Is Skype HIPAA compliant?

Skype can be used for electronic protected health information (ePHI) in a HIPAA-compliant manner only when the product in use is Skype for Business, that product is covered by a Microsoft Business Associate Agreement (BAA) under a qualifying Microsoft 365 or Office 365 business plan, and the service is configured to meet the HIPAA Security Rule requirements for access control, message retention, and auditing. Consumer Skype is not HIPAA compliant for those purposes.

A Business Associate Agreement is required whenever a vendor creates, receives, maintains, or transmits ePHI on behalf of a HIPAA covered entity or business associate. Skype handles ePHI whenever messages or calls contain it, and because the service stores message content rather than merely passing it through, it is treated as a business associate service and not as a transmission-only conduit under the conduit exception. Microsoft offers a HIPAA BAA for qualifying Microsoft 365 and Office 365 business plans, and Skype for Business may be one of the services it covers, so the agreement must be reviewed to confirm that Skype for Business is within scope before any ePHI is communicated through it.

Encryption alone does not satisfy the HIPAA Security Rule. Skype messages are described as encrypted with 256-bit AES, which addresses the transmission security standard, but compliance also depends on backup, retention, and audit controls. Skype does not necessarily provide controls for backing up messages and does not maintain a HIPAA-compliant audit trail by default. Skype for Business can be configured to meet these requirements under the Enterprise E3 or E5 plans, which include an archive that retains communications; other plans do not satisfy these requirements without an additional Microsoft compliance subscription.

Operational compliance also depends on how the covered entity applies its own safeguards and workforce controls. Devices used to access Skype for Business need access controls that prevent unauthorized disclosure of ePHI, and controls are needed to stop ePHI from being sent outside the organization impermissibly. Workforce members must be trained on using the service without impermissible disclosures, and the covered entity must obtain satisfactory assurances from Microsoft that it will provide breach notification when required.

Even with a qualifying plan and a BAA in place, the compliance outcome depends on configuration and governance by the covered entity or business associate: enabling automatic logoff, retaining communications securely, and keeping audit capability enabled. Organizations evaluating Skype should treat consumer Skype as noncompliant for ePHI and Skype for Business as conditionally compliant, subject to the correct Microsoft licensing, confirmed BAA coverage, and a documented security configuration.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]