As coronavirus sweeps the country, the patient load swamps the ability of health care professionals to deal with the crisis. In the United States, one measure used to expand capacity is telemedicine. Consequently, one concern that has taken on an increasing urgency is whether FaceTime and Skype are HIPAA compliant. Experts diverge in their answers. That said, it is my assessment that they are. My conclusion hinges on the following analysis.
By way of background, President Trump’s declaration of emergency contains a specific provision allowing the Secretary of Health and Human Services to relax certain HIPAA standards. This reflects the Administration’s approach where the current emergency requires regulatory flexibility.
Turning to technology, one HIPAA objective is to control protected health information (PHI) access. Individuals needing access (e.g., to get payment) are entitled to it. But PHI is to be protected from others.
Applying HIPAA to Skype and FaceTime is knotty. At first, physicians, patients, and the health community hesitated to venture outside specialized and pricey HIPAA compliant equipment. The proliferation of smartphones brought free videoconferencing capabilities to most Americans. Patients and healthcare professionals alike were comfortable using them for work.
Unfortunately, there is no consensus on whether FaceTime and Skype are HIPAA compliant. HHS mandates only “reasonable administrative, technical, and physical safeguards” to protect PHI. Furthermore, the HIPAA Privacy Rule is flexible. It does not mandate specific practices or actions that must be taken by covered entities. (see https://www.healthit.gov/sites/default/files/nationwide-ps-framework-5.pdf)
There are three HIPAA guidelines that relate to using FaceTime or Skype. The first is encryption. All PHI must be protected, and the best way to do so is through encryption. Encryption ensures that a hacker who intercepts your PHI dialogue without the encryption key will get only gibberish. Both Skype and FaceTime encrypt their data. Thus, their encryption is probably sufficiently stringent to meet HIPAA benchmarks.
Second, there is the Business Associate Agreement (BAA) requirement. The Business Associate is one of your vendors with access to your PHI. HIPAA requires Business Associates to commit contractually to protect PHI. This is the so-called business associates agreement, or BAA.
Skype and FaceTime will not sign BAAs (though Skype offers a paid business version that does). Even so, they are covered by HIPAA’s “mere conduit” exception. If a company merely transmits PHI from point A to point B, then it doesn’t have to sign a BAA. The analogy often used is the mail service. The United States Postal Service transports packages, but does not open them. Similarly, Skype transmits encrypted PHI. But it neither stores nor reviews it.
Some skeptics challenge the use of the “mere conduit” provision for Skype or FaceTime. One argument is that Skype cooperates with police. This requires a backdoor that hackers could potentially exploit. Because of this admittedly remote possibility, some people contend that Skype should be treated like a business associate.
It is a debatable point. My assessment is that Skype and FaceTime’s PHI encryption meets the HIPAA threshold. Both services are better protected than the regular telephone. If a physician can use a telephone to discuss PHI, logic dictates that he can also do so over Skype or FaceTime.
Finally, HIPAA requires that HHS be able to audit communications for breaches. FaceTime and Skype do not currently support this. On the other hand, there is no known instance of hackers acquiring PHI communication. Building on the telephone analogy, no telephone provider has the wherewithal to detect a breach should one occur. And unlike AT&T and Verizon, Skype and FaceTime are encrypted.
The Department of Veterans’ Affairs accepts Skype and FaceTime as HIPAA compliant. Other providers are available for practices that seek more stringent safeguards. In the meantime, the debate over Skype and FaceTime’s HIPAA compliance has raged for a decade. OCR has cited no entity for their use in that time. It is unlikely to do so during a global health emergency.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.