Skype Text and messaging platforms like it are a very convenient way of quickly sending data; however, there is still some discussion around how HIPAA compliant Skype actually is.
The Skype service incorporates security measures to stop unauthorized access to information being sent using the platform, and messages are encrypted. However, it must be considered whether or not this means that Skype satisfies the requirements of the HIPAA Rules.
Can Skype be Designated as a Business Associate?
Skype could be thought of as an exception under the Conduit Rule in that it is only a conduit through which information is shared. If that is so, a business associate agreement would not be a requirement for compliance with HIPAA.
However, it should also be remembered that a business associate agreement is necessary if a vendor creates, receives, maintains, or shares PHI on behalf of a HIPAA-covered entity or a designated business associate of the vendor. Skype does not create PHI, but it does ‘receive’ and transmit PHI. Even so, messages are encrypted and Microsoft does not access them. What needs to be considered, however, is whether Microsoft has the ability to access the contents of messages, even if it chooses not to.
Microsoft does comply with law enforcement requests that it is sent and hands over information to law enforcement agencies when it is necessary to do so. Information is only shared when Microsoft is required to do so under legislation, for example if there is a current subpoena or court order in place.
Before data is shared, it must first be decrypted. It is unclear whether providing information to law enforcement, and having the ability to decrypt messages, would indicate that Skype is meeting the requirements of the conduit exception. Skype is also not a common carrier; it is classified as software-as-a-service. While this has been discussed, it is our opinion that Skype is clearly a business associate and a business associate agreement is necessary.
Microsoft is happy to complete a HIPAA-compliant business associate agreement with covered entities for Office 365, and Skype for Business is allowed to be included in that agreement. If a business associate agreement has been obtained from Microsoft, covered entities must review it carefully to see if it does include Skype for Business. Microsoft has previously said that not all BAAs are identical.
Skype and HIPAA Compliance: Security Controls
HIPAA does not require the use of encryption for ePHI, although encryption must be reviewed as a potential solution. If encryption is not deployed, a different, similar security safeguard must be used in its place. In the case of Skype, messages are encrypted using AES 256-bit encryption; therefore, this aspect of HIPAA compliance is in place.
However, Skype does not necessarily include all the required controls for backing up messages (and ePHI) communicated through the platform, and neither does it keep in place a HIPAA-compliant audit trail. It is possible for Skype for Business to be HIPAA compliant if the Enterprise E3 or E5 package is purchased. These products come with the ability to create an archive that manages and stores all communications. Other versions would not be compliant with HIPAA Rules.
What this means is that Skype for Business, as opposed to standard Skype, can be HIPAA compliant if the Enterprise E3 or E5 package is purchased. It is the responsibility of the covered entity to make sure that Skype is being used in a HIPAA compliant fashion. For this to be so, a business associate agreement must be obtained from Microsoft before a client begins to use Skype for Business for sharing ePHI. It is also pivotal that Skype is set up correctly. In order to be HIPAA compliant, Skype must maintain an audit trail, and all messages must be fully supported and backed up with full security in place so that all communications are saved.
Access controls must also be implemented on every device that Skype is used on to stop unauthorized disclosures of ePHI taking place. Controls must also be configured to stop any ePHI from being shared outside the organization. Covered entities must also be given adequate assurances that in the event of a breach, they will be made aware of it by Microsoft.
There is still huge potential for HIPAA Rules to be violated using Skype for Business even when a BAA has been completed and the correct package is active. Since there are many secure text messaging options on the market and available to covered entities, including platforms that have been designed specifically for use by the healthcare sector, they may prove to be a better option for certain organizations. With those platforms, HIPAA compliance is made much simpler and it is far harder to violate HIPAA Rules by mistake.