
Skype HIPAA Risks Not Given Enough Attention

Posted on December 5, 2012 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

At this point, I don’t imagine too many providers use Skype to communicate with patients, if for no other reason than I haven’t heard my wired physician friends mention it.

But even if the numbers are small, it seems we may not have been paying enough attention to services like Skype, whose security may be good enough for personal conversation, but not for patient communication.

A recent item on a legal blog offers a reminder that Skype — and other Web-based communications platforms — pose security risks that may compromise a provider’s ability to comply with HIPAA.

Why should providers be concerned about using Skype and its kin to conduct free videoconferences with patients?  Well, a quick look at the security requirements HIPAA imposes, as cited by Epstein Becker Green attorney Rene Quashie, offers an idea:

  • Access controls.
  • Audit controls.
  • Person or entity authentication.
  • Transmission security.
  • Business Associate access controls.
  • Risk analysis.
  • Workstation security.
  • Device and media controls.
  • Security management processes.
  • Breach notification.

I have no in-depth knowledge of the Skype infrastructure, but my guess is that it fails most of the tests above.  And given that it’s a proprietary platform, it’s not as though hospitals or medical practices can build these controls onto Skype with any ease.

However, Mr. Quashie does offer a series of procedures to help mitigate the risks associated with Skype and its relatives:

  • Request audit, breach notification, and other information from web vendors.
  • Have patients sign HIPAA authorization and separate informed consent as part of intake procedures when using web-based platforms.
  • Develop specific procedures regarding the use of Skype and similar platforms (interrupted transmissions, backups, etc.).
  • Train workforce regarding the privacy and security risks associated with these platforms.
  • Exclude the use of these platforms for vulnerable populations (i.e., severely mentally ill, minors, those with protected conditions such as HIV).
  • Limit to certain clinical uses (i.e., only intake or follow up).

All of that being said, this clearly suggests the need for HIPAA-compliant videoconferencing services via the Web. And while they may exist, I’m certainly not aware of any market leaders. Your turn, readers?  Do you agree that there’s a need for such services?  Do any exist already that have traction in the arena?

FDA Mobile Health App Monitoring Could Be Delayed Until 2013

Posted on June 1, 2012 | Written By

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.

There have been a few posts over the last couple months concerning the FDA potentially monitoring medical apps. Some think it’s a great idea, others, not so much. Well, the latest news has arrived: It is potentially being delayed until 2013.

The reason for the delay? Iowa Senator Tom Harkin recently proposed a bill (S.3187) that, if passed, would require the FDA to provide a “full-scale report to Congress on its plans for regulating mobile medical apps.” In addition, the Senate would have to give its sign-off before the FDA could even finalize its mobile apps guidance.

If passed, the FDA would have 18 months to finalize this report, which would take a lot of effort to complete.

This has caused a bit of an uproar among different people. Bradley Thompson, an FDA expert for the Epstein Becker Green law firm, said he hopes this doesn’t happen. According to the Fierce Mobile Healthcare article, “he and other proponents are ‘actively talking with Senate Staff’ about the FDA’s timeline, and pushing for the guidance ‘not to be held up.’ With the pace the market is growing and changing, healthcare providers, app developers and others need clarity now on what the FDA expects, and what the regulatory process will be—not in late 2013.”

To me, it seems like if this bill is passed, the mHealth market growth might be hindered. I mean, are the developers of mHealth technology going to want to put a ton of effort into creating different products, when there is a possibility that it may not be in-line with FDA guidelines a year later? I don’t think so. While I am still not sure how I even feel about the FDA monitoring mobile health apps, if it’s going to happen, I’d rather it occur in whatever fashion will be most beneficial for developers. The article I mentioned above says that “it will be interesting to see if it turns into a partisan battle on Capitol Hill.” That it will.