Skype HIPAA Risks Not Given Enough Attention

At this point, I don’t imagine too many providers use Skype to communicate with patients, if for no other reason than I haven’t heard my wired physician friends mention it.

But even if the numbers are small, it seems we may not have been paying enough attention to services like Skype, whose security may be good enough for personal conversation, but not for patient communication.

A recent item on a legal blog offers a reminder that Skype — and other Web-based communications platforms — pose security risks that may compromise a provider’s ability to comply with HIPAA.

Why should providers be concerned about using Skype and its kin to conduct free videoconferences with patients?  Well, a quick look at the security requirements HIPAA imposes, as cited by Epstein Becker Green attorney Rene Quashie, offers an idea:

  • Access controls.
  • Audit controls.
  • Person or entity authentication.
  • Transmission security.
  • Business Associate access controls.
  • Risk analysis.
  • Workstation security.
  • Device and media controls.
  • Security management processes.
  • Breach notification.

I have no in-depth knowledge of the Skype infrastructure, but my guess is that it fails most of the tests above.  And given that it’s a proprietary platform, it’s not as though hospitals or medical practices can build these controls onto Skype with any ease.

However, Mr. Quashie does offer a series of procedures to help mitigate the risks associated with Skype and its relatives:

  • Request audit, breach notification, and other information from web vendors.
  • Have patients sign HIPAA authorization and separate informed consent as part of intake procedures when using web-based platforms.
  • Develop specific procedures regarding the use of Skype and similar platforms (interrupted transmissions, backups, etc.).
  • Train workforce regarding the privacy and security risks associated with these platforms.
  • Exclude the use of these platforms for vulnerable populations (i.e., severely mentally ill, minors, those with protected conditions such as HIV).
  • Limit to certain clinical uses (i.e., only intake or follow up).

All of that being said, this clearly suggests the need for HIPAA-compliant videoconferencing services via the Web. And while they may exist, I’m certainly not aware of any market leaders. Your turn, readers?  Do you agree that there’s a need for such services?  Do any exist already that have traction in the arena?