OnCall Health

Are you using HIPAA compliant telehealth tools?

Are you using PHIPA or HIPAA compliant telehealth tools for your healthcare organization?

You are constantly looking for ways to better serve your patients, from new telehealth solutions to online technologies that let providers connect and engage with patients more easily. But are these tools, and the way they use and control patient data, PHIPA or HIPAA compliant?

Many of the tools most commonly used by practitioners today, such as Skype or Google Hangouts, are not healthcare compliant. The Personal Health Information Privacy Act (PHIPA) in Canada and the Health Insurance Portability and Accountability Act (HIPAA) in the US require a certain level of encryption and a defined set of procedures for handling data by technology providers in healthcare applications. By using telehealth services such as Skype, providers may be putting their patients' confidentiality and their own practice at risk. While these tools may help providers increase satisfaction, create accessible healthcare options, and improve continuity of care overall, the lack of security they provide comes at a cost. That gap comes down to whether the tool actually provides end-to-end encryption (E2E encryption).

Skype states that it uses complete encryption, meaning communications are encrypted by one user and decrypted only when they reach the designated receiver. However, several reports by independent privacy and security researchers indicate this is not the case. Skype's privacy policy clearly states that it may use automated scanning to identify spam and links to sites engaged in phishing and fraud, but many researchers have reported that links they sent were opened in ways that do nothing of the sort.

Unlike other secure messaging solutions, chat transcripts and records of communications from Skype sessions are retained on Microsoft servers after a session is completed. While the content of the session isn't recorded, the data surrounding the fact that communication occurred between two people is. In healthcare, where there is already high stigma around use of certain healthcare services, these metadata exposure points may put patient information at risk.

Similarly, Google has publicly admitted that Hangouts does not use E2E encryption, meaning the company itself can tap into sessions if and when it receives a government order to do so. Google Hangouts is particularly challenging because it was developed as a social networking platform, so depending on a patient’s privacy settings, it may even notify their social network that they just had a call with you. This type of error can occur frequently for users new to the platform.
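To make the distinction above concrete, here is an added example (not OnCall Health's code, and not the code of any product named on this page) in Go, using the standard library's AES-256-GCM. It models a patient and a provider who share a 256-bit session key, and a vendor relay that forwards and retains every message. The relay's retained log shows exactly what the article calls the metadata exposure point: who spoke to whom and when survives on the server even though the content does not. The example assumes the two endpoints established the key through some exchange the relay was not part of; how that exchange works is outside this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Envelope is everything the relay (the vendor's server) receives and retains.
// Under end-to-end encryption the relay sees who talked to whom and when, plus
// opaque ciphertext; it never sees the session content.
type Envelope struct {
	From       string
	To         string
	SentAt     time.Time
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

// Relay models a vendor server that forwards envelopes and keeps a log of them.
type Relay struct {
	Log []Envelope
}

// newAEAD builds an AES-256-GCM cipher from a 32-byte (256-bit) key. This example
// assumes the key was agreed between the two endpoints without the relay's help.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (256 bits)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send encrypts plaintext on the sender's device and hands only the envelope to
// the relay. The routing fields are bound as additional authenticated data, so a
// relay that re-addresses a message breaks the authentication tag.
func Send(r *Relay, key []byte, from, to, plaintext string) error {
	aead, err := newAEAD(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	aad := []byte(from + "->" + to)
	ct := aead.Seal(nil, nonce, []byte(plaintext), aad)
	r.Log = append(r.Log, Envelope{From: from, To: to, SentAt: time.Now().UTC(), Nonce: nonce, Ciphertext: ct})
	return nil
}

// Receive decrypts an envelope on the recipient's device. Anyone without the
// session key, the relay included, gets an authentication error, not content.
func Receive(env Envelope, key []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	aad := []byte(env.From + "->" + env.To)
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// RelayView is what the operator, or anyone who obtains the retained log, can
// read without the key: routing metadata and ciphertext size only.
func RelayView(r *Relay) []string {
	out := make([]string, 0, len(r.Log))
	for _, e := range r.Log {
		out = append(out, fmt.Sprintf("%s -> %s at %s, %d ciphertext bytes",
			e.From, e.To, e.SentAt.Format(time.RFC3339), len(e.Ciphertext)))
	}
	return out
}

func main() {
	// Constructed demo: a patient and a provider share a 256-bit session key.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	relay := &Relay{}
	if err := Send(relay, key, "patient", "provider", "Can we talk about my prescription?"); err != nil {
		panic(err)
	}
	for _, line := range RelayView(relay) {
		fmt.Println("relay sees:", line)
	}
	if _, err := Receive(relay.Log[0], make([]byte, 32)); err != nil {
		fmt.Println("relay cannot decrypt:", err)
	}
	pt, _ := Receive(relay.Log[0], key)
	fmt.Println("provider reads:", pt)
}
```

The point of binding the From and To fields as additional authenticated data is that the server cannot quietly redirect a message; the point of the retained log is that even a correctly implemented E2E system still leaves a record that a particular patient contacted a particular provider at a particular time, which is why vendor data-retention practices matter alongside the encryption itself.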

While video messaging tools such as Skype and Google Hangouts can enable the development of strong relationships between providers and clients, they pose a significant privacy risk particularly in the field of mental health. To continue engaging patients before, during, and after a virtual appointment, providers may consider exploring solutions that offer secure video and messaging with strong 256-bit end-to-end encryption. You can read more about this type of security in our playbook for building a virtual care program. Healthcare leaders can also perform a virtual care vendor security assessment to rate their vendor’s level of safety and security. A Telehealth Privacy and Security Self-Assessment Questionnaire was published by the US National Library of Medicine National Institutes of Health in 2019, which asks enterprises to respond to 49 statements about their virtual care vendor.

Some questions include:

• Are the privacy and security policies and procedures kept current to meet federal and multi-state regulations?
• Is the patient's or representative's informed consent obtained before the PHIPA/HIPAA compliant telehealth session begins?

Prior to choosing a virtual care vendor, enterprises should consider all the security and privacy standards in place to ensure that both they and their patients are protected at all times.