Saturday, June 6, 2009

Skype and HIPAA: Myth Buster

The potential of home-based telepsychiatry assumes that both patient and remote physician use a clinically and technologically appropriate combination of encrypted consumer-based video-teleconferencing equipment (e.g., Skype (TM)) and high-speed internet to conduct routine psychiatric consultations from their own homes or offices.

One potential reason this process has not yet blossomed fully is the concern regarding confidentiality, especially as it pertains to the dreaded HIPAA Privacy Rule and health-related data transmission via the internet. Please recall that not all providers are considered to be a covered entity under HIPAA, and it is not clear whether live video-teleconferencing data qualifies as an electronic transmission (sending) of a "covered transaction".

In any event, Skype (TM) is HIPAA-compliant. According to emails I have received from representatives of The Office of eHealth Standards and Services at the CMS Headquarters in Baltimore, Maryland,

"CMS does not advise on technology specific issues,
because the HIPAA [Privacy] Rule specifically allows for flexibility
in the approach to safeguarding information..."

So there you have it, myth busted. Who can argue that use of Skype's 256-bit encryption technique does not meet HIPAA's intentionally vague requirement that covered entities safeguard the transmission of private health information?

The representatives further communicate that to be absolutely compliant, a covered entity must assemble a Risk Management Plan, documenting its understanding of the risks (i.e., transmission via standard internet lines means potential access to the data at all nodes) and a plan to address them (i.e., sophisticated 264-bit encryption).

In my next entry I will address the issue of the Ryan Haight Act, otherwise known as the Internet Pharmacy Consumer Protection Act of 2008, and its potential impact on home-based telepsychiatry, or lack thereof...