Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Skype HIPAA Risks Not Given Enough Attention

Posted on December 5, 2012 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

At this point, I don’t imagine too many providers use Skype to communicate with patients, if for no other reason than I haven’t heard my wired physician friends mention it.

But even if the numbers are small, it seems we may not have been paying enough attention to services like Skype, whose security may be good enough for personal conversation, but not for patient communication.

A recent item on a legal blog offers a reminder that Skype — and other Web-based communications platforms — pose security risks that may compromise a provider’s ability to comply with HIPAA.

Why should providers be concerned about using Skype and its kin to conduct free videoconferences with patients?  Well, a quick look at the security requirements HIPAA imposes, as cited by Epstein Becker Green attorney Rene Quashie, offers an idea:

  • Access controls.
  • Audit controls.
  • Person or entity authentication.
  • Transmission security.
  • Business Associate access controls.
  • Risk analysis.
  • Workstation security.
  • Device and media controls.
  • Security management processes.
  • Breach notification.

I have no in-depth knowledge of the Skype infrastructure, but my guess is that it fails most of the tests above.  And given that it’s a proprietary platform, it’s not as though hospitals or medical practices can build these controls onto Skype with any ease.

However, Mr. Quashie does offer a series of procedures to help mitigate the risks associates with Skype and its relatives:

  • Request audit, breach notification, and other information from web vendors.
  • Have patients sign HIPAA authorization and separate informed consent as part of intake procedures when using web-based platforms.
  • Develop specific procedures regarding the use of Skype and similar platforms (interrupted transmissions, backups, etc.).
  • Train workforce regarding the privacy and security risks associated with these platforms.
  • Exclude the use of these platforms for vulnerable populations (i.e., severely mentally ill, minors, those with protected conditions such as HIV).
  • Limit to certain clinical uses (i.e., only intake or follow up).

All of that being said, this clearly suggests the need for HIPAA-compliant videoconferencing services via the Web. And while they may exist, I’m certainly not aware of any market leaders. Your turn, readers?  Do you agree that there’s a need for such services?  Do any exist already that have traction in the arena?

A Fully Integrated Medication Process With Cerner

Posted on I Written By

Together Cerner is removing the administrative burdens and automating processes to improve clinical efficiency and accuracy to deliver better outcomes.
• Implement an integrated medication process, from ordering to administration
• Improve interoperability by working with medical device manufacturers and strategic suppliers that support your medication process
• Shape the future of medication logistics and point-of-care delivery



Watch the video.