Revision 2016: Since the article was published, Microsoft has started offering a Business Associate Agreement (BAA) for Office 365 Online of which Skype is a part. While online documentation is very unclear, Microsoft has indicated that Skype is covered under this BAA and thus use of Skype can be “HIPAA compliant” as long as you have “Skype for Business” and the signed BAA with Microsoft.
However, Skype lacks many controls and features that are actually required for an organization to be compliant, such as access auditing, backups, and breach reporting. This makes it unclear what the usefulness of its being “covered” under Microsoft’s BAA really is. Microsoft is really just leaving it up to the Skype user to determine whether the use of Skype is appropriate, without taking any steps to ensure that use of Skype really could be compliant. Additionally, even though Skype for Business is covered under Microsoft’s BAA, the regular, free Skype used by most people is not covered. So, for example, a therapist should under no circumstances have a session with a patient where that patient is using the regular free Skype program.
Original Article Content:
In conjunction with their use of LuxSci HIPAA-compliant email and web hosting services, many small health care practices often ask us about use of Skype and other video conferencing software for communicating with patients over the Internet.
Is it possible to be HIPAA compliant while using Skype for sending PHI via chat, voice, and/or video? Why? Everyone else is doing it … shouldn’t I thus be able to as well?
The short answer is “no – don’t use Skype” and “there are other options available that offer this capability and allow you to be HIPAA compliant in the process.” For the long answer, read on.