HIPAA Compliance & Skype
There is currently some discussion regarding Skype and HIPAA compliance. Skype incorporates security features to prevent unauthorized access of information transmitted via the platform and messages are encrypted. But does Skype meet all requirements of HIPAA Rules?
Is Skype Classed as a Business Associate?
Is Skype a HIPAA business associate? That is a matter that has been widely discussed. Skype could be thought of as an exception under the Conduit Rule – being merely a medium through which information flows. If that is true, a business associate agreement would not be required.
However, a business associate agreement is required if a vendor creates, receives, maintains, or transmits PHI on behalf of a HIPAA-covered entity or one of its business associates. Skype does not create PHI, but it does ‘receive’ and transmit PHI. Even so, messages are encrypted and, according to Microsoft, are not accessed by Microsoft. But can Microsoft see the contents of messages? Does Microsoft hold a key that can remove the encryption?
Microsoft does comply with law enforcement requests and will hand over information to law enforcement. Information is only disclosed when it is legally required, for instance when a subpoena or court order is issued.
For that to occur, data must first be decrypted. It is not clear whether Skype can still meet the requirements of the conduit exception if Microsoft is able to decrypt messages and hand information to law enforcement. Skype is also not classed as a common carrier; it is software-as-a-service. While this has been argued, it is our belief that Skype is classed as a business associate and that a business associate agreement is needed.
Microsoft will complete a HIPAA-compliant business associate agreement with covered entities for Office 365, and Skype for Business MAY be incorporated in that agreement. If a business associate agreement has been received from Microsoft, covered entities must review it carefully to confirm that it does include Skype for Business. Microsoft has previously explained that not all BAAs are identical.
Encryption, Access, and Audit Controls in Relation to Skype and HIPAA Compliance
HIPAA does not demand the use of encryption for ePHI, although encryption must be considered as an option. If encryption is not implemented, an alternative, equivalent safeguard must be used in its place. In the case of Skype, messages are encrypted using AES 256-bit encryption; therefore, this aspect of HIPAA compliance is met.
However, Skype does not necessarily include proper controls for backing up messages (and the ePHI they contain) sent using the platform, and neither does it keep a HIPAA-compliant audit trail. Skype for Business can be made HIPAA compliant if the Enterprise E3 or E5 package is bought. These packages include the ability to set up an archive that stores all communications. Other versions would not be in line with HIPAA Rules.
Can Skype be deemed HIPAA Compliant?
So, can Skype be deemed HIPAA compliant? No. Can Skype for Business be deemed HIPAA compliant? Possibly, if the Enterprise E3 or E5 package is bought. In the case of the latter, it is down to the covered entity to ensure Skype is HIPAA compliant. That means a business associate agreement must be received from Microsoft before Skype for Business is used to share any ePHI. Skype must also be set up carefully. In order to be HIPAA compliant, Skype must keep an audit trail, all messages must be backed up securely, and all communications must be recorded.
Access controls must also be put in place on all devices that use Skype to prevent unauthorized disclosures of ePHI. Controls must also be configured to block any ePHI from being sent outside the organization. Covered entities must also receive satisfactory assurances that, in the event of a breach, they will be notified by Microsoft.
Even with a BAA and the correct subscription, there is still considerable potential for HIPAA Rules to be breached using Skype for Business. Since there are many secure text messaging options available to covered entities, including platforms built specifically for use by the healthcare sector, those may prove to be a better option. With such services, HIPAA compliance is made much easier and it is far harder to accidentally breach HIPAA Rules.