This week we had an interesting discussion on Twitter about whether Skype was HIPAA Compliant or not? Well, there is a simple answer to this one, No.
Wait, why not? Well, they encrypt the data stream using 256-bit encryption, it’s convenient because people are quite familiar with this product, and it’s free to use. So it sounds like a great product to use when communicating with your patients and clients, right? Encryption alone does not a HIPAA compliant product make.
To illustrate how serious this issue is, a doctor was disciplined for using Skype to diagnose and treat patients. He was hit with a 2-year suspension of his license. This wasn’t solely for the use of Skype; he was diagnosing and prescribing medicines to patients he had never met, and one of his patients died, which sparked the audit. The medical board determined that Skype was not an approved Telemedicine communication device.
Microsoft which owns Skype won’t sign a Business Associate Agreement or Business Associate Subcontractor Agreement* with you. This means using Skype is a big no-no for anyone who deals with PHI. Remember, you must have agreements in place with EVERY outside contractor your practice/company uses. This means your records storage and shredding companies, attorney, accountant, cleaning company, IT companies, just to name a few. It is your responsibility to list all of your contractors, make sure that you have up-to-date Business Associate Agreements on file for all contractors. If you haven’t updated those within the last year, this means that you need to rework those agreements. There have been many changes to HIPAA since last year, and you are required to reflect these changes in your agreements.
With the common agency provision in HIPAA, you’re now required to make sure your contractors are HIPAA compliant. This means review agreements, and ask to see both Privacy and Security Policies and Procedures. If your contractors can’t or won’t produce those items, it’s time to find some new folks to work with.
This is your business and livelihood we are talking about, and you need to protect yourself at every turn!
Stay HIPAA Compliant, my friends!
*Remember, covered entities have business associates and business associates have subcontractors. This means covered entities send out business associate agreements, and business associates send out business associate subcontractor agreements.