Is Skype HIPAA Compliant?

Text messaging platforms such as Skype are a convenient way of quickly communicating information, but is Skype HIPAA compliant? Can Skype be used to send text messages containing electronic protected health information (ePHI) without risking violating HIPAA Rules?

There is currently some debate surrounding Skype and HIPAA compliance. Skype includes security features to prevent unauthorized access of information transmitted via the platform and messages are encrypted. But does Skype satisfy all requirements of HIPAA Rules?

This article will attempt to answer the question, Is Skype HIPAA compliant?

Is Skype a Business Associate?

Is Skype a HIPAA business associate? That is a matter that has been much debated. Skype could be considered an exception under the Conduit Rule – being merely a conduit through which information flows. If that is the case, a business associate agreement would not be necessary.

However, a business associate agreement is necessary if a vendor creates, receives, maintains, or transmits ePHI on behalf of a HIPAA-covered entity or one of its business associates. Skype does not create PHI, but it does ‘receive’ and transmit PHI. That said, messages are encrypted and are not accessed by Microsoft. But can Microsoft access the contents of messages? Does Microsoft hold a key to unlock the encryption?

Microsoft does comply with law enforcement requests and will supply information to law enforcement. Information is only disclosed when required to do so by law, for example if a subpoena or court order is issued.

For that to happen, data must first be decrypted. It is unclear whether providing information to law enforcement, and being able to decrypt messages, would mean Skype would satisfy the requirements of the conduit exception. Skype is also not a common carrier; it is software-as-a-service. While this has been debated, it is our opinion that Skype is classed as a business associate and a business associate agreement is required.

Microsoft will sign a HIPAA-compliant business associate agreement with covered entities for Office 365, and Skype for Business MAY be included in that agreement. If a business associate agreement has been obtained from Microsoft, covered entities must check it carefully to make sure it does include Skype for Business. Microsoft has previously explained that not all BAAs are the same.

Skype and HIPAA Compliance: Encryption, Access, and Audit Controls

HIPAA does not demand the use of encryption for ePHI, although encryption must be considered. If encryption is not used, an alternative, equivalent safeguard must be implemented in its place. In the case of Skype, messages are encrypted using AES 256-bit encryption; therefore, this aspect of HIPAA compliance is satisfied.

However, Skype does not necessarily include appropriate controls for backing up messages (and ePHI) communicated via the platform, and neither does it maintain a HIPAA-compliant audit trail. Skype for Business can be made HIPAA compliant if the Enterprise E3 or E5 package is purchased. These packages include the ability to create an archive that stores all communications. Other versions would not satisfy HIPAA Rules.

Is Skype HIPAA Compliant?

So, is Skype HIPAA compliant? No. Is Skype for Business HIPAA compliant? It can be, if the Enterprise E3 or E5 package is purchased and the automatic log-off feature is enabled. In the case of the latter, it is down to the covered entity to ensure Skype is HIPAA compliant. That means a business associate agreement must be obtained from Microsoft prior to using Skype for Business to send any ePHI. Skype must also be configured carefully. To be HIPAA compliant, Skype must maintain an audit trail, all messages must be backed up securely, and all communications must be saved.

Access controls must also be applied on all devices that use Skype to prevent unauthorized disclosures of ePHI. Controls must also be set to prevent any ePHI from being sent outside the organization. Covered entities must also receive satisfactory assurances that in the event of a breach, they will be notified by Microsoft.

Even with a BAA and the correct package, there is still considerable potential for HIPAA Rules to be violated using Skype for Business. Since there are many secure text messaging options available to covered entities, including platforms that have been built specifically for use by the healthcare industry, they may prove to be a better choice. With those platforms, HIPAA compliance is made much more straightforward and it is far harder to accidentally violate HIPAA Rules.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.