhere.

  7. Marlene Maheu, Ph.D. | March 25, 2010 at 8:54 pm | Permalink

    Patrick,

    Thanks for linking to my blog above.

    Bad news: I’ve recently been informed by several IT experts of several deal-breaker Skype and other VoIP-based security vulnerabilities.

    They are worrisome, so I’ve blogged more extensively about them at http://telehealth.net.

    In essence, I’ve been informed that while some are better than others, any VoIP-based, public Internet platforms are vulnerable to eavesdropping, transmitting viruses to our own or our patients’ computers, identity hijacking and thus, impersonation.

    Multiply these issues by the power of worldwide dissemination of hacked information via internet, and the situation can suddenly be far worse than a thief breaking into our offices and stealing our files.

    The online videoconferencing world is far more complicated than even I imagined 6 months ago. If you get any other info about this, please let me know: drm@telehealth.net

    Best,
    Marlene

  8. Douglas Ikelheimer, MD, MA | March 25, 2010 at 9:30 pm | Permalink

    I continue to be unimpressed by the security concerns of live videoconference data transmitted via Skype. An extremely high level of technical sophistication (as well as felony level criminal intent) is required to hack into the encrypted data and I’m just not convinced the motive is there to learn a patient’s dose of Zoloft. Spy equipment able to eavesdrop on voice communication from a distance of 100 yards is readily available to anyone but somehow we don’t worry about that. So the high profile patient with sensitive personal information may not be interested in Skype telepsychiatry! But the average home maker is more than happy to take the risk of being ‘hacked’ if it means they can do a med check while their infant child takes a nap in the next room.

  9. Jan Price | May 11, 2010 at 11:17 am | Permalink

    Unless my history is incorrect, President Clinton was not in office in 1966… you might want to verify the date HIPAA was passed. I believe it was 1996.

    Your article states, “HIPAA is a law passed in 1966…”

  10. patrickbarta | May 12, 2010 at 1:41 pm | Permalink

    You’re absolutely correct. I typed 1966 when I meant to type 1996. Thanks for pointing this out.

  11. Marlene Maheu, Ph.D. | May 12, 2010 at 2:11 pm | Permalink

    Realistically, don’t you think that if any company were HIPAA compliant, they would be plastering the net and our professional journals with related ads?

    Seems to me that to be the first to market with such HIPAA compliance via the Internet would draw a tremendous amount of healthcare $$$.

    If you look at respected telemedicine product developers, such as Polycom and Tandberg, both have what they consider low-end video products, and they make a very big deal about that compliance.

    In fact, they will not be hesitant to give you the alphabet soup of HIPAA codes with which they consider themselves to be compliant.

    So if Skype or any other VoIP system is HIPAA compliant, why can’t I find a statement on their website clearly stating so? Or have I missed it?

    My position is that we need to be careful about overstepping the limits of technology in our enthusiasm to use it. We are professionals, and consumer protection is our #1 mandate, no?

    Besides, there’s no need to run into this fray now. I for one have been waiting 15 years to see us even begin having such open discussions. Why not wait another little bit and do it right? Several large companies are coming online with HIPAA compliant video technologies. Keep your shirts on ;-)

    Meanwhile, we have plenty to keep us frontrunners busy. Professional education covering licensure and a host of other regulatory issues such as duty to warn/report, patient as well as professional authentication, adherence to research protocols, emergency backup etc. need to be addressed before licensed pros can reasonably work online.

    See http://telehealth.net or http://centerforonlinecounseling.com for more info.

    Marlene
    619-255-2788

  12. patrickbarta | May 12, 2010 at 3:44 pm | Permalink

    Dr. Maheu,

    Thanks for the comment. I’m not sure I agree with you, but I don’t think anyone really knows the answers to the questions right now. I would take exception to how much of a priority it would be for Skype to get all involved with HIPAA compliance and the like. HIPAA is a big deal in healthcare, but healthcare isn’t a very big part of Skype’s business right now.

    I tend to be suspicious of any proprietary solutions for anything that can be done more openly.

