Is Skype HIPAA Compliant? If not, what is?

Revision 2016:  Since the article was published, Microsoft has started offering a Business Associate Agreement (BAA) for Office 365 Online of which Skype is a part.  While online documentation is very unclear, Microsoft has indicated that Skype is covered under this BAA and thus use of Skype can be “HIPAA compliant” as long as you have “Skype for Business” and the signed BAA with Microsoft.

However, Skype lacks many controls and features that an organization actually needs in order to be compliant, such as access auditing, backups, and breach reporting. This makes it unclear what the practical value of its being “covered” under Microsoft’s BAA really is. Microsoft is essentially leaving it up to the Skype user to determine whether the use of Skype is appropriate, without taking any steps to ensure that use of Skype really could be compliant. Additionally, even though Skype for Business is covered under Microsoft’s BAA, the regular, free Skype used by most people is not covered. So, for example, a therapist should under no circumstances hold a session with a patient who is using the regular free Skype program.

Original Article Content:

In conjunction with their use of LuxSci HIPAA-compliant email and web hosting services, many small health care practices often ask us about use of Skype and other video conferencing software for communicating with patients over the Internet.

Is it possible to be HIPAA compliant while using Skype for sending PHI via chat, voice, and/or video?  Why?  Everyone else is doing it … shouldn’t I thus be able to as well?

The short answer is “no – don’t use Skype” and “there are other options available that offer this capability and allow you to be HIPAA compliant in the process.”  For the long answer, read on.

Some background on Skype itself

When considering if Skype can be used in a HIPAA compliant manner, there are many relevant items to consider:

  1. Encryption: Skype uses AES 256-bit encryption for securing chat sessions and voice and video calls.  This level of encryption is more than sufficient for protecting ePHI in transit.
  2. Wire Tap: It is well known that many countries can “wire tap” Skype communications so that they can record calls, videos, and chats.  Changes that Microsoft has made to Skype make it easier for them to wire tap communications, both in general and domestically.  It is also well known that the NSA can wire tap Skype video calls.
  3. Business Associate Agreement: Skype (Microsoft) does not offer a BAA; however, such an agreement with any provider that handles your ePHI is a requirement of HIPAA.  Skype also does not state anywhere that its services can be used in a HIPAA compliant way.
  4. HIPAA Requirements: Use of Skype does not:
    1. Provide audit trails of usage
    2. Provide notifications in case of a breach
    3. Offer technical support; in addition, frequently dropped calls may cause problems for some organizations (e.g. in terms of emergency access)
    4. Provide archives of chats
    5. Provide administrative emergency access to previous chat histories

So, what does this mean?

These items taken together mean that:

  • While Skype uses a strong level of encryption, the privacy of data sent via Skype is suspect
  • Copies of calls, chats, and videos could be stored in unknown locations as a result of wire taps or other undisclosed recording by Skype, Microsoft, or government officials
  • Skype does not claim any kind of HIPAA compliance, will not sign the required Business Associate Agreement, and does not provide the tools (e.g. auditing) that would let you use Skype in a way that meets your own HIPAA compliance requirements

Skype does argue that it does not need to be a vehicle that enables compliance … just like your cell phone provider and the postal mail service are not.  In fact, Skype provides better security than those other methods of transmitting PHI.

The problem is that this argument doesn’t really hold water very well:

  • Chat.  PHI in Skype chat is just like an email message being sent from one party to another, and it will be cached and/or recorded by Skype.  Use of Skype chat for ePHI should be strictly avoided.
  • Safeguards Principle.  When we looked at HIPAA compliance for FAX, we saw that encryption and compliance come down to the “Safeguards principle” of HIPAA: “Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.”

The Safeguards principle means that if you can reasonably apply measures to ensure privacy, you should absolutely do so.  With analog FAX, that is hard to do in a way that is generally compatible with everyone else.  Since use of FAX may be required and there may be no really feasible way to send them securely, you might choose not to — as long as you take all other reasonable measures to ensure privacy.  This is a risk-benefit analysis you must perform and on which you must make your compliance business decisions.

So, what about Secure Chat?

For a secure, HIPAA-compliant chat solution, you must look to a vendor that offers this service and provides a Business Associate Agreement.  Skype does not pass muster.  Regular text messages (SMS and MMS) certainly do not.

One good solution is SecureChat by LuxSci, as it is HIPAA-compliant, simple, has easy-to-use iOS and Android apps, works in a web browser, and stores all of your chats and attachments permanently and without storage limits.

With video conferencing, the situation is somewhat different:

  1. You are generally not required to use it
  2. There are companies other than Skype that provide video conferencing in a way that allows you to remain HIPAA compliant

Since it is relatively easy to choose a safeguard that allows you to be more fully compliant with HIPAA when video conferencing, it would be negligent to use Skype for this purpose instead.

It does come down to the individual organization weighing the risks.  If you choose to use Skype and accept the risk-benefit analysis, that is up to you, but you must be able to justify your decision in your internal HIPAA compliance reviews and be prepared to answer pointed questions from auditors, should the need arise.

What are the alternatives to Skype for Video Conferencing?

There are many organizations that offer video conferencing and that claim HIPAA compliance and/or offer Business Associate Agreements.  We recommend choosing one that does offer a Business Associate Agreement, as such a vendor is more likely to help you ensure your compliance, rather than merely being a company that “provides secure services”.

LuxSci’s SecureVideo is one option which provides a BAA and a service specifically designed to meet the HIPAA-compliance requirements for telehealth.
