Are Your Online Tools PHIPA and HIPAA Compliant?

Jul 02, 2019

You are constantly looking for ways to better serve your clients. From new administrative solutions to new online technologies to better connect and engage with your clients, you are constantly improving your care delivery. But are these tools really helping you?

Many of the tools most commonly used by practitioners today, such as Skype or Google Hangouts, are not compliant. The Personal Health Information Privacy Act (PHIPA) in Canada and the Health Insurance Portability and Accountability Act (HIPAA) in the US require technology providers in healthcare applications to meet a certain level of encryption and to follow a defined set of procedures for handling data. This is not always the case with Skype, so by using it you could be putting your clients’ confidentiality and your practice at risk. While these tools can help you increase satisfaction and continuity of care, they come at a cost to you and your clients’ privacy, primarily because of something called end-to-end encryption (E2E encryption).

End-to-End Encryption
Skype states that it uses complete encryption, meaning communications are encrypted by one user and decrypted only when they reach the designated receiver. However, several reports by independent privacy and security researchers indicate that this is not the case. Skype’s privacy policy clearly states that it may use automated scanning to identify spam and links to sites engaged in phishing and fraud, but many researchers have reported that links they sent were opened even though they pointed to nothing of the sort.

Unlike other secure messaging solutions, chat transcripts and records of communications from Skype sessions are retained on Microsoft servers after a session has been completed. While the content of the session isn’t recorded, the metadata showing that a communication occurred between two people is. In a field where there is already high stigma around the use of mental health services, these metadata exposure points can put client information at risk and potentially reduce their likelihood of continuing mental health treatment.

Similarly, Google has publicly admitted that Hangouts does not use E2E encryption, meaning the company itself can tap into sessions if and when it receives a government order to do so. Google Hangouts is particularly challenging because it was developed as a social networking tool, so depending on your clients’ privacy settings, it may even notify their social network that they just had a call with you. This type of error occurs frequently for users new to the platform.

While video messaging tools such as Skype and Google Hangouts can enable the development of strong relationships between providers and clients, they pose a significant privacy risk, particularly in the field of mental health. To continue engaging your clients virtually through and between appointments, explore solutions that offer secure video and messaging with strong 256-bit end-to-end encryption. If you are new to virtual care, get started with these 8 ways to incorporate virtual care into your practice. OnCall Health has been a North American leader in providing strong, secure telemedicine options for providers across Canada and the US.
