Is Skype HIPAA Compliant?

As of January 2022, Skype does not inherently meet the requirements for full HIPAA compliance. HIPAA mandates strict privacy and security standards for protected health information (PHI) in healthcare environments. Skype lacks certain security features and formalized business associate agreements necessary for ensuring the confidentiality, integrity, and availability of PHI. Microsoft has made efforts to enhance the security of its communication platforms, such as Microsoft Teams, to align with healthcare industry standards, but healthcare professionals and organizations must independently verify the current status of Skype’s HIPAA compliance. Organizations must ensure that the communication tools they choose align with the specific regulatory requirements and standards applicable to the healthcare sector.

HIPAA sets strict standards to safeguard the privacy and security of PHI within the healthcare sector. Compliance with HIPAA is important to ensure the confidentiality, integrity, and availability of sensitive patient information. As healthcare professionals increasingly turn to technology for communication, it becomes necessary to assess the suitability of platforms like Skype for handling PHI in a secure and compliant manner. As of January 2022, Skype has not been expressly designed to fulfill the requirements of HIPAA. The platform lacks certain features necessary to meet the strict security standards mandated by HIPAA. These features include end-to-end encryption, audit controls, and formalized business associate agreements (BAAs), which are necessary components for securely managing PHI and avoiding HIPAA violations.

End-to-end encryption is a fundamental requirement for securing communication channels that carry PHI. This cryptographic technique ensures that only the intended recipient can decipher the information, preventing unauthorized access during transmission. Skype does not provide end-to-end encryption, which is a potential weakness in the context of HIPAA compliance.

HIPAA necessitates robust audit controls, enabling organizations to monitor and record access to PHI. The absence of such controls in Skype limits the ability of covered entities to track and document user activities, impeding their ability to demonstrate compliance with HIPAA’s auditing requirements.

An important aspect of HIPAA compliance involves the establishment of business associate agreements (BAAs) between covered entities and their service providers. A BAA is a legally binding document that outlines the responsibilities and obligations of each party concerning the protection of PHI. Skype, as a communication platform, lacks a pre-established BAA with its users, which is a notable shortfall in meeting the regulatory demands of HIPAA.

Recognizing the evolving landscape of digital communication in healthcare, Microsoft has introduced Microsoft Teams, a collaboration platform designed with enhanced security features and HIPAA compliance in mind. Microsoft Teams incorporates end-to-end encryption, robust audit controls, and the provision for formalized business associate agreements, making it a more suitable choice for healthcare professionals seeking HIPAA-compliant communication solutions.

In contrast to Skype, Microsoft Teams has implemented end-to-end encryption for one-on-one calls, providing an additional layer of security for sensitive conversations. This encryption ensures that the content of the communication remains confidential and inaccessible to unauthorized parties throughout the transmission process.

Microsoft Teams also offers in-depth audit controls, allowing healthcare organizations to monitor and record user activities within the platform. These controls facilitate the tracking of access to PHI, ensuring compliance with HIPAA’s strict auditing requirements.

Microsoft has also demonstrated its commitment to HIPAA compliance by providing business associate agreements for eligible customers using Microsoft Teams. These agreements establish a legal framework for the secure handling of PHI, outlining the responsibilities of both Microsoft and the healthcare organization in safeguarding sensitive information.

Healthcare professionals must remain vigilant and stay aware of updates in technology and regulatory landscapes. While Skype may have limitations in achieving HIPAA compliance, Microsoft Teams represents a more robust and secure alternative for healthcare communication, aligning more closely with the regulatory requirements governing PHI.

As of January 2022, Skype does not inherently meet the requirements of HIPAA due to the absence of important security features and formalized business associate agreements. Healthcare professionals are encouraged to explore more secure alternatives, such as Microsoft Teams, which has been designed with enhanced security measures to ensure HIPAA compliance in the digital communication landscape. It is advisable to verify the latest information and updates from Microsoft or relevant authorities to ensure continued adherence to regulatory standards.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone