Skype and other text messaging platforms are a useful way of broadcasting information, but there are some questions to be answered in relation to HIPAA compliance of the service.
There has recently been a lot of discussions and debate regarding this. There are security measure implemented by Skype to prevent unauthorized access of information transmitted via the platform and messages are encrypted. However it might still be unclear if Skype actually satisfies all requirements of HIPAA Rules. Here we will attempt to address this with some clarity.
Can Skype be deemed a Business Associate under HIPAA?
Can Skype be deemed a Business Associate under HIPAA? Skype could be thought of as an exception under the Conduit Rule – being merely a conduit through which information is broadcast. In this scenario, a business associate agreement would not be required.
However, a business associate agreement is required if a vendor creates, receives, maintains or transmits PHI on behalf of a HIPAA-covered body or one of its business associates. Skype does not create PHI, but it does ‘receive’ and broadcast PHI. Even so, messages are encrypted and are not accessed by Microsoft. But does Microsoft have the ability to access the contents of messages and doe Microsoft comply with law enforcement requests and will supply information to law enforcement?
Microsoft will only disclose information when required by law, if a subpoena or court order is issued for example. In order for this to happen, data must first be decrypted. It is unclear whether providing details to law enforcement, and being able to decrypt messages, would mean Skype would adhere with the requirements of the conduit exception.
Skype, as a service is not a common carrier, instead it is deemed as software-as-service. While this has been argued, it is our belief that Skype is classed as a business associate and a business associate agreement is necessary.
Microsoft will complete a HIPAA-compliant business associate agreement with covered organizations for Office 365 and Skype for Business MAY be taken into account in that agreement. If a business associate agreement has been received from Microsoft, covered organizations must check it carefully to make sure if it does include Skype for Business. Microsoft has previously outlined that not all BAAs are the same.
HIPAA Compliance and Skype: Encryption, Access, and Audit Control Measures
HIPAA does not demand the obligatory use of encryption for ePHI, although encryption must be reviewed as a possibility. If encryption is not implemented, an alternative, equivalent security measure must be adapted in its stead. In the case of Skype, messages are encrypted using AES 256-bit encryption; therefore, this aspect of HIPAA compliance is adhered to.
However, Skype does not necessarily include proper measures for backing up of messages (and ePHI) broadcast via the platform, and neither does it maintain a HIPAA-compliant audit trail. Skype for Business can be configured to be HIPAA compliant, if the Enterprise E3 or E5 package is bought. This includes the ability to create an archive that stores all communications. Other versions would not adhere with HIPAA Rules.
Conclusion: Is Skype HIPAA Compliant?
Can we conclude that Skype is HIPAA compliant? No. Is Skype for Business HIPAA compliant? It may be, if the Enterprise E3 or E5 package is bought. In the case of the latter, it is down to the covered organization to ensure Skype is HIPAA compliant. That means a business associate agreement must be received from Microsoft before using Skype for Business to broadcast any ePHI. Skype must also be implemented carefully. In order to be HIPAA compliant Skype must keep an audit trail and all messages must be backed up securely and all communications saved.
Access controls must also be put in place on all devices that use Skype to stop unauthorized disclosures of ePHI. Controls must also be set to stop any ePHI from being sent outside the group. Covered bodies must also receive satisfactory assurances that in the event of a breach, they will be alerted by Microsoft.
Even with a BAA and the correct Skype package, there is still considerable potential for HIPAA Rules to be breached using Skype for Business. Since there are many secure text messaging options available to covered organizations, including platforms that have been built specifically for use by the healthcare sector, they may prove to be a better choice. With those messaging platforms, HIPAA compliance is simpler and it is far harder to violate HIPAA Rules in error.