Breaking Down Compliance Concerns for Healthcare Providers Using Skype
Every day, we work alongside a variety of healthcare providers to ensure HIPAA data compliance standards are implemented correctly. As technology-for-business continues to evolve, instant messaging platforms – like the one provided in Skype – offer a convenient way of quickly communicating information between team members or departments.
However, we’ve been getting this question a lot lately: is Skype HIPAA compliant? More specifically, can Skype be used to send electronic protected health information (ePHI) without violating HIPAA mandates? Very simply, should healthcare providers be using Skype when it comes to the transmission of sensitive patient health data?
The debate is still out on Skype and HIPAA compliance. Skype does include built-in security features to prevent unauthorized access of transmitted data, and all Skype messages are encrypted. However, built-in security tools don’t necessarily mean total HIPAA compliance. When it comes down to it, the way healthcare organizations implement and use Skype is what makes the difference when it comes to compliance.
First Things First: Is Skype Considered a Business Associate under HIPAA?
Under HIPAA, business associates are defined as any organizations or people working in association with or providing services to a covered entity who handles or discloses Personal Health Information (PHI) or Personal Health Records (PHR).
So, does Skype count? Again, this is a topic that is continually up for debate. Technically, Skype could be considered an exception to the business associate mandate, under the HIPAA Conduit Rule. The Conduit Rule stipulates that any conduit through which information flows does not require an explicit business associate agreement.
However, don’t get too excited. A business associate agreement is necessary if a vendor creates, receives or transmits patient data on behalf of a HIPAA-covered entity or one of its business associates. While Skype definitely doesn’t create personal health information, it can be used to receive and transmit it. However, it should be reaffirmed that Skype messages are encrypted – both in transit and at rest – and Microsoft doesn’t access these messages unless there is a legal subpoena to do so.
In the case of subpoenaed information, data must first be decrypted. Therefore, it becomes unclear that whether providing information to law enforcement and being able to decrypt messages, would mean Skype would no longer satisfy the Conduit Rule. Furthermore, Skype is a software-as-a-service as opposed to a common carrier.
There’s no doubt that all the legal jargon is enough to leave your head spinning. That’s why, we urge clients and other businesses to air on the side of caution and consider a Skype business associate, requiring a business associate agreement. Better safe than sorry.
When it comes to drafting a business associate agreement, Microsoft generally will sign a HIPAA compliance associate agreement for a providers entire Office 365 subscription. Additionally, Skype for Business may be included in that overreaching agreement.
However, in order to ensure compliance, make sure you look over your business associate agreement with Microsoft to make sure that Skype for Business is included and covered. Microsoft has recently explained that not all business associate agreements are the same – so play on the safe side and get specific.
Skype and HIPAA Compliance: Encryption, Access, and Audit Controls
While HIPAA doesn’t insist that ePHI is encrypted, they do outline encryption as a mandatory consideration. Basically, if a covered entity decides not to use encryption, they must outline and implement an equivalent safeguard instead. When it comes to Skype, all messages are encrypted using AES 256-bit encryption; therefore, this aspect of HIPAA compliance is taken care of.
However, the problem lies in administrative controls for back-up and auditing. Skype doesn’t automatically include appropriate controls for communications back up, nor does it maintain a compliant audit-trail, as mandated by HIPAA standards. Without these features, Skype simply isn’t HIPAA compliant. However, there may be a workaround if healthcare organizations are implementing Skype for Business instead of the basic app.
The Final Verdict: Is Skype HIPAA Compliant or Not?
So, lets cut to the chase: is Skype HIPAA compliant or not? The short answer is no. As a standalone application, the basic Skype platform does not comply with HIPAA compliance regulations. So, for healthcare organizations who rely on Skype – let this be your warning to never send ePHI via Skype instant messaging. However, for organizations using Skype for Business – like many of our clients – the platform can be made to better support HIPAA compliance – but only if it is implemented correctly.
If the Enterprise E3 or E5 Skype For Business packages are purchased, the application can be configured to better support HIPAA mandates. However, it’s up to your organization to ensure that compliance standards are met. This means that you must actively set up a business associate agreement with Microsoft, before using the Skype for Business app to transmit any kind of ePHI. Furthermore, the application must be configured carefully. In order to be fully HIPAA compliant, Skype for Business must maintain an audit trail and all transmitted communication must be saved and backed up securely.
Additionally, access controls must also be applied to all devices that use Skype for Business to prevent any and all unauthorized disclosures of ePHI. Controls must also be configured to prevent any sensitive information from being sent outside the organization. Finally, healthcare organizations must also implement agreements that insist Microsoft will notify them immediately in the event of a breach.
But, let’s not get ahead of ourselves…
Unfortunately, it must be noted that even with a business associate agreement and the correct application package, there is still significant potential for HIPAA compliance to be violated when using Skype for Business. The short answer is, when it comes to Skype for Business, it’s hard to be entirely confident that all HIPAA regulations are upheld.
However, healthcare companies need not panic or dig out the post-it notes. There are many secure instant messaging platforms available to healthcare providers, designed specifically for use by the healthcare industry, with built-in compliance features. As much as we love Skype for Business, when it comes to the healthcare field, these alternatives may prove to be the better choice. With these solutions, HIPAA compliance strategies are built-in and straightforward, making it much more difficult to accidentally violate HIPAA mandates.
Before long, Microsoft will probably catch-up and implement protocols that better support HIPAA compliance when using Skype for Business. Until then, make sure any instant messaging on the Skype for Business platform doesn’t include sensitive patient data. In the meantime, it may be useful to seek out other, more compliance-friendly platforms to ensure lines of communication and data-sharing channels are as efficient as possible.
We have extensive experience working with healthcare organizations like yours, so we know just how critical HIPAA compliance is. Configuring IT and software platforms to support HIPAA compliance mandates is the number one security priority for healthcare providers across the country. Keeping patient data secure and maintaining compliance can feel like a full-time job.
If you’re looking for ways to ensure all your business devices and applications are HIPAA compliant, don’t get caught up in guesswork. Reach out to our team of compliance experts anytime. When it comes to protecting sensitive patient data and avoiding hefty fines, checking in with seasoned professionals is more than worth it.
Author: Aaron White, Date: 30th November 2017