    I wonder how Skype or anyone else could claim HIPAA compliance. Do you know of any known procedure where the government approves these things? As far as I can tell, most companies who claim HIPAA compliance mainly assert it.

    More to come for both of us, I assume.

  13. Doug Ikelheimer, MD | May 12, 2010 at 7:04 pm | Permalink

    I agree that many in this industry have something to protect when Skype is considered as a free and HIPAA-compliant platform for telepsychiatry.

    Two additional points must be recalled when discussing this topic:

    (1) The HIPAA Privacy Rule specifically allows for flexibility in the safeguarding of electronically transmitted information and is intentionally vague. Therefore, what constitutes “HIPAA-compliance” is up for debate. No security measure can ever be considered ‘absolutely’ secure but the 256-bit encryption technique employed by Skype eliminates the possibility of eavesdropping for all but the most technologically sophisticated and criminally motivated of individuals. It is much easier to eavesdrop on an outpatient appointment by standing outside the door and listening carefully.

    (2) Most patients interested in receiving mental health treatment via Skype are not concerned about the obscure security risk and are more than happy to sign a document outlining informed consent for this treatment – given the enormous convenience it affords – thus rendering the issue all but moot.

  14. Marlene Maheu, Ph.D. | May 12, 2010 at 8:29 pm | Permalink

    All I can suggest is that you read the literature, take the time to talk to the people who not only make the technology we’re using, but those who have been using it for the last 40 years in successful telemedicine settings.

    As I said above, Polycom and Tandberg have no problem listing the specific requirements they meet. Neither do a number of other telecommunication technology companies. Call them and ask. You’ll see what I mean.

    Then please, take the time to speak to knowledgeable telehealth malpractice attorneys. I’ve had a number of them come present at conferences with me since 1995. They all say the same thing. Practitioner beware: case law will be forged — on your backs.

    For a directly relevant example, look at what’s happened with the prescription-writing pharmacies and physicians who prescribed medication online without ever seeing the patient. They went against the standard of care, several people have died or suffered irreparable harm. Now these companies are being shut down, with hefty fines.

    I’ve been at this a long time, and am more eager than any one to set up online practice with my colleagues. It is inevitable, but there is a world of litigation waiting to happen online.

    I am not a techie, but I have spent the last 15 years talking to these people – and many more in telemedicine, telehealth and e-health.

    What have I done and why am I going on about this? I’ve consulted with managed care companies, universities, startup companies, technology companies, group practices, as well as solo practitioners. I’ve written grants, books, book chapters. I’ve presented or helped organize over 150 presentations on telemental health. Google my name.

    Go here and look at the list of peer reviewed, research studies that I have amassed in my own research. That list grows every day: .
    If you are serious about wanting the latest possible information, go to ATA annual convention this next weekend in San Antonio.

    I’ll be speaking to that ATA group on Tuesday afternoon during the convention, where I am both moderating (and presenting) a panel designed to specifically address legal and ethical issues. We also will be covering the best practice guidelines recently issued by the ATA’s telemental health special-interest group (SIG).

    ~~

    Those of us with licenses have each been given the privileges and responsibilities of protecting the consumer public. We each get to make our choices — and our licenses hang in the balance. An often forgotten fact is that the reputation and respectability of our chosen professions also hang in the balance.

    Whatever you decide to do, I firmly believe we are all on the same team and trying to move some very traditional, very reluctant professions into the 21st century.

    As colleagues, I hope we focus on that shared goal, help each other however we can to move forward responsibly as we each strive to deliver the highest quality care to the consumer public.

    If you find any information to support or contradict anything I have said or written, please let me know. If you find articles you think I might want to read, please drop me a line through any one of my websites.

    In addition to the blog and website mentioned above, you’ll find the positions I’ve taken fully explained in two primary academic/professional books:

    1. The Mental Health Professional & the New Technologies: A Handbook for Practice Today.
    http://budurl.com/37lw

    2. eHealth, Telehealth & Telemedicine: a guide to Startup and Success. http://budurl.com/fa47

    Sincerely,

    Marlene M. Maheu, Ph.D.

