Skype is one of the most popular communication apps out there. It allows for easy video and audio calls as well as instant messaging between individuals and groups. That’s why many have wondered if Skype can also be used as a means of communication between healthcare professionals and their patients.
Virtual meetings and webinars are more popular now than ever. Healthcare organizations and medical practices have turned to telehealth or telemedicine to see patients remotely through virtual consultations. One of the most-used telemedicine modalities is live video calls, wherein a real-time interaction between a healthcare professional and patient happens in an interactive video communication channel.
One of the earliest and most-used video conferencing platforms is Skype. Many businesses use Skype to conduct virtual meetings or webinars because of its availability and manageable interface, not to mention it has a free version. But when it comes to telemedicine, there’s a huge barrier between healthcare providers and the use of Skype — the Health Insurance Portability and Accountability Act or HIPAA.
HIPAA requires covered entities to implement a system that complies with its rules and regulations for using, disclosing, and distributing electronic protected health information (ePHI). Does Skype meet the required HIPAA standards to be HIPAA compliant?
Exploration is needed to see how Skype fits into the HIPAA framework and whether medical staff and patients can use the platform without risking violating HIPAA rules.
As a medical practice, if you want to conduct virtual consultations with patients or other healthcare providers over Skype, you first need to understand how the law views Skype in terms of sharing ePHI.
If you’re using services from a third-party provider that involve access to a patient’s PHI, this provider is your business associate (BA), and you must sign a business associate agreement (BAA) with them. In this case, you need to sign a BAA with Skype’s owner, Microsoft.
A BAA is necessary if a vendor creates, receives, maintains, or transmits ePHI on behalf of a HIPAA-covered entity or its BA. However, there is a debate whether a covered entity needs to obtain a BAA with Microsoft when using Skype because of the HIPAA Conduit Rule.
The Conduit Rule allows covered entities to use services from a third-party provider without entering into a BAA. The rule applies if the provider transmits PHI or ePHI but doesn’t have access to it and doesn’t store it. Many believe that Skype is under the Conduit Rule in the sense that the platform is merely a channel for the transmission of data. However, guidance issued by the Office for Civil Rights (OCR) confirms that the Conduit Rule does not typically apply to software-as-a-service (SaaS) providers. Skype is a SaaS platform.
Even though Skype does not create PHI, it does receive and transmit ePHI. That’s why it is a BA, and you need to enter into a written agreement with Microsoft before you can use it as your communication channel for telemedicine. But the free Skype version doesn’t satisfy HIPAA regulations.
Skype is not HIPAA-compliant by default, even with a BAA. When signing a BAA with Microsoft, make sure it includes Skype for Business because the free version does not meet the required safeguards to be HIPAA compliant.
Skype for Business Enterprise E3 and E5 packages contain system measures to ensure a HIPAA compliant platform. Any other version of Skype does not meet HIPAA rules.
According to the HIPAA Security Rule, both HIPAA-covered entities and their BAs (Skype in this case) need to safeguard and protect PHI and ePHI.
Your BA must implement all the technical safeguards required under HIPAA, including:
The following are safeguards available for Skype for Business Enterprise E3 and E5 packages that satisfy HIPAA compliance:
Skype requires users to have unique identifiers (usernames, emails, or phone numbers) to access their profiles under the HIPAA Security Rule. You must activate access controls on all the devices your organization uses. That ensures that only authorized members within your organization have access to PHI.
HIPAA requires all covered entities and BAs to maintain activity logs showing the sequence of all the events in the system. Audit controls must provide information about each access or attempted access to PHI, as well as any changes introduced to the relevant data.
After a period of inactivity, an electronic session should end automatically to prevent unauthorized access to your system. Automatic logoff is a vital feature if someone forgets to log out after a telemedicine session. The free version of Skype doesn’t offer this option; the E3 or E5 Skype for Business package does. However, the logoff feature isn’t available by default; you must enable it.
Although HIPAA advises encryption on ePHI, it’s not mandatory. HIPAA doesn’t obligate you to implement technical measures to protect ePHI. That responsibility is for your BA. However, you must consider encryption to keep patient data safe. Skype meets this standard using AES 256-bit encryption — generally regarded as high-level encryption.
However, you should be mindful of the Skype-to-phone calls option. There is no data encryption in that type of communication, which means unauthorized access can intercept or misuse the data.
Skype for Business can be HIPAA compliant if you purchase the Enterprise E3 or E5 package. Any other version of Skype, especially the free version, does not satisfy HIPAA requirements.
However, you must not entirely rely on Skype’s HIPAA compliance upon purchasing the Business Enterprise E3 or E5 package. It is down to a covered entity to make sure that the Skype version they use is HIPAA compliant.
The following are crucial steps covered entities must do to ensure and secure HIPAA compliance using Skype:
Even with a BAA and the correct package, there is still a chance for HIPAA violations to take place when using Skype for Business. The good news is that Skype isn’t the only option. There are HIPAA-compliant platforms built specifically for use by healthcare providers practicing telemedicine.
One of the most reliable systems and much more straightforward for HIPAA compliance is Curogram. This telemedicine solution can replicate the interaction in an in-person visit in a virtual environment.
Unlike Skype, that’s used for general communication but does not ensure HIPAA compliance, Curogram complies 100% with HIPAA.
Instead of jumping on a call with the patient straight away on Skype, you can replicate the workflow of a physical visit with Curogram. The platform customizes workflows for doctors, medical staff, and patients to get properly onboarded before they get to the virtual appointment.
Moreover, Curogram is a 2-way texting platform explicitly built for telemedicine. You can text the link of the appointment to your patient, and they can simply click the link to direct them to the virtual appointment; no need to download any app.
Curogram’s virtual waiting room allows you to see how many patients are waiting, whether they’re ready, or if medical associates are in there preparing them. Skype certainly can’t offer you this option. You would have to figure out a different way to prepare your patients and yourself before the appointment.
Curogram’s system features all HIPAA Security Rule technical guards, including audit controls, emergency access procedures, automatic logoff, and encryption and decryption.
Healthcare professionals choose Curogram over Skype because:
With Curogram, you and your team don’t have to worry about fulfilling legal requirements when using telemedicine virtual visits and can focus on what you do best — providing quality healthcare services.