
Are Skype, FaceTime, and Google Hangouts HIPAA Compliant?

October 1, 2015
Daniel Carlat, MD
From The Carlat Psychiatry Report
Daniel Carlat, MD Editor-in-Chief, Publisher, The Carlat Report. Dr. Carlat has disclosed that he has no relevant relationships or financial interests in any commercial company pertaining to this educational activity.

As you undoubtedly know, one of the purposes of HIPAA, a law originally passed in 1996, is to regulate the flow of protected health information (PHI). It says that you are allowed to communicate PHI in certain circumstances—like to collaborate with other doctors or to get paid by insurance companies. But it also lays out a series of safeguards that you have to take to make sure nobody outside this circle of knowing gets their hands on PHI. For example, you have to make sure you or your staff don’t talk about patients in public, you shouldn’t leave charts out where people can see them, and if you use an electronic health record (EHR), you have to make sure that it has a good protocol to prevent data breaches.

Applying HIPAA to telemedicine has proven to be pretty tricky. A decade ago, most of us believed that the only way to ensure secure videoconferencing was to pay for expensive “HIPAA-compliant” videoconferencing equipment. This severely limited telemedicine’s economic feasibility. But things are changing. There are many more free or nearly free videoconferencing platforms, and most patients and doctors are quite comfortable using them.

Unfortunately, there is no agreement on whether all the free platforms are HIPAA compliant. One source of confusion is the misconception that a specific technology can even be “HIPAA compliant.” In fact, the only entities that can be HIPAA compliant are providers themselves. The federal government requires only that we take “reasonable administrative, technical, and physical safeguards” to ensure the confidentiality of patient information. Furthermore, the HIPAA Privacy Rule is “flexible and does not prescribe any specific practices or actions that must be taken by covered entities” (source).

This means that you have to use your own judgment regarding what technologies are private enough, based on guidance provided in the HIPAA law. Instead of “HIPAA compliant,” the better term for evaluating these systems would be “HIPAA compatibility,” and there is a spectrum here. Systems can be more HIPAA compatible, or less.

There are three HIPAA guidelines that relate to telemedicine:

1. Encryption. All communication between you and your patient should be protected, and the best way to achieve this is to encrypt such information. Encryption ensures that if anybody hacks into your conversation, all they will see is gobbledygook—unless they have the encryption key. Skype, FaceTime, and Google Hangouts all encrypt their data, probably at a level that is stringent enough to meet HIPAA guidelines.

2. Business Associate Agreement (BAA). HIPAA defines a “business associate” as any company that: a) helps you run your practice, and b) has access to PHI. Business associates include your billing company, your answering service, your transcriptionist, your EHR vendor, and others. All these services require either storage of PHI or entrusting people to see the information. HIPAA requires that all of these specially defined business associates sign a contract stating that they will keep your patients’ health information secret. This is the so-called business associate agreement, or BAA.

Skype, FaceTime, and Google Hangouts do not offer such agreements (though Skype offers a paid business version that does). So they’re not HIPAA compatible, right? Probably wrong—because of a HIPAA provision called the “mere conduit” exception. If a company is not in the business of actually storing PHI, but simply helps to transmit it from point A to point B, then it doesn’t have to sign a business associate agreement. The analogy often used is a mail courier service, like FedEx. FedEx transports packages from place to place, but the company does not open them. Similarly, Skype transmits encrypted information but does not look at it or store it anywhere for review.

Not everyone agrees that Skype qualifies as a “mere conduit.” A common argument is that since Skype cooperates with law enforcement to investigate criminal communication, this means that the company does have a digital “back door” that could potentially be hacked by the bad guys (though this has not happened). Because of this admittedly remote possibility, some people contend that Skype should be treated like a business associate.

We don’t agree with that argument, but we acknowledge that it is a debatable point. For us, the fact that Skype (and FaceTime and Google Hangouts) securely encrypt all transmissions makes these technologies sufficiently HIPAA compatible.

As a bit of an aside, given the gnashing of teeth about Skype’s privacy, why don’t we ever hear worries about the simple telephone? Surely the phone, the constant victim of wiretaps in crime dramas, can’t be HIPAA compatible? Most experts seem to avoid this question—but some say that tapping a phone is actually much harder than hacking into email. That’s good enough for me!

3. Monitoring for breaches. You’re supposed to have a way of monitoring any communication you use for breaches, and the government should be able to audit it. Skype won’t provide you with a report like this. On the other hand, there have been no reports of hackers actually listening in on conversations—the main risk is that hackers could look at your call log.

The bottom line is that Skype, FaceTime, and Google Hangouts are all encrypted video platforms that are widely adopted, easy to use, and free. Their official HIPAA compatibility is the subject of ongoing debate, but many clinicians use them anyway.

For an excellent in-depth discussion of Skype’s HIPAA issues, see the free Web article here.

For a good overview of HIPAA in general for psychiatrists, see the APA website (available to APA members only).