telemedicine Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more

Posts Tagged ‘telemedicine’

Is Skype HIPAA Compliant? If not, what is?

Saturday, May 9th, 2020


In recent times we have seen a huge push toward telehealth, so many are wondering, “Is Skype HIPAA compliant?” While Skype is a practical tool that many people have access to, it’s important to consider any regulatory obligations you need to meet before you use it.

If your business collects, stores, transmits or processes electronic protected health information (ePHI), then it is subject to HIPAA regulations. Organizations that process ePHI on behalf of other parties also need to comply with the rules; otherwise they may face heavy fines.

Regardless of whether your organization provides health services through video or it uses video platforms to process ePHI in any other way, it needs to make sure it is using software that abides by the regulations.

Wondering, “Is Skype HIPAA compliant?” is a good starting point, but there are several things to consider before you commit to a video conferencing service.

Do You Need a BAA to Make Skype HIPAA Compliant?

A business associates agreement (BAA) is a contract between your organization and any others that process its data. In essence, these agreements outline how ePHI will be used, what control measures will be in place, and where the responsibilities lie between the two parties.

BAAs are absolutely necessary for HIPAA compliance. Even if your organization and its partner share ePHI with every control and security mechanism imaginable, as well as following all other aspects of the regulations, it would still be violating HIPAA if a signed BAA was not in place.

If your organization is going to be sharing ePHI over a video service, then it needs to be HIPAA-compliant.* However, the only way that it can be HIPAA compliant is if a BAA is in place.

Is Only the Business Version of Skype HIPAA Compliant?

Skype comes in several different versions, but the basic, consumer-oriented one is not HIPAA compliant. The only type that offers BAAs and which could be made HIPAA compliant is Skype for Business, which is one of Microsoft Office’s business communication tools. Note that “Skype for Business” is a completely different service than consumer Skype.

However, it’s also worth noting that Skype for Business is currently being phased out in favor of Microsoft Teams. If you don’t already have a supported version of Skype for Business, you should look for HIPAA-compliant alternatives instead. Support for Skype for Business Online ends in 2021, while support for Skype for Business Server will be extended until 2025.

With this in mind, it’s probably not worthwhile pursuing any version of Skype for HIPAA compliance. If you use the basic version of Skype, you will be violating the regulations, and even if you can get Microsoft to sign a Skype for Business BAA, you may have to switch your software in 2021 anyway.

HIPAA-Compliant Alternatives to Skype

Considering that Skype for Business doesn’t have much time left and that it is not even the same as “regular Skype,” your organization will be better off finding a HIPAA-compliant alternative. One option is LuxSci’s SecureVideo, which was designed specifically to make it easy to stay within the regulations.

SecureVideo was developed from the ground up with HIPAA compliance in mind, ensuring that it became a practical video calling service that made security and compliance simple. The Zoom for Healthcare-based platform is great for telemedicine and other forms of sharing ePHI.

SecureVideo includes handy features like screen-sharing, file-sharing and virtual clinics, with a capacity of up to 100 participants. This makes LuxSci’s SecureVideo a convenient and compliant alternative to Skype.


* During the Covid-19 pandemic, HHS has waived responsibility for breaches through non-compliant video conferencing services, like Skype. So, while Skype may not be compliant, it is OK to use during the pandemic. However, as the pandemic subsides and this waiver is lifted, you should have transitioned to a service that is actually HIPAA compliant.

The Different Types of Telehealth & How to Stay HIPAA-compliant

Thursday, October 17th, 2019

When many people think of telehealth, they tend to focus on remote medical care. Telehealth is actually a much broader field that includes these health services, but also stretches to healthcare prevention, advice, education, reminders, monitoring, and more.

Since telehealth encompasses so much, it’s important to examine how HIPAA regulations can be applied to each of these aspects.

Remote Health Care

Remote health care, also known as telemedicine, involves providing medical services through video calls and other technologies. It can help to provide care in rural communities and eliminate travel times for healthcare practitioners, which increases efficiency.

HIPAA regulations apply to all telemedicine because its very nature involves recording and processing electronic protected health information (ePHI). Because of this, every communication channel that is used for telemedicine needs to be HIPAA-compliant, whether it is for video calls, voice calls, email or other means.

These channels need to be encrypted to prevent attackers from intercepting ePHI, and access control needs to be in place so that only authorized persons can access the data. There are a number of other safeguards that should also be used, but these depend on the communication channel.

Monitoring

In-home monitoring has become more common in recent years, because it allows healthcare practitioners to keep an eye on patients while they are in the comfort of their own homes.

This can have several benefits, such as allowing patients to be released from hospital early, limiting the number of times that patients need to visit medical professionals for checkups, or reducing how frequently healthcare practitioners need to make visits to a patient’s home.

Despite these advantages, there are also a number of privacy issues. Remote monitoring can involve a range of different devices in the patient’s home, such as connected scales, blood pressure monitors, glucose monitors and heart rate monitors.

This data needs to be transmitted back to the healthcare professionals, which means that the very nature of the process creates and transmits ePHI. To protect this data, safeguards need to be in place at each step. These measures can include access control, encryption and more.

Healthcare Prevention, Advice & Education

Whether or not these services are regulated by HIPAA will depend on their content and focus. If protective measures are required, then the appropriate safeguards will vary according to how the message is delivered.

The first step is to determine whether any potential healthcare prevention, advice or education contains ePHI. This will depend on the circumstances. If a doctor’s secretary emails all of the doctor’s patients about getting a flu shot ahead of winter, this is not regarded as ePHI, because it does not specify any patient’s health condition, treatment or payment details (unless being on this mailing list identifies you as a patient of this doctor and that implies something about your medical history).

Things become murkier if the same secretary sends out an email about depression treatments to those patients who suffer from the illness. Since this is targeted to a specific group of people who have the condition, it could be seen as revealing details about their health.

It’s a bit of a gray area, so if your organization finds itself in this position, it’s best to stay on the safe side and protect the information as if it were ePHI. If the prevention, advice or education does include ePHI, then protective measures such as encryption need to be in place.

Reminders

If your organization sends reminders out to its patients, it needs to be wary of whether these contain ePHI. They can be helpful for reminding patients about upcoming appointments, to take their medication, or to refill prescriptions, but your organization needs to be careful about their content and how they are sent.

If any of your organization’s reminders contain ePHI (and such reminders almost always do), then it needs to make sure that they are only sent over secure, HIPAA-compliant channels.

Delivering Telehealth Securely & within HIPAA Regulations

Telehealth can be beneficial for both healthcare providers and patients. If your organization offers these services, it’s important to take security and HIPAA regulations into account; otherwise, it could face a serious data breach or HIPAA penalties.

Keep your business and your patients safe by using a HIPAA-compliant provider like LuxSci. It has almost 20 years of experience and offers a range of telehealth services, such as video calls, voice calls, secure chat and more.