  15. Douglas Ikelheimer | May 18, 2010 at 12:38 am | Permalink

    Dr. Maheu –

    Your qualifications and experience in the field of telemental health are unquestioned. But how far has telemedicine really come in 40 years? Have you ever tried Skype? Doesn’t widespread availability of free VTC software represent the breakthrough for which we have all been waiting?

    You make reference to “prescription-writing pharmacies and physicians” who have been prosecuted for prescribing without ever seeing the patient. None of the physicians prosecuted were practicing anything resembling legitimate telemedicine – they were approving online forms and dispensing over the internet without performing a legitimate medical examination. Using free VTC software and the internet to perform a medical (psychiatric) evaluation and then prescribing through traditional means represents a system which meets standards of care – including the establishment of a bona fide physician-patient relationship – with the single exception being that physician and patient are physically separated.

    Innovation does not come without risk but I don’t want to allow the fear of case law to interfere with promotion of a revolutionary and efficacious treatment medium which is cheap, green, and secure. Widespread acceptance of this technology means access to mental health treatment for millions who would otherwise go without – not to mention the long-sought realization of the potential for telemedicine.

    You mention the ATA’s 2009 document “Evidence-Based Practice for Telemental Health” and in fact my 2008 Letter to the Editor in Psychiatric Services entitled “Treatment of Opioid Dependence via Home-Based Telepsychiatry” was referenced in the document as having “demonstrated positive results”. As you are aware, the ATA’s document is now considered the standard of care and having been referenced by that group offers an important piece of confirmation that I am on the right track.

    Caution is warranted – just not at the expense of innovation.

    Regards,

    Douglas Ikelheimer, MD, MA
    Voyager Telepsychiatry LLC
    http://www.telepsychiatry.com

  16. Chad Wilkinson | December 9, 2010 at 4:49 pm | Permalink

    Hello all,
    I am an IT Director for a healthcare facility and I am also our company’s HIPAA security officer. I agree with everyone on this post on one common thread: HIPAA is vague. The part of the discussion that so many here are missing is not can we but should we. Dr. Maheu has made the most logical argument I have heard yet from anyone. The technology is coming of age, but we must let it come of age before we put anyone’s rights (yes, I said rights) at risk. The difference between the eavesdropper outside the door and the hardened criminal is proximity. The whole world is right outside your door, folks. The good guys and the bad guys; this message may bump into a future felon on its way to this post, but there is no security outside the door. They are invisible and you don’t know when or what may have been compromised. Your clients, your patients and their loved ones deserve your attention and respect for their rights. I am sure when you hung your shingle you took some time to be sure you were in a good neighborhood; there is no such place on the internet, it’s just one big playground. Your clients trust you with their information; don’t water that down for the sake of convenience. Take this stuff seriously, the fines are very serious: what would a 1 million dollar fine do to your company? Are you willing to risk that for the sake of convenience? Will Skype pay the fine for you if it is compromised? Technology is my job. I am excited about the possibilities, but they are not yet proven. Wait for it.

  17. Douglas Ikelheimer | December 9, 2010 at 5:14 pm | Permalink

    Points well taken, and thanks for joining the thread. But wait for what? What about 256-bit encryption is not yet proven? If it is secure enough for the US Government, large banks, and large corporations to transmit sensitive information, why wouldn’t my patient trust it to communicate the benefits and side effects of a medicine they are taking? And like anything else in medicine, doesn’t it all come down to informed consent?

  18. Marlene M. Maheu | December 9, 2010 at 9:25 pm | Permalink

    Doug,

    I appreciate your desire to be innovative. I wish more people were of our ilk.

    With regard to the ATA document, and with all due respect to your reference to that set of guidelines, it clearly states in the opening pages that it doesn’t apply to the Internet.

    Rather, it is written for large institutional setting, such as hospitals and the VA, where a dozen pros interact with patients, where EMR are prevalent, where someone has taken vitals and the patient typically has had not only a primary care doc seeing them but also a large staff of admins, nurses and IT professional training them on how to use technology safely.

