microsoft Archives - LuxSci

Posts Tagged ‘microsoft’

Is Microsoft Teams HIPAA-Compliant?

Tuesday, July 12th, 2022

Microsoft Teams is a unified communication platform with workplace chat, video conferencing, and file-sharing tools. It’s a popular program for internal workplace communications. However, healthcare organizations may wonder if they can use it while complying with HIPAA.

Microsoft Teams is designed to work with Microsoft 365 and additional Microsoft products. As readers of this blog may know, Microsoft 365 email products can be used in a HIPAA-compliant manner, but they require additional security configurations to meet compliance requirements. In the same way, organizations must take additional steps to secure Microsoft Teams.


Business Associate Agreement

As we have discussed before, a business associate agreement (BAA) is required for any vendor that will process ePHI on a company’s behalf. These agreements outline how ePHI will be used, what control measures will be in place, and where the responsibilities lie between the parties.

BAAs are absolutely necessary for HIPAA compliance. Even if Microsoft Teams is correctly configured with the necessary security controls, it would still violate HIPAA if a signed BAA was not in place. If an organization already has a BAA with Microsoft, they should confirm that using Teams is allowed before implementing it. This means that free Microsoft Teams accounts are not HIPAA-compliant.

Configure Security Settings

As mentioned above, using Microsoft Teams in a HIPAA-compliant manner involves more than signing the BAA and downloading the application. The organization must comply with the HIPAA Security Rule, which involves:

  • Ensuring the confidentiality, integrity, and availability of all electronic PHI.
  • Detecting and safeguarding against anticipated threats to the security of the information.
  • Protecting against anticipated, impermissible uses or disclosures.
  • Certifying compliance by the workforce.

Covered entities are responsible for putting the proper controls and reporting mechanisms in place to protect PHI. That includes employing the various safeguards available in the Microsoft Teams platform, such as:

  • Implementing user access controls
  • Requiring multifactor authentication and single sign-on (SSO) for user logins
  • Encrypting data in transit and at rest
  • Tracking and investigating specific activities using audit logs

Note that some features of Microsoft Teams may not be available when the platform is configured for compliance. It’s up to an organization’s IT and compliance teams to implement and enforce the proper technical controls.

Create Policies and Educate Users

Just because Microsoft Teams can be used to transmit ePHI, it doesn’t mean that’s always the best choice. Administrators should create policies that discuss how and when ePHI can be transmitted through Teams. For example, to reduce risk, it may be wise to keep heavy ePHI items like lab results out of the messaging application.

In addition, organizations should determine which devices employees can use Teams on. If employees are allowed to install Teams on their personal devices, the IT and compliance teams must develop policies and institute controls that can remotely wipe and disable those devices if they are lost or stolen, to prevent unauthorized access to ePHI.

Microsoft Teams can make intra-office communication much more straightforward, but it’s essential to determine what is and isn’t allowed before rolling it out to employees. Handling ePHI is very nuanced, and to protect data, it’s essential to thoroughly understand the risks involved with a new communications platform.

Is Skype HIPAA Compliant? If not, what is?

Saturday, May 9th, 2020

In recent times we have seen a huge push toward telehealth, so many are wondering, “Is Skype HIPAA compliant?” While Skype is a practical tool that many people have access to, it’s important to consider any regulatory obligations you need to meet before you use it.

If your business collects, stores, transmits, or processes electronic protected health information (ePHI), then it is subject to HIPAA regulations. Organizations that process ePHI on behalf of other parties also need to stay within the rules; otherwise, they may face heavy fines.

Regardless of whether your organization provides health services through video or it uses video platforms to process ePHI in any other way, it needs to make sure it is using software that abides by the regulations.

Wondering, “Is Skype HIPAA compliant?” is a good starting point, but there are several things to consider before you commit to a video conferencing service.

Do You Need a BAA to Make Skype HIPAA Compliant?

A business associate agreement (BAA) is a contract between your organization and any others that process its data. In essence, these agreements outline how ePHI will be used, what control measures will be in place, and where the responsibilities lie between the two parties.

BAAs are absolutely necessary for HIPAA compliance. Even if your organization and its partner share ePHI with every control and security mechanism imaginable, as well as following all other aspects of the regulations, it would still be violating HIPAA if a signed BAA was not in place.

If your organization is going to be sharing ePHI over a video service, then that service needs to be HIPAA-compliant.* And the only way it can be HIPAA compliant is if a BAA is in place.

Is Only the Business Version of Skype HIPAA Compliant?

Skype comes in several different versions, but the basic, consumer-oriented one is not HIPAA compliant. The only type that offers BAAs and which could be made HIPAA compliant is Skype for Business, which is one of Microsoft Office’s business communication tools. Note that “Skype for Business” is a completely different service than consumer Skype.

However, it’s also worth noting that Skype for Business is currently being phased out in favor of Microsoft Teams. If you don’t already have a supported version of Skype for Business, you should look for HIPAA-compliant alternatives instead. Support for Skype for Business Online ends in 2021, while support for Skype for Business Server will be extended until 2025.

With this in mind, it’s probably not worthwhile pursuing any version of Skype for HIPAA compliance. If you use the basic version of Skype, you will be violating the regulations, and even if you can get Microsoft to sign a Skype for Business BAA, you may have to switch your software in 2021 anyway.

HIPAA-Compliant Alternatives to Skype

Considering that Skype for Business doesn’t have much time left and that it is not even the same as “regular Skype,” your organization will be better off finding a HIPAA-compliant alternative. One option is LuxSci’s SecureVideo, which was designed specifically to make it easy to stay within the regulations.

SecureVideo was developed from the ground up with HIPAA compliance in mind, making it a practical video calling service that keeps security and compliance simple. The Zoom for Healthcare-based platform is great for telemedicine and other forms of sharing ePHI.

SecureVideo includes handy features like screen-sharing, file-sharing, and virtual clinics, with a capacity of up to 100 participants. This makes LuxSci’s SecureVideo a convenient and compliant alternative to Skype.


* During the Covid-19 pandemic, HHS has waived responsibility for breaches through non-compliant video conferencing services, like Skype. So, while Skype may not be compliant, it is OK to use during the pandemic. However, as the pandemic subsides and this waiver is lifted, you should have transitioned to a service that is actually HIPAA compliant.