Is Skype HIPAA Compliant?

Skype and similar messaging platforms are useful tools to rapidly share information, but is Skype compliant with HIPAA regulations? Would sending protected health information (PHI) via Skype as part of an electronic text message violate HIPAA rules?

Currently, the topic of whether Skype is HIPAA compliant is up for debate. While messages are encrypted and a number of security protocols exist to safeguard access to any information sent through Skype, are all necessary HIPAA requirements met by these features?
Here we will try to put forth an answer to whether Skype is HIPAA compliant or not.

Does Skype Count as a Business Associate?

Could we say that Skype is a business associate? This has been subject to a great deal of discussion. There may be a case for considering Skype as an exception under the Conduit Rule as it is just a channel which is used to pass on information. While Skype does not create PHI, PHI is “received” and transmitted by Skype – even if messages are encrypted and not accessed by Microsoft. Could Microsoft access the content of the messages if they tried, or do they have a back door or bypass for the encryption?
Microsoft have been known to supply information to law enforcement and to comply with their requests when required to by law or the courts, for example following a subpoena or court order.

In order to do so, a way to decrypt the data must exist. This ability to decrypt the data and provide information to law enforcement may mean that Skype does not meet the requirements of the conduit exception. Skype is also categorized as a Software-as-a-Service and is not considered to be a common carrier. While not all parties are in agreement, our opinion is that Skype should be classed as a business associate and that a business associate agreement (BAA) would be required.

HIPAA compliant BAAs between Microsoft and covered entities do exist to cover the use of Office 365. It is possible that Skype for Business is included in these agreements. If covered entities already have BAAs with Microsoft, they should check carefully to ensure that Skype for Business is included in the agreement. According to Microsoft, not all BAAs are the same.

HIPAA Compliance and Skype: Encryption, Access, and Audit Controls

The use of encryption for ePHI is not a specific requirement under HIPAA, but it must be considered. If information is not encrypted, an equivalent method of protecting the data must be used instead. Skype messages are encrypted using AES 256-bit encryption; Skype is therefore compliant with this particular aspect of HIPAA regulations.

However, appropriate controls necessary for backing up messages (and ePHI) that have been sent over Skype may not be included, and there is no HIPAA-compliant audit trail recorded. It is possible for Skype for Business to be brought up to the necessary standard to be HIPAA compliant if the Enterprise E3 or E5 packages are purchased. Both of these versions include a feature to archive and store all communications. Other iterations of Skype would not meet HIPAA requirements.

Is Skype HIPAA Compliant?

After all of this, is Skype HIPAA compliant? In short, no, but Skype for Business can be made HIPAA compliant if the E3 or E5 packages are used. In the case of these versions, it is the responsibility of the covered entity to guarantee compliance. This means the covered entity must have a BAA signed by Microsoft before sending any ePHI using Skype for Business. To be fully HIPAA compliant, the Skype version must also be correctly configured to record an audit of all messages and to create a secure backup of all communications.

All devices using Skype for Business must be protected by access controls to prevent unauthorized disclosures of ePHI. These controls should also prevent any ePHI from being sent outside the organization. Microsoft must provide satisfactory assurances that covered entities will be notified should any security breach occur.

The use of Skype for Business still carries a risk of HIPAA violation, even when using the correct version and with a BAA in place. A plethora of secure messaging tools are available and some of these have been designed specifically for use by covered entities in the healthcare arena. Created with HIPAA compliance in mind, they might be a better choice as they make it much easier to follow the rules, and much more difficult for any accidental HIPAA violations to occur.