Is Skype HIPAA compliant? No, it’s not.

The question “Is Skype HIPAA compliant?” comes up among therapists all the time. The bottom line is that Skype is not compliant. So if you’re a US-based therapist, Skype therapy is a violation of the law. Google Hangouts is also not compliant. This may come as a shock or disappointment to those who have used Skype or Google Hangouts for therapy, but the law is pretty clear.

Microsoft and their Business Associates Agreement

Some Microsoft products, such as Office 365, are HIPAA compliant. Read Microsoft’s HIPAA information here. Notice that Skype is not mentioned anywhere in the agreement. HIPAA and the companion HITECH Act require certain safeguards to be in place. While Skype communication itself is encrypted, encryption alone doesn’t ensure compliance. For example, chat transcripts from Skype sessions are maintained on Microsoft servers. The record that you communicated with someone over Skype is also maintained on Microsoft servers. The video itself isn’t recorded (that we know of); however, the content of the session isn’t the HIPAA exposure point. The exposure is the fact that there was a session at all, along with all the metadata associated with that session. For example, the duration of the session, the participants in the session, and any text chat content are all stored on Microsoft servers that are not covered by their Business Associates Agreement.

What about Google Hangouts?

Google does offer BAAs for some of their products, but only a very narrow range that does not include Hangouts. In fact, Google Hangouts is a “social” feature, so the fact that your client participated in a hangout with you could possibly be published to their Google Plus profile, depending on their privacy settings.

Skype and Hangouts are great — just not for online therapy.

Skype was never designed to be a HIPAA compliant video conferencing tool. It’s a social application designed for friends and family to chat. There’s nothing wrong with Skype or Hangouts; I use those tools every day to communicate with our business and development teams. As a tool for secure online therapy, however, it’s the same as using a screwdriver to cook pasta. It’s the wrong tool.

Two of the main reasons many therapists use Skype for online counseling are its ubiquity and its cost. You can’t get much cheaper than free! Most dedicated telehealth solutions charge a per-minute fee or a monthly access cost. At iCouch, we use a flat rate for unlimited access to our secure video platform, and that cost also includes a bunch of other HIPAA compliant cloud practice management tools, such as scheduling and secure messages. We have to charge for access because, frankly, enterprise-level security isn’t cheap. It requires a more complex infrastructure as well as constant security monitoring, among other things. The development costs are much higher as well, because a purpose-built solution for online therapy has far different requirements than a social networking tool like Skype.

Regardless of the solution you use for online therapy, be sure that the vendor will provide a Business Associates Agreement. That’s the key to ensuring that you have exercised proper diligence in terms of the law.

What do you think? Have you used Skype for online counseling? What other technologies are you concerned about? Please leave your thoughts in the comments below!

Published by Brian Dear

Brian is the cofounder and CEO of iCouch, Inc. He has an extensive background in software engineering, inbound marketing and mental health practice management.

Join the Conversation

6 Comments

  1. Is Skype FERPA-compliant? If I am a staff member at a university and a student agrees to meet with me via Skype instead of in person, is this a violation of FERPA? Would I need the student to sign a release (assuming they are age 18 or above)? Thank you!

    1. Disclaimer: The following is not legal advice:

      If you are providing mental health services via Skype, then of course HIPAA is going to be the prevailing law. If you are a teacher or guidance counselor/advisor providing non-health services to a student via Skype, then it’s likely not a FERPA violation since having a conversation with you isn’t considered an “academic record.” Meaning FERPA covers records releases, but doesn’t really address communications processes. For example, in mental health the “product” or the “treatment” is a meeting with a practitioner. So by disclosing that a practitioner met with a person/client/patient, that’s disclosing that the person provisioned health care (which is considered protected health information). However, a student contacting an advisor/teacher/faculty at a university — that’s not a “record” per se.

      Feel free to obtain a release, but if it were me, I wouldn’t bother. FERPA is a lot less comprehensive than HIPAA.

      Hope that helps!
