As digital technology becomes more widely available, it seems to infiltrate every aspect of our lives. From ordering food to paying bills, anything can be done through an app, including connecting with your patients. That ability to connect easily and quickly with your patients can be a lifesaver, especially when you’re already overwhelmed by your patient load.
But when it comes to practicing medicine, you need to use the right app. While it’s great that more physicians are comfortable using technology like Skype, video chat apps weren’t designed for telehealth purposes — that means they weren't created to be HIPAA compliant video conferencing platforms and could potentially expose patient health information. As Ian Morris reports for Forbes, "According to figures from 2013, Skype is now used by 300 million people worldwide." These high user numbers mean Skype is a valuable, high-profile target for information thieves.
So how exactly does Skype fare when we look at HIPAA compliant video conferencing requirements? Here’s a quick summary.
HIPAA guidelines require that any software transmitting protected personal health information meet a 128-bit level of encryption, at a minimum. While Skype does meet this requirement with 256-bit encryption that doesn't automatically mean the software is automatically HIPAA compliant.
Business Associate Agreement
In order to comply with the HIPAA Omnibus Rule, Skype would need to enter into a business associate agreement (BAA) with any health provider concerned about HIPAA compliant video conferencing. Since Skype wasn't designed specifically for healthcare purposes, however, it doesn't sign BAAs. Skype doesn't meet criteria for BAA exemption, either as the software transmits more than protected health information.
Documented Security Breaches
Though the company claims it has no access to the information it transmits, Skype has been used to gather data for law enforcement, so there's a possibility that the company could access the encryption key. That means people outside your practice could too. In fact, Skype has received criticism for faults in encryption and other security measures.
In early 2014, security at Skype was called into question when the company's blog and social media accounts were hacked by an outside group. Though no user records were compromised in the attack, indicators suggest it was enabled by a fairly simple phishing scheme.
Experts have pointed out that Skype has a disturbing history of small holes that could lead to data breaches, leak chat conversations or reveal the locations of users. For normal Skype users, this can lead to hacking of basic information. If using Skype in your medical practice, however, you risk compromising serious amounts of personal health information.
When it comes to HIPAA-compliant telehealth, Skype is definitely out of the picture.
And this leads back to the bottom line: Skype isn't engineered for telemedicine use. HIPAA exists to serve patients. Your patients deserve control over their health information, but they should have security, too. Using HIPAA compliant video conferencing technology is one step toward that. Don't put yourself in line for a security breach by using a free software like Skype, or you could face negligence charges and crushing fines.
Instead, seek out telemedicine software that meets HIPAA standards, and invest in your practice.