Skype and similar web-based platforms are increasingly becoming a way for many physicians and other health care practitioners to communicate and interact with patients at a distance. Many telehealth practitioners in particular use web-based platforms for the delivery of care and communications with patients—especially in certain telehealth subspecialties such as telepsychiatry. The reasons are clear. Skype is essentially free—there is no charge for making calls to other Skype users, although there are fees for making calls to mobile and landline telephones. Skype is also ubiquitous. Skype alone is estimated to have approximately 600 million users worldwide, and its many users rely on Skype to communicate with professional associates, family, and friends. These figures do not even take into account users of other platforms that are proving popular with consumers and professionals alike. In other words, web-based platforms are easy to use and readily available.
Nevertheless, the issue of whether to use Skype or similar web-based platforms is a vexing one for many health care providers. Notwithstanding the fact that Skype is ubiquitous, its use may be inappropriate for health care providers, as communication and treatment via web-based platforms raise a number of significant HIPAA privacy and security issues:
• Many platforms are proprietary, meaning that health care providers have no way to determine whether information is stored or what information is stored.
• Users cannot reliably develop and verify an audit trail.
• There is no reliable way to verify transmission security.
• Users have no way to know when a breach of information occurs.
• There is a lack of integrity controls to ensure that electronic protected health information is not altered.
By way of quick background, the Health Insurance and Portability Act and its resulting regulations pertaining to privacy and security (“HIPAA”) require covered entities, such as health care providers, to protect the confidentiality of protected health information, and guard against unauthorized access, use, and disclosure of such information. Among other things, HIPAA rules require (or make addressable):
• Access controls – implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access.
This article first appeared in the Spring 2013 issue of TILT Magazine ~ Therapeutic Innovations in Light of Technology.
Rene Quashie is Senior Counsel in the Washington D.C. office of Epstein Becker and Green where he focuses on health care regulatory matters and health care policy. He is also a member of the Legal Resource Team at the Center for Telehealth and eHealth Law.
Access TILT Magazine archives: http://issuu.com/onlinetherapyinstitute/docs