Daniel Carlat, MD
Editor-in-Chief, Publisher, The Carlat Report.
Dr. Carlat has disclosed that he has no relevant relationships or financial interests in any commercial company pertaining to this educational activity.
As you undoubtedly know, one of the purposes of HIPAA, a law originally passed in 1996, is to regulate the flow of protected health information (PHI). It says that you are allowed to communicate PHI in certain circumstances—like to collaborate with other doctors or to get paid by insurance companies. But it also lays out a series of safeguards that you have to take to make sure nobody outside this circle of knowing gets their hands on PHI. For example, you have to make sure you or your staff don’t talk about patients in public, you shouldn’t leave charts out where people can see them, and if you use an electronic health record (EHR), you have to make sure that it has a good protocol to prevent data breaches.
Applying HIPAA to telemedicine has proven to be pretty tricky. A decade ago, most of us believed that the only way to ensure secure videoconferencing was to pay for expensive “HIPAA-compliant” videoconferencing equipment. This severely limited telemedicine’s economic feasibility. But things are changing. There are many more free or nearly free videoconferencing platforms, and most patients and doctors are quite comfortable using them.
Unfortunately, there is no agreement on whether all the free platforms are HIPAA compliant. One source of confusion is the misconception that a specific technology can even be “HIPAA compliant.” In fact, the only entities that can be HIPAA compliant are providers themselves. The federal government requires only that we take “reasonable administrative, technical, and physical safeguards” to ensure the confidentiality of patient information. Furthermore, the HIPAA Privacy Rule is “flexible and does not prescribe any specific practices or actions that must be taken by covered entities” (source).
This means that you have to use your own judgment regarding what technologies are private enough, based on guidance provided in the HIPAA law. Instead of “HIPAA compliant,” the better term for evaluating these systems would be “HIPAA compatibility,” and there is a spectrum here. Systems can be more HIPAA compatible, or less.
There are three HIPAA guidelines that relate to telemedicine: 1. Encryption. All communication between you and your patient should be protected, and the best way to achieve this is to encrypt such information. Encryption ensures that if anybody hacks into your conversation, all they will see is gobbledygook—unless they have the encryption key. Skype, FaceTime, and Google Hangouts all encrypt their data, probably at a level that is stringent enough to meet HIPAA guidelines.
2. Business Associate Agreement (BAA). HIPAA defines a “business associate” as any company that: a) helps you run your practice, and b) has access to PHI. Business associates include your billing company, your answering service, your transcriptionist, your EHR vendor, and others. All these services require either storage of PHI or entrusting people to see the information. HIPAA requires that all of these specially defined business associate sign a contract stating that they will keep your patients’ health information secret. This is the so-called business associates agreement, or BAA.
Skype, FaceTime, and Google Hangouts do not offer such agreements (though Skype offers a paid business version that does). So they’re not HIPAA compatible, right? Probably wrong—because of a HIPAA provision called the “mere conduit” exception. If a company is not in the business of actually storing PHI, but simply helps to transmit it from point A to point B, then it doesn’t have to sign a HIPAA business agreement. The analogy often used is a mail courier service, like FedEx. FedEx transports packages from place to place, but the company does not open them. Similarly, Skype transmits encrypted information but does not look at it or store it anywhere for review.
Not everyone agrees that Skype qualifies as a “mere conduit.” A common argument is that since Skype cooperates with law enforcement to investigate criminal communication, this means that the company does have a digital “back door” that could potentially be hacked by the bad guys (though this has not happened). Because of this admittedly remote possibility, some people contend that Skype should be treated like a business associate.
We don’t agree with that argument, but we acknowledge that it is a debatable point. For us, the fact that Skype (and FaceTime and Google Hangouts) securely encrypt all transmissions makes these technologies sufficiently HIPAA compatible.
As a bit of an aside, given the gnashing of teeth about Skype’s privacy, why don’t we ever hear worries about the simple telephone? Surely the phone, the constant victim of wiretaps in crime dramas, can’t be HIPAA compatible? Most experts seem to avoid this question—but some say that tapping a phone is actually much harder than hacking into email. That’s good enough for me!
3. Monitoring for breaches. You’re supposed to have a way of monitoring any communication you use for breaches, and the government should be able to audit it. Skype won’t provide you with a report like this. On the other hand, there have been no reports of hackers actually listening in on conversations—the main risk is that hackers could look at your call log.
The bottom line is that Skype, FaceTime, and Google Hangouts are all encrypted video platforms that are widely adopted, easy to use, and free. Their official HIPAA compatibility is the subject of ongoing debate, but many clinicians use them anyway.