    It doesn’t apply to someone jumping on Skype in the name of “innovation” and delivering care to an unknown, unseen, undocumented patient in an unsupervised setting, (note the use of this key word phrase and its use in the most recent ATA journal articles about “safe” use of video), who may or may not be who they say they are, or live in the state or country they claim to inhabit.

    And yes, I do use Skype and have for years on an almost daily basis – but not with patients who rely on my professionalism to give them direction.

    ~~
    In the name of expediency, I will make only one more point about the reliability issue and Skype or Google Talk or OOVOO or any VoIP-based video system not YET professing to be HIPAA compliant:

    HIPAA stands for Health Information Portability and Accountability Act.

    Portability and accountability refer to the transfer of information, which includes reliability. See my 2005 text book for details about how this applies to mental health.

    I am not an attorney, but from what I’ve read, if you recommend an unreliable system to patients or clients, be it a party-telephone line carrying your fax or direct care, you are in effect vulnerable to being found guilty of violating HIPAA.

    To address the inherent unreliability of even the most robust $100k per seat traditional telemedicine systems used for patient care and amply documented in the literature, an IT specialist needs to be on duty at all times during the patient contact.

    How many professionals using Skype with their patients comply with that standard of care (which is also a recommendation of the ATA video guidelines, BTW)?

    It behooves us all for more of us to read the literature, take CE courses and get supervision when working remotely.

    Yes, let’s adopt technology, but let’s not forget that we are professionals first and foremost.

  19. Doug Ikelheimer, MD | December 10, 2010 at 12:03 pm | Permalink

    How many private outpatient psychiatrists do you know that take vital signs in their office? How many ask for state-issued identification? How many have anybody in the room other than the patient?

    In the model of Skype telepsychiatry that I advocate, I require that patients submit a copy of their state-issued ID, vitals are taken on camera with a standard auto-cuff as clinically indicated, and I often require that patients are followed by primary care. In this way, my model is often superior to the standard of care exhibited in routine outpatient psychiatry. Patients are certainly not unknown, unseen, or undocumented.

    I do not see the relevance of EMR; the method of documentation is irrelevant with regard to the mechanism by which the interview takes place.

    In the VA system and with most commercially available VTC systems, a large staff might be required due to the high complexity (and “inherent unreliability”) of the technology employed. Of course this tends to increase the cost, and thus inhibits the growth of telemedicine. Skype is not inherently unreliable; its enormously simple and reliable interface obviates the need for an on-site IT specialist. Standard of care changes with evolving technology.

    As with all aspects of medicine we manage risk, balance it with benefit, carefully inform our patients, and we allow the patients to choose their course of treatment; practicing with fear stifles innovation and denies patients new forms of therapy.

    Time will tell whether I am correct that Skype will revolutionize the delivery of mental health treatment and render obsolete traditional telemedicine platforms. But until then I will continue to advocate for this model because I believe it is safe, secure, reliable, effective, convenient, and cost-effective.

  20. Chad Wilkinson | December 10, 2010 at 7:01 pm | Permalink

    The debate about whether or not Skype is secure reminds me of a song from bible school when I was a kid.
    “The wise man built his house upon the rock”
    The debate is not solely about whether 256-bit encryption is secure enough. The entire system is “built upon the sand”. Your system is at the mercy of the computer you are using, the computer your client is using, the unreliable and insecure internet connection you are using, and the unsafe password policies in place; none of these are HIPAA compliant. You can’t look at Skype or any teleconferencing as one single piece. It is a system with many moving parts, a chain if you will, and any weak link will allow it to break. The less cost-effective options (Polycom, Tandberg etc.) are secure systems, not just secure parts. You are only as secure as your weakest link, and with Skype you have a lot of potential weak links that you have no control over.

  21. Ofer Zur, Ph.D. | February 3, 2011 at 1:07 pm | Permalink

    I appreciate the informative discussion whether Skype is HIPAA compliant or not and added it to my Telehealth Resources Page at http://www.zurinstitute.com/telehealthresources.html#skype
    More resources are welcome.

