By René Quashie
The issue of whether to use Skype or similar web-based platforms is a vexing one for many healthcare providers. Skype has been used by healthcare providers as a means by which to communicate with patients.
(For purposes of this article, the term “Skype” will be used to include Skype and similar free web-based communication platforms relying on proprietary voice over Internet technology. Note that Skype and similar platforms are proprietary services.)
Telehealth practitioners in particular have used web-based platforms for patient interaction, especially in certain telehealth subspecialties such as psychiatry. And it is easy to see why.
Skype and similar platforms are generally free and familiar to millions worldwide. Many use Skype as a means to keep up with family and friends. Some use Skype to conduct business teleconferencing. It is simple to use and is readily available.
Although Skype is ubiquitous, its use may be inappropriate for healthcare providers, as web-based platforms raise a number of significant HIPAA privacy and security issues:
By way of quick background, HIPAA and its resulting regulations pertaining to privacy and security require covered entities such as healthcare providers to protect the confidentiality of protected health information and guard against unauthorized access, use, and disclosure of such information.
Among other things, the HIPAA rules require:
The use of web-based platforms, especially those that are proprietary, makes it difficult for healthcare entities to meet many of their HIPAA obligations. As a consequence, telehealth providers carry a higher risk of potentially violating HIPAA rules when they use services such as Skype.
And meeting HIPAA requirements has become more critical than ever given the recent surge in HIPAA enforcement activity. For example, in September 2012, the Department of Health and Human Services Office of Civil Rights (HHS OCR) entered into a $1.5 million settlement with a Massachusetts provider that, among other things, failed to conduct an analysis of the risk to the confidentiality of electronic health information maintained on certain devices.
The Health Information and Trust Alliance and other leading information security organizations generally recommend against the use of Skype and similar platforms for communications involving health information. These organizations have concluded that web-based platforms are not secure, and are an inappropriate way by which to communicate with patients, especially when the communication involves health information. Their view was confirmed late last year when a security flaw was discovered in Skype that put users’ personal information at risk of disclosure.
All of this does not mean a healthcare professional should not use Skype to communicate with patients, only that they should be aware of the increased risk of violating HIPAA and think long and hard prior to using such technology. Should a provider insist on using Skype, there are some steps they should consider to better protect themselves from potential HIPAA liability:
These and other steps may not be enough to fully protect a provider from potential HIPAA issues. Thus, to the extent that a provider can use fully encrypted, non-web-based, and secure technology, they should do so.
Many companies provide such secure services albeit at a cost. Which brings us back to Skype and why it is particularly attractive both to providers and patients: it is free. But that alone is not enough to warrant its use – the risks are too high.