These days, video-call platforms are a dime a dozen.
But, the one with the lion’s share of name recognition — the one that has become synonymous with online video communication — is, undeniably, Skype. And as psychology tells us, people tend to develop preferences based on familiarity — which means they may be more comfortable using Skype than any other video calling application.
That creates a bit of a conundrum for healthcare providers looking to deliver services via videoconferencing, because while patients may prefer to consult with their physicians using a program with which they are already familiar, doctors are legally obligated to uphold all provisions of the Health Insurance Portability and Accountability Act (HIPAA).
Unfortunately — and unsurprisingly (this is healthcare law, after all) — there seems to be a lot of confusion as to whether Skype checks all the right HIPAA-compliance boxes. And while I always recommend that providers consult with a healthcare law attorney prior to making any HIPAA-related judgment calls, here’s what I can tell you:
Microsoft has a business associate agreement (BAA) for HIPAA compliance purposes.
Per HIPAA, covered entities — including physicians — must enter into special contracts with external business associates that may handle, or be exposed to, protected health information (PHI). These contracts — called business associate agreements (BAAs for short) — set forth all the provisions for each party’s adherence to HIPAA requirements.
Skype’s parent company, Microsoft, offers a BAA — and according to this page, “Once a BAA is in place, Microsoft customers — covered entities — can use its services to process and store PHI.”
But, Skype may not be covered by that BAA.
As explained here, Skype is part of Office 365 Online, which technically means it meets the standards for HIPAA compliance “as long as you have ‘Skype for Business’ and the signed BAA with Microsoft.” Of course, most consumers — patients included — use the free version of Skype, which does not fall under the umbrella of BAA coverage.
Either way, Skype has some serious security vulnerabilities.
The above-cited article goes on to warn that “Skype lacks many controls and features that are actually required for an organization to be compliant, such as access auditing, backups, and breach reporting.”
So, while the extent to which the application is covered under Microsoft’s BAA is unclear, the whole BAA discussion is essentially moot, because the program’s technological architecture doesn’t meet HIPAA standards anyway.
“Experts have pointed out that Skype has a disturbing history of small holes that could lead to data breaches, leak chat conversations or reveal the locations of users,” contributor Hattie Hayes explains in this blog post. “If using Skype in your medical practice … you risk compromising serious amounts of personal health information.”
Thus, physicians and other covered entities are better off using video-call technology built specifically for healthcare providers.
In this case, the old saying, “better safe than sorry” definitely applies: after all, HIPAA violations come with a pretty hefty price tag. So, save Skype for chatting with your Canadian cousins or checking in with your pets while you’re on vacation.
When it comes to providing professional telehealth services, partner with a healthcare-focused platform that has HIPAA on lock. Your patients will thank you — even if they don’t immediately recognize the name.