  22. Sande Olson | August 22, 2011 at 10:58 am | Permalink

    The debate regarding Skype will continue. The reality is Skype is being used today, and effectively. The question being asked by caregivers using Skype is “what is the probability of risk given the need?”. If health care waits for infallible IT security (no one can guarantee that), we will never take telemedicine mainstream. After 3 years of monitoring 1,000 patients seen each month by quality physicians in a much needed patient environment, I believe the need far outweighs the risk. And from outcomes, I sincerely believe that any of these patients would concur.

  23. Chad Wilkinson | August 22, 2011 at 11:21 am | Permalink

    The problem with that logic is that it is not your call. It is your responsibility to ensure confidentiality, and it is your patients’ right. Read that again: it is their “RIGHT”, so regardless of how insignificant the risk may seem, you are making a decision on how to protect their rights. Read the HIPAA confidentiality statement you ask your patients to sign some time; it is a commitment by you not to put their information at risk. It would be like me writing a prescription for something after I read about it on Web MD. I am not a Dr. and I don’t pretend to be. If you were an “IT Dr.” we wouldn’t be having this conversation. You are prescribing “medicine” (IT) without a license, and medicine that has not been “FDA” (HIPAA) approved. Just remember that when you are looking at your “lab rats” (patients) through your web cam. Maybe you can get a PRACS waiver or something for your test subjects. Skype was recently purchased by Microsoft and I’m sure it will be considered secure at some point, but right now it is not. I do like the made-up word though; Telepsychiatry, is that on Wiki? It sounds neat!

  24. Doug Ikelheimer | August 22, 2011 at 11:30 pm | Permalink

    But it can be argued that use of Skype’s baseline sophisticated encryption techniques in fact does ensure confidentiality – perhaps more so than what might be expected when a patient waits in a small waiting room and bumps into his neighbor.

    What percent of the population do you believe has the technical capacity to intercept and decode a Skype transmission? On the other hand, what percent has the capacity to eavesdrop on a private conversation – even without listening equipment from the local spy shop?

    HIPAA does not “approve” any given VTC equipment. It is up to the provider to decide whether a given platform complies with the intentionally vague Privacy Rule.

    And lab rats do not provide informed consent.

  25. Marlene Maheu | August 23, 2011 at 12:08 am | Permalink

    For HIPAA and Skype facts from technical and risk management experts, come to the FREE webinar Tuesday, August 23 at 11 AM Pacific. 2 PM Eastern time.

    See this page for details: http://telementalhealth.com/webinars

    Also available for 1 CE and recording downloads will be available after the FREE live event for a minor fee.

  26. Doug Ikelheimer | October 14, 2011 at 1:11 am | Permalink

    HIPAA does not even apply to practitioners who only accept cash payment and do not bill insurance. By definition, if you do not transmit any ‘covered transactions’ electronically then you are not a ‘covered entity’, where ‘covered transactions’ are defined loosely as requests for reimbursement from insurance programs. See

    https://www.cms.gov/hipaageninfo/downloads/CoveredEntityCharts.pdf

    This helps confirm my theory that Skype telepsychiatry will eventually explode among the population of cash-only private practitioners.

    I do not dispute the inherent need for security and privacy in the use of any VTC equipment for telepsychiatry. And I believe that Skype is HIPAA compliant. But for many, it won’t matter either way.

  27. Marlene Maheu | October 14, 2011 at 10:58 am | Permalink

    Unfortunately for those of us who seek to practice using technology, HIPAA is triggered by a single email to a patient or client, and not only if insurance reimbursement is involved as Doug has suggested.

  28. Doug Ikelheimer | October 14, 2011 at 11:36 am | Permalink

    The CMS document referenced above (in comment 26) clearly states that you are not a “covered entity” if you do not electronically send “covered transactions”. Data representing live VTC is not a “covered transaction” as defined in the above CMS document – not even close. If you are not a “covered entity” then HIPAA is irrelevant.

    If you believe I am incorrect, please provide the reference within the primary legislation.

  29. Sarah | November 3, 2011 at 3:45 pm | Permalink

    Hi. I have a couple of questions for anyone who might be able to answer. These are in the setting of a cash-only private practice psychiatry clinic:

    1. I’m hoping to use telemedicine to help some of my patients in between sessions. This mostly applies to my college students who don’t want to disrupt a semester at school, but who want to continue working with me. Do I need to have a license in each state in which my patients attend college, or does that not apply if their initial session (and majority of follow-up sessions) occur in my office?

