The convenience and ubiquity of Skype has led to many people asking themselves whether Skype could be used to transmit or share Protected Health Information (PHI) and whether Skype is compliant with the Health Insurance Portability and Accountability Act, commonly known as HIPAA.
The question of whether Skype can be used in compliance with HIPAA is generating some debate. There are a number of safeguards and protections integrated into Skype such as the need to sign in and the use of encryption when transmitting information. However, many are unsure as to whether these measures are sufficient to satisfy HIPAA rules, as well as if there are other areas where Skype does not have anything resembling or approaching the necessary security features.
Should Skype be considered a Business Associate?
Skype could potentially be considered as a Business Associate, but there are others who argue that Skype would be exempt from this status and should instead be considered under the Conduit Rule. The Conduit Rule applies to entities or to services that act merely as a conduit to information, for example a land line telephone provider or the United States Postal Service. Business Associates, on the other hand, either create, receive, maintain, or transmit PHI on behalf of a covered entity.
The crux of the Business Associate/Conduit argument in relation to Skype is in relation to whether they can be said to have access to the information. It is accepted that Skype does not create PHI. They do, however, receive and transmit it. This is complicated by the fact that, though they receive and transmit PHI, they may not actually have access to it since the information is encrypted and not normally accessed by Microsoft. It is important to note “not normally accessed” as Microsoft has decrypted some information to comply with requests from law enforcement. Whether this ability to decrypt renders their non-access moot and disqualifies them from the Conduit exception is unclear.
The advice of this article would be to consider Skype as a Business Associate. Therefore, a business associate agreement covering Skype would be required before using Skype to transmit or share any PHI. Microsoft regularly enters into business associate agreements to cover its Office 365 software suite but this does not automatically cover Skype. Indeed, the free version of Skype does not appear to be covered at all, and only Skype for Business may be eligible to be included in a business associate agreement. As agreements with Microsoft appear to be different in different cases, any agreement should be carefully checked to ensure Skype for Business is covered.
For a service to be HIPAA compliant, it must have appropriate safeguards in place to protect the data in transit as well as measures to maintain the confidentiality, integrity, and traceability of the information. Both Skype and Skype for Business are encrypted and require sign in procedures. However, only certain editions of Skype for Business offers the option to create and store a HIPAA complaint audit trail.
Is Skype HIPAA Compliant?
Overall, we must say that no, Skype is not HIPAA compliant. Some versions of Skype for Business can be made HIPAA compliant if the correct settings are implemented and tracked. It is the responsibility of the covered entity to ensure software is correctly configured. An appropriate business associate agreement must also be in place prior to using the tool. Access control, audit functions, and other elements are equally required.
It is our opinion that a specialised HIPAA-compliant secure messaging tool be assessed as these may pose less risk of accidental PHI disclosures and are built with HIPAA compliance as a goal.