Is Skype HIPAA Compliant?


Text messaging platforms such as Skype are an efficient way of quickly sending information, but does Skype comply with HIPAA? Can Skype be used to transmit text messages containing electronic protected health information (ePHI) without risking a breach of HIPAA Rules?

There is, at present, some debate about Skype and HIPAA compliance. Skype includes security features to prevent unauthorized access to information transmitted via the platform, and messages are encrypted. But does Skype meet all stipulations of the HIPAA Rules?

This article addresses the question: is Skype HIPAA compliant?

Can Skype be deemed a HIPAA Business Associate?

Is Skype a HIPAA business associate? That is a matter that has been much discussed. Skype could be thought of as falling under the Conduit Rule exception, being merely a conduit through which information passes. If that is the case, a business associate agreement would not be necessary.

However, a business associate agreement is necessary if a vendor creates, receives, maintains, or transmits PHI for a HIPAA-covered entity or one of its business associates. Skype does not create PHI, but it does receive and transmit PHI. That said, messages are encrypted and are not accessed by Microsoft. But can Microsoft access the contents of messages? Does Microsoft hold a key that can undo the encryption?

Microsoft does comply with law enforcement requests and will provide information to law enforcement. Information is only shared when required by law, for instance when a subpoena or court order is issued.

For that to occur, data must first be decrypted. It is unclear whether supplying information to law enforcement, and decrypting messages to do so, would still allow Skype to meet the requirements of the conduit exception. Skype is also not a typical carrier; it is software-as-a-service. While this has been debated, it is our opinion that Skype is classed as a business associate and that a business associate agreement is required.

Microsoft will sign a HIPAA-compliant business associate agreement with covered entities for Office 365, and Skype for Business MAY be included in that agreement. If a business associate agreement has been obtained from Microsoft, HIPAA-covered entities must check it carefully to confirm whether it covers Skype for Business. Microsoft has previously remarked that not all BAAs are identical.

HIPAA Compliance and Skype: Encryption, Access, and Audit Controls

HIPAA does not mandate the use of encryption for ePHI, although encryption must be considered. If encryption is not used, an equivalent alternative safeguard must be implemented in its place. With Skype, messages are encrypted using AES 256-bit encryption; therefore, this aspect of HIPAA compliance is met.

However, Skype does not necessarily include adequate controls for backing up messages (and ePHI) sent via the platform, nor does it keep a HIPAA-compliant audit trail. Skype for Business can be made HIPAA compliant if the Enterprise E3 or E5 package is purchased. These packages include the ability to establish an archive that stores all communications. Other versions would not be in line with HIPAA Rules.

So, can Skype be deemed HIPAA Compliant?

So, can Skype be deemed HIPAA compliant? No. Can Skype for Business be deemed HIPAA compliant? Possibly, if the Enterprise E3 or E5 package is purchased, but it is down to the covered entity to ensure Skype is HIPAA compliant. That means a business associate agreement must be obtained from Microsoft prior to using Skype for Business to share any ePHI. Skype must also be configured properly. In order to be HIPAA compliant, Skype must keep an audit trail, all messages must be backed up securely, and all communications must be recorded.

Access controls must also be put in place on all devices that use Skype to prevent unauthorized disclosures of ePHI. Security controls must also be set to stop any ePHI from being transmitted outside the organization. Covered entities must also receive satisfactory assurances that, in the event of a breach, they will be alerted by Microsoft.

Even with a BAA and the proper package, there is still considerable potential for HIPAA Rules to be breached using Skype for Business. Since there are many secure text messaging options available to covered entities, including platforms that have been built specifically for use by the healthcare sector, those may prove to be a better option. With such platforms, HIPAA compliance is made much easier and it is far harder to mistakenly violate HIPAA Rules and Regulations.