Skype & HIPAA: Dream or Nightmare?

By René Quashie

The issue of whether to use Skype or similar web-based platforms is a vexing one for many healthcare providers. Skype has been used by healthcare providers as a means by which to communicate with patients.

(For purposes of this article, the term “Skype” will be used to include Skype and similar free web-based communication platforms relying on proprietary voice over Internet technology. Note that Skype and similar platforms are proprietary services.)

Telehealth practitioners in particular have used web-based platforms for patient interaction, especially in certain telehealth subspecialties such as psychiatry. And it is easy to see why. 

Skype and similar platforms are generally free and familiar to millions worldwide. Many use Skype as a means to keep up with family and friends. Some use Skype to conduct business teleconferencing. It is simple to use and is readily available. 

Notwithstanding the fact that Skype is ubiquitous, its use may be inappropriate for health care providers, as web-based platforms raise a number of significant HIPAA privacy and security issues:

  • Many platforms are proprietary, meaning that health care providers have no way to determine whether information is stored, and if so, what information
  • Users cannot reliably develop and verify an audit trail
  • There is no reliable way to verify transmission security
  • Users have no way to know when a breach of information occurs
  • There is a lack of integrity controls to ensure that electronic protected health information is not altered

By way of quick background, HIPAA and its resulting regulations pertaining to privacy and security require covered entities such as healthcare providers to protect the confidentiality of protected health information and guard against unauthorized access, use, and disclosure of such information.

Among other things, the HIPAA rules require:

  • Access controls
  • Audit controls
  • Person or entity authentication
  • Transmission security
  • Business Associate access controls
  • Risk analysis
  • Workstation security
  • Device and media controls
  • Security management process
  • Breach notification

The use of web-based platforms, especially those that are proprietary, makes it difficult for healthcare entities to meet many of their HIPAA obligations. As a consequence, telehealth providers carry a higher risk of potentially violating HIPAA rules when they use services such as Skype. 

And not meeting HIPAA requirements has become more critical than ever given the recent surge in HIPAA enforcement activity. For example, in September 2012, the Department of Health and Human Services Office of Civil Rights (HHS OCR) entered into a $1.5 million settlement with a Massachusetts provider that, among other things, failed to conduct an analysis of the risk to the confidentiality of electronic health information maintained on certain devices.

The Health Information and Trust Alliance and other leading information security organizations generally recommend against the use of Skype and similar platforms for communications involving health information. These organizations have concluded that web-based platforms are not secure, and are an inappropriate way by which to communicate with patients, especially when the communication involves health information. Their view was confirmed late last year when a security flaw was discovered in Skype that put users’ personal information at risk of disclosure.

All of this does not mean a healthcare professional should not use Skype to communicate with patients, only that they should be aware of the increased risk of violating HIPAA and think long and hard before using such technology. Should a provider insist on using Skype, there are some steps they should consider to better protect themselves from potential HIPAA liability:

  • Request audit, breach notification, and other information from the platform companies
  • Have patients sign a HIPAA authorization and a separate informed consent as part of intake procedures when using web-based platforms
  • Develop specific procedures and protocols regarding the use of Skype and similar platforms (interrupted transmissions, backups, etc.)
  • Formally train the workforce on the use of these platforms
  • Exclude the use of these platforms for vulnerable populations (e.g., the severely mentally ill, minors, those with protected conditions such as HIV)
  • Limit use to certain clinical purposes (e.g., only intake or follow-up)
  • Use secure platforms with audit trail, breach notification, and other capabilities

These and other steps may not be enough to fully protect a provider from potential HIPAA issues. Thus, to the extent that a provider can use fully encrypted, non web-based, and secure technology, they should do so.
Many companies provide such secure services, albeit at a cost. Which brings us back to Skype and why it is particularly attractive both to providers and patients: it is free. But that alone is not enough to warrant its use – the risks are too high.