Is Skype HIPAA Compliant?

Consumer Skype is not HIPAA compliant for routine use with protected health information. Skype for Business can be used in a HIPAA compliant manner when it is covered by a signed Business Associate Agreement with Microsoft, is deployed on qualifying Microsoft 365 or Office 365 plans, and is configured to support the HIPAA Security Rule safeguards.

Product Scope And Business Associate Agreement Requirements

HIPAA compliance depends on whether the communication service is used in a way that makes the vendor a Business Associate and whether the required written assurances are in place. Using Skype for Business for electronic protected health information requires an executed Business Associate Agreement with Microsoft that covers the applicable services. Organizations must verify that the agreement includes the specific Skype for Business service in use.

Safeguards Required For Electronic Protected Health Information

Encryption of messages supports confidentiality during transmission, but encryption alone does not address the full set of safeguards expected under the HIPAA Security Rule. A compliant deployment requires controls that support retention, secure backup, and auditability of communications when protected health information is exchanged through the platform. Plans that provide archiving and compliance features support message retention and supply evidence of access and activity.

Access Controls And Device Controls

HIPAA compliant use requires unique user identification, controlled authentication, and account administration that limits access to workforce members with a job-related need. Devices used for video or messaging require access controls that prevent unauthorized viewing, including lock settings and session controls. Organizational sharing controls are needed to reduce the risk of protected health information being sent to anyone other than authorized recipients.

Operational Controls And Workforce Training

Policies and procedures must define when Skype for Business is permitted for protected health information, what content is allowed, how recipients are validated, and how communications are documented in designated systems of record when required. Workforce members who handle protected health information through approved communication tools must receive HIPAA training and must follow internal reporting procedures for misdirected messages, suspected unauthorized access, or other security incidents.

Compliance Determination

A HIPAA Covered Entity or Business Associate should treat consumer Skype as not suitable for protected health information workflows. Protected health information communications should be restricted to Skype for Business, and only when a Business Associate Agreement is in place and the deployed plan and configuration support audit controls, retention controls, and secure administration aligned to HIPAA Security Rule requirements.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years' experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications, including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter: https://twitter.com/DanielLHIPAA