The question “Is Skype HIPAA compliant” comes up among therapists all the time. The bottom line is that Skype is not compliant. So if you’re a US based therapist, Skype therapy is a violation of the law. Google Hangouts is also not compliant. This may come as a shock or disappointment to those who have used Skype or Google Hangouts for therapy, but the law is pretty clear.
Microsoft and their Business Associates Agreement
Some Microsoft products, such as Office 365 are HIPAA compliant. Read Microsoft’s HIPAA information here. Notice that Skype is not mentioned. There’s no mention of it anywhere in the agreement. HIPAA and the companion HITECH act require certain safeguards to be in place. While Skype communication itself is encrypted, that doesn’t itself ensure compliance. For example, chat transcripts from Skype sessions are maintained on Microsoft servers. The record that you communicated with someone over Skype is also maintained on Microsoft servers. The actual video itself isn’t recorded (that we know of,) however the actual content of the session isn’t the HIPAA exposure point — it’s the fact that there was a session at all and all metadata associated with that session. For example, the duration of the session, the participants of the session as well as any text chat content — all of that is stored on Microsoft servers that are not covered by their business associates agreement.
What about Google Hangouts?
Google does offer BAAs for some of their products, a very narrow range of products that does not include Hangouts. In fact, Google hangouts is a “social” feature, so the fact that your client participated in a hangout with you could possibly be published to their Google Plus profile, depending on their privacy settings.
Skype and Hangouts are great — just not for online therapy.
Skype was never designed to be a HIPAA compliant video conferencing tool. It’s a social application designed for friends and family to chat. There’s nothing wrong with Skype or Hangouts — I use those tools every day to communicate with our business and development teams, however as a tool for secure online therapy, it’s the same as using a screwdriver to cook pasta. It’s the wrong tool.
One of the main reasons many therapists use Skype for online counseling is because of its ubiquitousness as well as the cost. You can’t get much cheaper than free! Most dedicated telehealth solutions charge a per-minute fee or a monthly access cost. At iCouch, we use a flat rate for unlimited access to our secure video platform, however that cost also includes a bunch of other HIPAA compliant cloud practice management tools, such as scheduling and secure messages. The reason for the necessity of charging for access is because frankly, enterprise-level security isn’t cheap. It requires a more complex infrastructure as well as constant security monitoring, among other things. The development costs are much higher as well because creating a purpose-built solution for online therapy has far different requirements than a social networking tool like Skype.
Regardless of the solution you use for online therapy, be sure that the vendor will provide a Business Associates Agreement. That’s the key to ensuring that you have exercised proper diligence in terms of the law.