First released in 2003, Skype offers free, worldwide video access to any patient with an Internet connection, either by mobile device or desktop computer. What it does not offer, however, is a means of communication clearly suitable for clinical services—especially in mental health. According to estimates reported by groups such as the Institute for Healthcare Consumerism, telehealth is poised to grow by 55% in 2013 alone, and 6-fold by 2017.1,2 Wisely or otherwise, some of this growth will likely occur via Skype. Thus, it is prudent to consider the issues.
The Health Insurance Portability and Accountability Act
Ordinarily, neither federal nor state law is designed to regulate specific proprietary entities such as Skype and its competitors. Video-chat platforms were developed for marketing to the general consumer, and not for health care. The Health Insurance Portability and Accountability Act (HIPAA) holds professionals responsible for conducting their own internal risk assessments regarding their chosen technologies. Before using any equipment, the professional should require documentation that explicitly promises “HIPAA compliance” or “HIPAA compatibility.” One could take further comfort in a designation of Federal Information Processing Standard (FIPS) certification, a standard that may meet and exceed HIPAA standards.3
HIPAA requires the use of equipment that allows for audit trails. According to the American Health Information Management Association, audit trails allow breaches to be traced.4 Like other proprietary platforms, Skype makes it impossible to conduct approved security audits via audit trails. Skype itself is not covered by HIPAA. HIPAA’s scope is restricted to providers, insurers, and health care clearinghouses that bill any patient’s health insurance electronically (or use a billing service that submits claims electronically), even if the client in question is self-pay.5
It is not certain that HIPAA applies to clinical use of Skype. If Skype were strictly a conduit for information, it might not satisfy the definition of a business associate. Text-based messages exchanged by parties using Skype, however, are stored for at least 6 months, likely making Skype more than a “simple conduit.”
Furthermore, as soon as one opens his computer or smart device, Skype’s settings allow it to automatically issue a real-time notice to everyone in one’s contact list, announcing that the person is now online. Skype also has had a problem with recurring hacks, such as the breach reported on November 14, 2012.6 Considering all these problems, whether HIPAA strictly applies to Skype becomes academic: the risks are not to be ignored.
In light of newly enacted, sweeping changes in privacy law, technology choice is more of a concern. Under these updated HIPAA rules, a professional’s “business associates” also have direct specific compliance obligations.7 Even if Skype is not a business associate, imposing compliance requirements directly on business associates, and not just indirectly through business associate agreements, implies renewed emphasis on enforcement.
In response to alleged physician violations of norms of online professionalism, state regulators have recently stepped up their enforcement. The HHS Office for Civil Rights (OCR) has also been hard at work. Since OCR publishes monthly, enforcement of HIPAA has been sharply increasing,8 with private practices being the primary target for scrutinizing HIPAA violations. [To stay informed, subscribe to OCR’s listserv, OCR-Privacy-List.]
If a particular state law privacy or security requirement is more restrictive than HIPAA, then state law trumps HIPAA and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Among other provisions, HITECH increases the penalties that may be imposed for HIPAA violations and makes business associates directly liable for HIPAA violations. In some states (eg, Texas, California), privacy and security regimens are quite sophisticated and detailed. Issues related to privacy and security potentially involve jurisdiction of 3 sovereigns—the US federal government in Washington, DC; the practitioner’s state capital; and maybe the patient’s state capital.
Following the recommendations and protocols suggested by professional and security experts is valuable to reduce the risks of inadvertent disclosure of confidential mental health information when using Skype to provide confidential mental health services; however, use of Skype or similar VoIP communications systems still presents some privacy risks. Expanding access to mental health services in rural or underserved areas is an important value fostered by the availability of Skype services, but professional social work standards for security and privacy of data at this time are better supported by the use of electronic services and communications programs that are dedicated to the delivery of secure telemental health services and that offer detailed HIPAA compliance information and/or HIPAA Business Associate agreements.9(p2),10
A well-crafted informed consent document, combined with well-considered intake procedures, may diminish exposure to tort liability on consent theories. Considerations for such documents may include a discussion of power outages, for example, including their unpredictability. Whether the exchange will be recorded is pertinent to the informed consent process. Accurate documentation of informed consent demonstrates that after the provider disclosed the inherent risks, the patient said, “I understand and I still want to proceed.” In some states, however, this approach can fall short with vulnerable populations: the mentally ill, minors, those with protected conditions such as HIV, and other groups.
No informed consent process or agreement with a patient who will be using technology to mediate care will be adequate for all situations in all states of the US or foreign countries. Choosing technology wisely is of importance to mental health professionals, not only as we practice, but also as we make referrals to colleagues.
Professionals should inquire whether they might be held responsible for referrals to practitioners who are not informed of the risks of using consumer-grade as opposed to health-grade technology for care. Some HIPAA compatible platforms are available for $30 to $150 per month for unlimited use. [Note: A list of over 50 HIPAA compatible video teleconferencing (VTC) platforms is maintained at the TeleMental Health Institute.]
This area of the law is still in a relatively primitive state. It is apt to change considerably over time. Practitioners offering services at a distance are well advised to keep abreast of developments in the field, and to adapt their practices accordingly.
It would be entirely possible to comply perfectly with applicable federal and state regulations and statutes and still face liability exposure as a result of using Skype or competing Web-based platforms. If an expert (this can merely be “someone in your field”) is prepared to say that in spite of compliance with applicable, positive law, statutes, and regulations, your decisions represented a departure from what reasonable people in your field would do under similar circumstances, and if someone can make a colorable claim of having been harmed as a result of this alleged departure from accepted practice, nothing else may be required to create a jury issue and thus liability exposure.
1. Slabodkin B. Worldwide telehealth market to grow 55% in 2013. Fierce Mobile Healthcare. January 1, 2013. http://www.fiercemobilehealthcare.com/story/worldwide-telehealth-market-grow-55-2013/2013-01-01. Accessed March 8, 2013.
2. Terry K. Telehealth to grow six-fold by 2017. Information Week Healthcare. January 23, 2013. http://www.informationweek.com/healthcare/mobile-wireless/telehealth-to-grow-six-fold-by-2017/240146847. Accessed March 8, 2013.
3. National Institute of Standards and Technology (NIST). Federal information processing standards. http://www.nist.gov/itl/fips.cfm. Accessed March 8, 2013.
4. American Health Information Management Association. Security audits of electronic health information (updated). http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_048702.hcsp?dDocName=bok1_048702. Accessed March 8, 2013.
5. Centers for Medicare and Medicaid Services. Covered entity charts: guidance on how to determine whether an organization or individual is a covered entity under the Administrative Simplification provisions of HIPAA. http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/Downloads/CoveredEntitycharts.pdf. Accessed March 8, 2013.
6. Skype: Reported Security Issue—RESOLVED. http://heartbeat.skype.com/2012/11/security_issue.html. Accessed March 8, 2013.
7. Heussner KM. Are health care companies prepared for the new HIPAA privacy and security rules? GigaOM. January 18, 2013. http://gigaom.com/2013/01/18/are-health-care-companies-prepared-for-the-new-hipaa-privacy-and-security-rules/. Accessed March 8, 2013.
8. US Department of Health & Human Services. Enforcement highlights (as of January 31, 2013). http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html. Accessed March 8, 2013.
9. National Association of Social Workers. Social workers and Skype: part I. 2011. http://www.socialworkers.org/ldf/legal_issue/2011/112011.asp.
10. Greysen SR, Chretien KC, Kind T, et al. Physician violations of online professionalism and disciplinary actions: a national survey of state medical boards. JAMA. 2012;307:1141-1142.