“Skype is not looking after the privacy of your client data, therefore it shouldn’t be used to communicate about mental health issues.”
Dr. Kate Anthony
Leading world expert in the use of technology for mental health
Fellow of the BACP (British Association for Counselling and Psychotherapy)
Co-Founder of the Online Therapy Institute
“Anyone who uses Skype has consented to the company reading everything they write.”
“Microsoft is reading Skype messages”
“If you opt to use Skype to communicate with patients, be aware of the risk that HIPAA rules may be violated.”
American Psychological Association Practice Central
'Does the use of Skype raise HIPAA compliance issues?'
Written by The Legal and Regulatory Affairs staff at the American Psychological Association (APA) Practice Organisation
“Skype is not a business associate subject to HIPAA nor have we entered into any contractual arrangements with covered entities to create HIPAA compliant privacy and security obligations.”
Authority figures oppose the use of Skype for online therapy.
Practitioners should not be using Skype to conduct therapy or counselling over the internet because it does not meet appropriate data privacy and security standards.
If an organisation is promoting the use of ‘Skype therapy’ then they need to immediately reconsider their practices if they wish to remain credible. Sharing this page with them will help them understand why.
HIPAA compliance is the gold standard of data privacy in the health profession. Skype is not HIPAA compliant.
Skype has publicly stated it is not appropriate for online therapy, and does not wish to be HIPAA compliant.
"PlusGuidance is a HIPAA compliant, highly secure platform for therapists to do online therapy via video call, voice call and instant-messaging with their clients."
Founder & Chief Executive Officer
Because we are so familiar with Skype, we have come to trust it. This is why it is important to evaluate the evidence behind its security and confidentiality, particularly with regard to its role in healthcare.
Skype and other telecommunication platforms are being used by therapists and counsellors (amongst other healthcare practitioners) to carry out treatment at a distance. Skype is easy to use, readily available, has free and paid services, and connects users to approximately 600 million people worldwide. Its high use is mainly due to Skype-to-Skype user calls being free, but the consequences of this are undetermined.
In May 2013, Naked Security published a report titled “Microsoft is reading Skype messages” and showed that URLs are embedded in a Skype conversation, meaning Microsoft has access to an unencrypted form of messages.
Skype and standards
When using Skype:
Skype, as a proprietor, has rights to the data transmitted through it
There is no reliable audit trail
Breaches can go undetected
There is a lack of controls to maintain the integrity of data
There is no way to verify that transmissions are secure
HIPAA compliance legislation has been introduced in America as a set of strict standards that all healthcare providers are legally required to comply with. It has become the gold standard of security and privacy for health practices across the world.
Because Skype is not established as a healthcare service provider, it has no agreements with or obligations to the therapists and clients who use its site. These agreements are essential to be HIPAA compliant, but more importantly this lack of obligation leaves clients vulnerable to mistreatment and to their health information being misused.
Skype is not HIPAA compliant, as a spokesman recently commented:
“Skype is not a business associate subject to HIPAA, nor have we entered into any contractual arrangements with covered entities to create HIPAA compliant privacy and security obligations.” - Harvey Grasty, Skype representative
Why is it important to be HIPAA compliant?
Protected Health Information (PHI) is any information about health and treatment that is linked to a specific individual. HIPAA compliance ensures that the PHI of every individual (under the covered entity) is secure and protected. HIPAA compliance means that PHI is not misused or distributed, and that it remains intact. It ensures PHI is monitored and reviewed and that security measures remain effective.
Some of the measures PlusGuidance takes to be HIPAA compliant include:
Access to data is assigned to staff on a least-needed basis to carry out their role, with activity overseen by an appointed Privacy Officer
Education is provided on HIPAA and organisational policies and procedures
Access is monitored to prevent breaches in security
Risks are regularly and systematically reviewed, monitored and amended as appropriate
Data is securely encoded & encrypted
All of our associates have agreements in place to meet our standards of security
Data held on our system is secured physically, technically and administratively
Protocols are in place for handling privacy-related complaints and for the actions taken against people who do not follow the directives
The Legal and Regulatory Affairs staff at the American Psychological Association (APA) Practice Organisation also point out the issues related to Skype when considering online therapy:
“Some organizations recommend not using Skype and similar web-based platforms because of concerns related to HIPAA requirements.
The bottom line: If you opt to use Skype to communicate with patients, be aware of the risk that HIPAA rules may be violated.”
In 2014, the APA also released a Resource Document on Telepsychiatry and Related Technologies in Clinical Psychiatry. Should you choose to review their notes on different online therapy practices, you can download the document
Further limitations of Skype
In addition to the issues of security and privacy, there could be arguments about the feasibility of using Skype in relation to other areas of your practice.
Skype is only a telecommunications tool. You can’t receive payments through Skype and you can’t manage your billings and invoices. Having these capabilities is of utmost importance in order to avoid any issues related to tax and insurance.
The standard indemnity insurance used for your in-person practice will likely not cover the work you do on Skype. If your current policy does not cover online work, you could just expand your coverage. But there is an issue: many insurance providers will not cover Skype therapy. Generally, if your insurance company hasn’t traditionally covered telephone services, they will most likely not pay for Skype sessions and any other non-HIPAA-compliant video online service.