    2. How might this differ from a legal/privacy protection standpoint from phone sessions?

    3. What are your thoughts on sites such as breakthrough.com, which claim to be HIPAA compliant?

    I appreciate any feedback on these questions.
    Thanks so much!

  30. Doug Ikelheimer, MD | November 3, 2011 at 5:29 pm | Permalink

    Hi Sarah –

    You will need to be licensed in the state where your patient resides and from where he/she will access you for most of the anticipated appointments.

    Telephone psychiatry does not allow for visual information about the patient’s mental status. Telepsychiatry (with live VTC) allows for documentation of a complete mental status examination and therefore it becomes possible to meet the standard of care for traditional outpatient psychiatry.

    My opinion is that the sophisticated data encryption protocols employed by Skype allow for a level of security and privacy which exceeds that of a telephone call and even exceeds that of traditional outpatient visits (since the patient’s neighbor won’t run into him/her in the waiting room or parking lot of your office).

    Breakthrough may claim to be HIPAA-compliant but I doubt that their encryption protocols are more ‘secure’ than what Skype uses.

    In any case, if you accept only cash payments you would not be considered a HIPAA ‘covered entity’ and although you should always maximize privacy and security for your patients, you would not need to comply with HIPAA. (See Comment #26 above.)

    Hope that helps,

    Doug


    Douglas Ikelheimer, MD, MA
    Voyager Telepsychiatry LLC
    http://www.telepsychiatry.com

  31. Ofer Zur | November 3, 2011 at 7:07 pm | Permalink

    Good discussion about crossing state lines. As my short paper at http://www.zurinstitute.com/telehealth_across_state_lines-zur.html explains, it is not always clear how to handle certain situations and how residency is established.

  32. Anonymous | February 27, 2012 at 9:03 pm | Permalink

    I am a Board Certified practicing psychiatrist and have extensive experience in the area of telemedicine and telepsychiatry. I appreciate the thoughtful commentary in this blog.

    I appreciate the comments made by Marlene Maheu but I must say that I am a bit suspicious that a conflict of interest may be shaping much of her opinions and her position on the issue.
    I would encourage readers of this blog to listen to some of her ‘webinars’ posted on her website for the “Telemental Health Institute,” particularly the talk entitled “Seeking a HIPAA compliant alternative to Skype.” This talk is essentially a sales pitch for several Skype alternatives by appealing to your fears – the goal appears to be to scare you into purchasing one of the products being marketed by the webinar’s participants or buying more of Marlene Maheu’s webinars.

    There is a lot of money to be made by offering an alternative to Skype, and the software industry is more than happy to support academics who are willing to support their cause.

    HIPAA laws do not specify any particular encryption technology – HIPAA simply requires that practitioners make reasonable efforts to protect client/patient information. But Skype is heavily encrypted. And it is free.

    There is no harm in purchasing a commercial product as an alternative but I question the ethics of promoting products (even subtly) by way of appealing to the fears of mental health professionals.

  33. Doug Ikelheimer, MD | March 4, 2012 at 5:02 pm | Permalink

    Well stated. The only ones left who argue against the use of Skype for telepsychiatry either (a) come from the videoconferencing hardware industry or (b) somehow stand to benefit financially from HIPAA fear-mongering.

  34. Marlene Maheu, Ph.D. | March 27, 2012 at 2:51 am | Permalink

    Doug,

    Thank you for mentioning the free webinars we sponsor for our colleagues. Each of them is intended to inform our community of innovations, which are designed to showcase cutting-edge technology that can be useful to practitioners and researchers in mental health.

    The specific “alternatives” webinar you mention is one where I interview IT specialists from 3 different companies who have developed video platforms and services to address HIPAA issues. Being IT experts, they were invited to address the HIPAA-compliance issues far better than I can as a psychologist.

