
Telemedicine: Are Skype, FaceTime, and Google Hangouts HIPAA Compliant?

As you undoubtedly know, one of the purposes of HIPAA, a law originally passed in 1996, is to regulate the flow of protected health information (PHI). It says that you are allowed to communicate PHI in certain circumstances—like to collaborate with other doctors or to get paid by insurance companies. But it also lays out a series of safeguards that you have to take to make sure nobody outside this circle of knowing gets their hands on PHI. For example, you have to make sure you or your staff don’t talk about patients in public, you shouldn’t leave charts out where people can see them, and if you use an electronic health record (EHR), you have to make sure that it has a good protocol to prevent data breaches.

Applying HIPAA to telemedicine has proven to be pretty tricky. A decade ago, most of us believed that the only way to ensure secure videoconferencing was to pay for expensive “HIPAA-compliant” videoconferencing equipment. This severely limited telemedicine’s economic feasibility. But things are changing. There are many more free or nearly free videoconferencing platforms, and most patients and doctors are quite comfortable using them.

Unfortunately, there is no agreement on whether all the free platforms are HIPAA compliant. One source of confusion is the misconception that a specific technology can even be “HIPAA compliant.” In fact, the only entities that can be HIPAA compliant are providers themselves. The federal government requires only that we take “reasonable administrative, technical, and physical safeguards” to ensure the confidentiality of patient information. Furthermore, the HIPAA Privacy Rule is “flexible and does not prescribe any specific practices or actions that must be taken by covered entities” (source).

This means that you have to use your own judgment regarding what technologies are private enough, based on guidance provided in the HIPAA law. Instead of “HIPAA compliant,” the better term for evaluating these systems would be “HIPAA compatibility,” and there is a spectrum here. Systems can be more HIPAA compatible, or less.

There are three HIPAA guidelines that relate to telemedicine:

1. Encryption. All communication between you and your patient should be protected, and the best way to achieve this is to encrypt such information. Encryption ensures that if anybody hacks into your conversation, all they will see is gobbledygook—unless they have the encryption key. Skype, FaceTime, and Google Hangouts all encrypt their data, probably at a level that is stringent enough to meet HIPAA guidelines.

2. Business Associate Agreement (BAA). HIPAA defines a “business associate” as any company that: a) helps you run your practice, and b) has access to PHI. Business associates include your billing company, your answering service, your transcriptionist, your EHR vendor, and others. All these services require either storage of PHI or entrusting people to see the information. HIPAA requires that all of these specially defined business associates sign a contract stating that they will keep your patients’ health information secret. This is the so-called business associate agreement, or BAA.

Skype, FaceTime, and Google Hangouts do not offer such agreements (though Skype offers a paid business version that does). So they’re not HIPAA compatible, right? Probably wrong—because of a HIPAA provision called the “mere conduit” exception. If a company is not in the business of actually storing PHI, but simply helps to transmit it from point A to point B, then it doesn’t have to sign a HIPAA business agreement. The analogy often used is a mail courier service, like FedEx. FedEx transports packages from place to place, but the company does not open them. Similarly, Skype transmits encrypted information but does not look at it or store it anywhere for review.

Not everyone agrees that Skype qualifies as a “mere conduit.” A common argument is that since Skype cooperates with law enforcement to investigate criminal communication, this means that the company does have a digital “back door” that could potentially be hacked by the bad guys (though this has not happened). Because of this admittedly remote possibility, some people contend that Skype should be treated like a business associate.

I don’t agree with that argument, but acknowledge that it is a debatable point. For us, the fact that Skype (and FaceTime and Google Hangouts) securely encrypts all transmissions makes these technologies sufficiently HIPAA compatible.
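To make the encryption point (guideline 1) and the “mere conduit” question concrete, here is an added Go example. It is not code from the article or from The Carlat Report, and it does not show how Skype, FaceTime, or Google Hangouts actually implement their encryption; it simply models the situation the article describes. A clinician and a patient share a session key, a relay (the “mere conduit”) holds no key, and an eavesdropper holds the wrong key. Messages are protected with AES-256-GCM from Go’s standard library. The party names, the sample session note, and the assumption that only the two endpoints hold the key are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Party models one participant in a video call. In this (assumed) model only
// the two endpoints hold the session key; a relay that is a "mere conduit"
// forwards bytes without one (Key == nil).
type Party struct {
	Name string
	Key  []byte // 32-byte AES-256 key, or nil if this party holds no key
}

// NewKey returns a fresh random 32-byte session key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if key == nil {
		return nil, errors.New("party holds no key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one message with AES-256-GCM. Wire format:
// nonce || ciphertext || authentication tag, with a fresh nonce per message.
func (p Party) Seal(plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(p.Key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a message sealed under the same key. Without the key, or if
// any byte on the wire was altered, GCM's tag check fails and no plaintext is
// returned at all (not even garbled text).
func (p Party) Open(wire []byte) ([]byte, error) {
	aead, err := newAEAD(p.Key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(wire) < ns {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, wire[:ns], wire[ns:], nil)
}

// LeaksPlaintext reports whether the bytes a relay (or anyone tapping the
// link) can see contain the plaintext verbatim.
func LeaksPlaintext(wire, plaintext []byte) bool {
	return bytes.Contains(wire, plaintext)
}

// Tamper flips one bit in the middle of the wire bytes, to show that
// modification in transit is detected rather than decrypted into corrupt text.
func Tamper(wire []byte) []byte {
	t := append([]byte(nil), wire...)
	t[len(t)/2] ^= 0x01
	return t
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	wrongKey, err := NewKey()
	if err != nil {
		panic(err)
	}
	clinician := Party{Name: "clinician", Key: key}
	patient := Party{Name: "patient", Key: key}
	relay := Party{Name: "relay (mere conduit)"} // holds no key
	eavesdropper := Party{Name: "eavesdropper", Key: wrongKey}

	// Constructed sample message; the content is made up for this example.
	msg := []byte("Session note: patient reports improved sleep.")
	wire, err := clinician.Seal(msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext visible on the wire: %v\n", LeaksPlaintext(wire, msg))
	for _, p := range []Party{patient, relay, eavesdropper} {
		out, err := p.Open(wire)
		if err != nil {
			fmt.Printf("%-22s cannot read: %v\n", p.Name, err)
			continue
		}
		fmt.Printf("%-22s reads: %s\n", p.Name, out)
	}
	if _, err := patient.Open(Tamper(wire)); err != nil {
		fmt.Println("tampered message rejected:", err)
	}
}
```

In this model the article’s “back door” worry reduces to one question: does the relay hold the session key? A relay without it sees only ciphertext and behaves like the FedEx courier in the analogy; a relay that does hold it can read the call, which is the situation that would make it look more like a business associate than a conduit.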

As a bit of an aside, given the gnashing of teeth about Skype’s privacy, why don’t we ever hear worries about the simple telephone? Surely the phone, the constant victim of wiretaps in crime dramas, can’t be HIPAA compatible? Most experts seem to avoid this question—but some say that tapping a phone is actually much harder than hacking into email. That’s good enough for me!

3. Monitoring for breaches. You’re supposed to have a way of monitoring any communication you use for breaches, and the government should be able to audit it. Skype won’t provide you with a report like this. On the other hand, there have been no reports of hackers actually listening in on conversations—the main risk is that hackers could look at your call log.

The bottom line is that Skype, FaceTime, and Google Hangouts are all encrypted video platforms that are widely adopted, easy to use, and free. Their official HIPAA compatibility is the subject of ongoing debate, but many clinicians use them anyway.

See this excellent in-depth discussion of Skype’s HIPAA issues.

For a good overview of HIPAA in general for psychiatrists, see the APA website (available to APA members only).

Source: We thank The Carlat Psychiatry Report for allowing us to re-post this article.
