Messaging platforms such as Skype are an efficient way of communicating between individuals and groups, but healthcare organizations may only discuss information relating to patients on communications platforms that are HIPAA compliant. In this post we explore whether Skype is HIPAA compliant and whether it can be used by healthcare organizations to communicate electronic protected health information (ePHI) without violating HIPAA Rules.
Is Microsoft a HIPAA Business Associate?
With respect to Skype, is Microsoft – the provider of the platform – a business associate? Skype could be thought of as an exception under the HIPAA Conduit Rule in the sense that it is merely a conduit through which information passes. If that were the case, a business associate agreement would not be necessary. However, OCR has issued guidance that confirms the HIPAA conduit rule does not typically apply to software-as-a-service providers, and that they are considered business associates under HIPAA. A business associate agreement is therefore required before Skype can be used to communicate ePHI.
Microsoft will sign a HIPAA-compliant business associate agreement with covered entities for Office 365, and Skype for Business may be included in that agreement. If a business associate agreement has been obtained from Microsoft, HIPAA covered entities must check it carefully to ensure it incorporates Skype for Business. Microsoft has previously stated that not all BAAs are identical.
HIPAA Compliance and Skype: Encryption, Access, and Audit Controls
HIPAA does not demand the use of encryption for ePHI. Encryption is an addressable implementation specification of the HIPAA Security Rule: if encryption is not used, an alternative, equivalent safeguard must be implemented instead, and the decision documented. With Skype, messages are encrypted using AES 256-bit encryption; therefore, this aspect of HIPAA compliance is satisfied.
However, Skype does not necessarily back up messages (and the ePHI they contain) sent via the platform, and neither does it keep a HIPAA-compliant audit trail by default. Furthermore, the Skype platform has to be configured to automatically log users out of the system after a period of inactivity. Skype for Business can be made HIPAA compliant if the Enterprise E3 or E5 package is bought. These packages include the ability to establish an archive that stores all communications, which is necessary for HIPAA compliance.
Can Skype be deemed a HIPAA Compliant Communications Platform?
Can Skype be deemed HIPAA compliant? If the Enterprise E3 or E5 package is purchased and a business associate agreement is signed with Microsoft that covers the use of Skype for Business, Skype can be made HIPAA compliant.
All employees who use Skype must be made aware of how the platform can be used and their responsibilities under HIPAA. The platform must be configured to maintain an audit trail, security settings must be appropriately configured, individual logins should be created for each user, and backups must be created and maintained.
Even with a BAA and the proper package, there is still potential for HIPAA Rules to be breached using Skype for Business. Since there are many secure text messaging options available to covered entities that have been purposely built for the healthcare sector and designed to meet HIPAA requirements, they may prove to be a better option. With those platforms, HIPAA compliance is made much easier and it is far harder to mistakenly violate HIPAA Rules and Regulations.