Skype is increasingly used by businesses as a quick and cost-effective form of communication. However, the question remains whether healthcare professionals can use Skype to send text messages containing electronic protected health information (ePHI) without risking a violation of HIPAA Rules.
There is some ambiguity surrounding Skype and HIPAA compliance. Skype includes security features designed to prevent unauthorized access to information transmitted via the platform, and messages sent through the platform are encrypted. However, despite these features, the use of Skype may not always be HIPAA compliant.
Skype as a Business Associate
Whether Skype is counted as a business associate is unclear. Skype could be considered an exception under the Conduit Rule, as Skype is just a channel through which information flows. If this were simply the case, a business associate agreement would not be necessary.
If a vendor creates, receives, maintains, or transmits PHI on behalf of a HIPAA-covered entity or one of its business associates, then a full business associate agreement is needed. Skype does not create PHI, but it does ‘receive’ and transmit PHI on behalf of HIPAA CEs. However, the messages are encrypted and are not accessed by Microsoft (Skype’s parent company). If Microsoft can decrypt the messages and access the information, then it must be considered a business associate.
Microsoft complies with law enforcement requests and will supply information to law enforcement. Information is only disclosed when Microsoft is required to do so by law, for example if a subpoena or court order is issued. For Microsoft to do this, data must first be decrypted. It is unclear whether providing information to law enforcement, and being able to decrypt messages, would mean Skype would satisfy the requirements of the conduit exception. Skype is not a common carrier; it is software-as-a-service. There is no consensus on the matter, but it is our opinion that Skype is classed as a business associate and that a business associate agreement is required.
Microsoft will sign a HIPAA-compliant business associate agreement with covered entities for Office 365, and Skype for Business may be included in that agreement. If a business associate agreement has been obtained from Microsoft, covered entities must check it carefully to make sure it does include Skype for Business. Microsoft has previously explained that not all BAAs are the same.
Skype’s Encryption, Access, and Audit Controls
HIPAA does not demand the use of encryption for ePHI, although encryption must be considered by all CEs. If encryption is not used, an alternative, equivalent safeguard must be implemented in its place to comply with HIPAA. In the case of Skype, messages are encrypted using AES 256-bit encryption; therefore, this aspect of HIPAA compliance is satisfied.
However, Skype does not necessarily include appropriate controls for backing up messages (and ePHI) communicated via the platform, nor does it maintain a HIPAA-compliant audit trail. Skype for Business can be made HIPAA compliant if the Enterprise E3 or E5 package is purchased. These packages include the ability to create an archive that stores all communications. Other versions would not satisfy HIPAA Rules.
In conclusion, it is possible for Skype to be used in a manner which is compliant with HIPAA. This is most easily done if the Enterprise E3 or E5 package is purchased. In the case of the latter, it is down to the covered entity to ensure Skype is HIPAA compliant. That means a business associate agreement must be obtained from Microsoft prior to using Skype for Business to send any ePHI. Skype must also be configured carefully by the CEs and their business associates to ensure that HIPAA is not accidentally violated.
To be fully HIPAA compliant, Skype must maintain an audit trail, all messages must be backed up securely, and all communications must be saved. Access controls must also be applied on all devices that use Skype to prevent unauthorized disclosures of ePHI. Controls must also be set to prevent any ePHI from being sent outside the organization. Covered entities must also receive satisfactory assurances that, in the event of a breach, they will be notified by Microsoft.
Even with a BAA and the correct package, there is still considerable potential for HIPAA Rules to be violated using Skype for Business. Many secure text messaging options are available to covered entities, including platforms that have been built specifically for use by the healthcare industry, and these may prove to be a better choice. With those platforms, HIPAA compliance is made much more straightforward and it is far harder to accidentally violate HIPAA Rules.