Is Skype HIPAA Compliant?

Text messaging platforms such as Skype are a useful way of quickly communicating data, but can Skype be termed HIPAA compliant? Can Skype be deployed for sending text messages that include electronic protected health information (ePHI) without risking a breach of HIPAA Rules?

There is currently some discussion surrounding Skype and HIPAA compliance. Skype includes security features to stop unauthorized access to information transmitted via the platform, and messages are encrypted. But does Skype adhere to all requirements of HIPAA Rules?

This article will try to answer the question: Is Skype HIPAA compliant?

Is Skype a Business Associate?

Is Skype a HIPAA business associate? That question has been much discussed. Skype could be thought of as falling under the Conduit Rule exception – being merely a conduit through which data flows. If that were the case, a business associate agreement would not be a requirement for compliance.

However, a business associate agreement is a legal requirement if a vendor creates, receives, maintains, or transmits PHI on behalf of a HIPAA-covered entity or one of its business associates. Skype does not create PHI, but it does ‘receive’ and transmit PHI. That said, messages are encrypted and are not accessed by Microsoft. But can Microsoft view the contents of messages? Can Microsoft decrypt them?

Microsoft does comply with law enforcement agency requests and will supply information to law enforcement. Information is only shared when Microsoft is required to do so by law, such as when a subpoena or court order is served.

For that to take place, data must first be decrypted. It is unclear whether supplying information to law enforcement, and being able to decrypt messages, would still allow Skype to meet the requirements of the conduit exception. Skype is also not a common carrier; it is software-as-a-service. While this has been debated, it is our opinion that Skype is classed as a business associate and that a business associate agreement is obligatory.

Microsoft will complete a HIPAA-compliant business associate agreement with covered entities for Office 365, and Skype for Business MAY be included in that agreement. If a business associate agreement has been completed with Microsoft, covered entities must check it carefully to confirm whether it does include Skype for Business. Microsoft has previously pointed out that not all BAAs are the same.

Skype and HIPAA Compliance: Encryption, Access, and Audit Controls

HIPAA does not outright require the use of encryption for ePHI, although encryption must be considered. If encryption is not in place, an alternative, equivalent safeguard must be implemented instead. With Skype, messages are encrypted using AES 256-bit encryption; therefore, this aspect of HIPAA compliance is satisfied.

However, Skype does not necessarily include the proper controls for backing up messages (and the ePHI they contain) communicated over the platform, and neither does it maintain a HIPAA-compliant audit trail. Skype for Business can be made HIPAA compliant if the Enterprise E3 or E5 package is purchased. These packages include the ability to set up an archive that stores all communications. Other versions would not satisfy HIPAA Rules.

Is Skype HIPAA Compliant?

Skype is not HIPAA compliant. However, Skype for Business can be HIPAA compliant if the Enterprise E3 or E5 package is purchased. In that case, it is up to the covered entity to ensure Skype is used in a HIPAA-compliant manner. That means a business associate agreement must be completed with Microsoft prior to using Skype for Business to send any ePHI. Skype must also be configured with great care. In order to be HIPAA compliant, Skype must maintain an audit trail, all messages must be backed up securely, and all communications must be saved.

Access controls must also be applied on all devices that use Skype to prevent unauthorized disclosures of ePHI. Controls must also be configured to stop any ePHI from being sent outside the group. Covered entities must also obtain satisfactory assurances that, in the event of a breach, they will be notified by Microsoft.

Even with a BAA and the appropriate package, there is still considerable potential for HIPAA Rules to be breached using Skype for Business. Since there are many secure text messaging options available to covered entities, including platforms that have been built specifically for use in the healthcare sector, those may prove to be a better option.