Skype HIPAA Risks Not Given Enough Attention

At this point, I don’t imagine too many providers use Skype to communicate with patients, if for no other reason than I haven’t heard my wired physician friends mention it.

But even if the numbers are small, it seems we may not have been paying enough attention to services like Skype, whose security may be good enough for personal conversation, but not for patient communication.

A recent item on a legal blog offers a reminder that Skype — and other Web-based communications platforms — pose security risks that may compromise a provider’s ability to comply with HIPAA.

Why should providers be concerned about using Skype and its kin to conduct free videoconferences with patients?  Well, a quick look at the security requirements HIPAA imposes, as cited by Epstein Becker Green attorney Rene Quashie, offers an idea:

  • Access controls.
  • Audit controls.
  • Person or entity authentication.
  • Transmission security.
  • Business Associate access controls.
  • Risk analysis.
  • Workstation security.
  • Device and media controls.
  • Security management processes.
  • Breach notification.

I have no in-depth knowledge of the Skype infrastructure, but my guess is that it satisfies few of the requirements above. Note, too, that several items on that list (risk analysis, security management processes, workstation security, device and media controls) are obligations of the covered entity rather than features a vendor supplies, so the practical question is whether a practice can document those controls while using Skype, not whether Skype itself "passes" them. And because it is a proprietary platform, hospitals and medical practices cannot easily layer the controls it lacks onto it themselves.

However, Mr. Quashie does offer a series of procedures to help mitigate the risks associated with Skype and its relatives:

  • Request audit, breach notification, and other information from web vendors.
  • Have patients sign HIPAA authorization and separate informed consent as part of intake procedures when using web-based platforms.
  • Develop specific procedures regarding the use of Skype and similar platforms (interrupted transmissions, backups, etc.).
  • Train workforce regarding the privacy and security risks associated with these platforms.
  • Exclude the use of these platforms for vulnerable populations (e.g., severely mentally ill patients, minors, those with protected conditions such as HIV).
  • Limit use to certain clinical purposes (e.g., only intake or follow-up).

All of that being said, this clearly suggests the need for HIPAA-compliant videoconferencing services via the Web. And while they may exist, I'm certainly not aware of any market leaders. Your turn, readers: do you agree that there's a need for such services? Do any exist already that have traction in the arena?

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.


  • I agree with the problems outlined above, and people may argue whether or not a BAA would be required, but the odds of a company like Skype signing tens of thousands of BAAs with individual providers are probably somewhere between zero and LOL.

  • I’d like to see a secure next-generation communication platform that is Open, such that everyone could use it, which is based on strong crypto and third-party trust. The platform that I envision is a peer-to-peer solution to cut out surveillance or snooping, with key or certificate based authentication. It could rely on cloud based services for key distribution, user presence, and providing third party trust, but no communication should be proxied through external servers.

    Unfortunately, today this technology is not widely accessible. Because we can't rely on our end users (doctors and patients) having direct connections to the internet, it's hard to use P2P technology. This is why Skype works so well: it abstracts away the problem of establishing a link between disparate internet users.

    This has been said before, but the Internet was not designed with security in mind. If we want to leverage true security and accountability, then a rethink of the Internet is required (and ostensibly underway with IPv6). Ultimately we could create the next open internet communication system on top of IPv6. I’d like to see it positioned how email is today in terms of adoption and universality, but by using strong asymmetric encryption, requiring digital signatures, etc. If we could cut out most of the middlemen proxies in the process too, that’d be a boon for privacy. Perhaps something like this exists already, I’d be stoked to hear about it (especially if it’s open source).

  • HIPAA is the problem that needs to be reengineered, as it has been and clearly continues to be compromising the well-being of all of us.

  • Yes, and don’t forget email/Twitter/Facebook/texting is “good enough for personal conversation, but not for patient communication”.

    Re-engineer HIPAA?

    HIPAA is data security.

    HIPAA is not ridiculous or crazy, but it is painful for small practices to understand…yet not difficult to comply with.

    The real problem with a “Skype” solution is it waters down the service a patient gets.

    When I was in the military, for about the first 5 years our annual physical was a solid, in depth physical. By the time I left, you only had a “real” physical every 3 years. The 2 years in between you had a 5 minute Q & A.
    That’s where this is headed if we are not careful.

    Additionally…FREE video conferencing??
    Why would docs want to do this for free?

    They are already squeezed where they don’t spend enough quality time with patients in person, now we expect free video conferencing?