    If you want to hear more about SKYPE and alternatives that openly identify themselves as either HIPAA or FIPS compliant, you might consider attending the webinar I am offering for free tomorrow. It is an update on SKYPE. In it, I will mention 25+ companies who sell HIPAA-compliant video platforms.

    If HIPAA compliance technology weren’t necessary, how might this many companies be staying afloat in these tough economic times? Why aren’t leading government and hospital systems all using SKYPE instead of sustaining this many companies?

    If you really want to know my motive, let me assure you it isn’t so secret. Since 2011, we have formed an institute, known as the TeleMental Health Institute and are offering the information we’ve published in various forms as CE and soon, CME courses to train professionals in crucial telehealth competencies.

    Our business is professional education, and our webinars are a free sample of the training we offer to professionals who seek 100% online telehealth training. My work in particular is supported by many visible colleagues who have watched my telehealth work since 1994. Come see what they have to say about my integrity here: http://telehealth.org

    Anyone interested in training for themselves or their institutions is invited to have a look at our course catalog here: http://telehealth.org/catalog

    Anyone wanting to get our carefully amassed list of HIPAA-compliant SKYPE alternatives is invited to attend our free webinar by registering here: http://telehealth.org/webinars

    The webinar will be available after March 29, 2012 for $27, and will offer both the recording and 1 CE. The list is the most comprehensive I’ve seen anywhere to date. (Any readers of this post who have a VTC company that is HIPAA-compliant, please send me your info so we can consider it for our next list. You can reach me here: http://support.telehealth.org/open.php )

    BTW, Doug, when I clicked on the document you offered above as proof that VTC is not a covered transaction, comment #26 is not in the document. Please re-post a link that contains the info you reference. It could be important for some of us to evaluate and understand.

    Thanks again for your comments. I appreciate any and all feedback, and all points of view. It is only by communicating that we will move more successfully into delivering 21st Century healthcare.

    Marlene

  35. Marlene Maheu, Ph.D. | March 28, 2012 at 11:09 am | Permalink

    If you want free access to yesterday’s webinar, you can see it here until midnight, 3/29/12:
    http://InstantTeleseminar.com/?eventid=27089148

    Handout is here, again until midnight, 3/29/12:
    http://telehealth.org/handouts

    Let me know what you think. Your feedback is always appreciated.

  36. Doug Ikelheimer, MD | May 1, 2012 at 9:00 pm | Permalink

    Dr. Maheu –

    First of all I think it speaks volumes that you first describe your “free” webinars, only later to mention the cost is actually $27 unless you “act now”.

    Secondly, I referenced my Comment #26 of this blog (not in the linked document) because it contains a link to a guide created by CMS – which VERY CLEARLY indicates that VTC is not a covered transaction because COVERED TRANSACTIONS ARE DEFINED BY CMS AS ELECTRONIC REQUESTS FOR INSURANCE REIMBURSEMENT. Here is the link again:

    https://www.cms.gov/hipaageninfo/downloads/CoveredEntityCharts.pdf

    According to CMS, if you don’t send covered transactions, then you are NOT a covered entity, and you are therefore not subject to HIPAA.

    Again, if you disagree, I challenge you to demonstrate from where, within the primary federal legislation, your opinion is derived.

    I find it somewhat frustrating that as a self-described educator on matters of HIPAA, you continue to spread false information which is not supported by the federal law itself, while simultaneously advertising your business on someone else’s blog.

    Doug

{ 5 } Trackbacks

  1. […] after I published my last post, I got a Google alert on another blog post “HIPAA & Hijacked SKYPE Passwords: Another […]

  2. […] couple of comments a month ago regarding Skype security and in response to my previous post “Is Skype HIPAA-compliant?” Marlene Maheu at the TeleMental Health Institute’s Center for Online Counseling and […]

  3. […] Is Skype HIPAA-compliant? […]

  4. […] is a list of guidelines for assessing whether or not a client is suitable for online therapy. And here is a blog post and lots of comments about HIPAA issues and Skype, the follow up articles are […]

  5. […] are readily available for free, and are easy to set up and use. Controversy exists over whether Skype and FaceTime are “HIPAA compliant,” although there is a strong argument that cellphone […]