Alarmist articles on Skype security risks for telehealth abound. The question is whether using Skype for telehealth really poses that serious of a security problem? Psychiatric Times weighed in on the issue with a well-cited article Telepsychiatry: The Perils of Using Skype, co-authored by the executive director of the TeleMental Health Institute, Marlene Maheu and University of Richmond health law professor, Joseph McMenamin.
A big reason for the concern is the federal Health Information Portability and Accoutability Act (HIPAA) which protects patients’ privacy. As of Mar. 26, 2013, HIPAA Final Rule sets fines of up to 1.5M per violation, which translates to a possible 1.5M for each patient. With the Final Rule in place, the Office for Civil Rights (OCR) has also become more aggressive in its audits and enforcement of HIPAA. So it’s understandable that telehealth practitioners want to tread carefully with the video chat technology they use.
The article points out that HIPAA laws are only meant to regulate “providers, insurers, and health care clearinghouses that bill any patient’s health insurance electronically (or use a billing service that submits claims electronically).” It is not designed to regulate Skype or other video chat software services and does not restrict their use. In fact, despite possible security issues some health practitioners do use Skype in their practice. However, here are some of the Skype security issues users should consider:
1. No business agreements and audit trails
When it comes to information security, HIPAA requires covered health entities to conduct their own risk assessments for their chosen technologies. They are also required to
- have contractual agreements with the vendors and subcontractors providing the technology and equipment used for storing or moving health information,
- use equipment that allows for audit trails so information leaks can be traced.
In these contracts or business associate agreements (BAA), vendors and subcontractors must promise to comply with HIPAA rules, making them directly liable for any HIPAA violations. The only exception is in the case of a conduit, which is explained below. In any case, Skype, does not promise HIPAA compliance, and no one expects Microsoft to sign any business associate agreements to shoulder that liability.
Second, even if Skype could claim exemption from HIPAA Privacy Rules under the conduit exception, the article notes that Skype and many other video chat services make it “impossible to conduct approved security audits via audit trails.”
2. May not satisfy HIPAA conduit exception
The one exception to who counts as a HIPAA business associate is any data transmission organization that acts as a conduit. The Final Rule states “The conduit exception…is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services.” Skype may or may not fall under this. Drs. Maheu and McMenamin explain,”If Skype were strictly a conduit for information, it might not satisfy the definition of a business associate. Text-based messages exchanged by parties using Skype, however, are stored for at least 6 months, likely making Skype more than a ‘simple conduit.”
3. Common sense Skype security problems
The consumer design of Skype and other video chat apps may also present issues for health care use. Consider the problems of patient verification and address book management. Drs. Maheu and McMenamin add,”as soon as one opens his computer or smart device, Skype’s settings allow it to automatically issue a real-time notice to everyone in one’s contact list, announcing that the person is now online. Skype also has had a problem with recurring hacks, such as the breach reported on November 14, 2012
4. Overlapping federal and state legislation
It turns out that state laws regarding privacy and security can be more stringent than federal laws, in which case the state law overrules the federal HIPAA and HITECH laws. According to Drs. Maheu and McMenamin jurisdiction can be quite complicated possibly involving “3 sovereigns—the US federal government in Washington, D.C.; the practitioner’s state capitol; and, maybe the patient’s state capitol.” So even if Skype is allowed under federal law, it may not satisfy video conferencing security requirements under a state’s law. Thus physicians practicing across state lines, need to make sure they satisfy telemedicine requirements for each state in which they plan to practice.
Tell us if you think Skype is secure enough for telehealth?
- Why not use Skype, FaceTime, Google Video for telehealth?
- Don’t even think about Skype for health care
- HIPAA FAQ’s
- Skype community HIPAA discussion
Original photo: Tony Fischer Photography via Flickr