Is Skype HIPAA Compliant?
Skype is owned by Microsoft and is part of Office 365. Microsoft does
offer a Business Associate Agreement (BAA) for Office 365 which
technically covers Skype for Business (but not regular Skype).
However, Skype lacks many controls and features that are actually
required for an organization to be HIPAA-compliant, such as access
auditing, backups, and breach reporting. This makes it unclear what the
usefulness of its being "covered" under Microsoft's BAA really is.
Microsoft is really just leaving it up to you to determine if the use of
Skype is appropriate without taking any steps to ensure that use of Skype
really meets all of HIPAA's requirements. Additionally, even though Skype
is covered under Microsoft's BAA, the regular, free Skype used by most
people is not covered. So, for example, a doctor should under no
circumstances have a session with a patient, where that patient is using
the regular free Skype program. This patient must use the web
browser-based business Skype interface in order to be covered.
Alternative to Skype: SecureVideo
LuxSci's SecureVideo service was built to be HIPAA compliant and in
fact provides better video quality in one-on-one video calls and in group
video teleconferencing. LuxSci SecureVideo:
- Is Covered by LuxSci's HIPAA Business Associate Agreement
- Supports real-time group video conferencing with many participants
- Supports recording of video sessions
- Has a work flow designed for scheduled video sessions
- Includes unlimited usage
- Virtual clinic for access to remote medical providers
- Works from desktop and iOS/Android devices.
Some background on Skype
When considering if Skype can be used in a HIPAA-compliant manner, there are many relevant items to consider:
- Encryption: Skype uses AES 256-bit encryption for securing chat sessions and voice and video calls. This level of encryption is more than sufficient for protecting ePHI in transit.
- Wire Tap: It is well known that many countries can "wire tap" Skype communications so that they can record calls, videos, and chats. Changes that Microsoft has made to Skype make it easier for them to wire tap communications, in general and domestically. It is also well known that the NSA can wire tap Skype video calls.
- HIPAA Requirements: Use of Skype does not:
  - Provide audit trails of usage
  - Provide notifications in case of a breach
  - Offer technical support; in addition, frequently dropped calls may cause problems for some organizations (e.g. in terms of emergency access)
  - Provide archives of chats or video
  - Provide administrative emergency access to previous chat histories
So, what does this mean?
These items taken together mean that:
- While Skype uses a strong level of encryption, the privacy of data sent via Skype is suspect
- Copies of calls, chats, and videos could be stored in unknown locations as a result of wire taps or other undisclosed recording by Skype, Microsoft, or government officials
- Non-Business Skype does not claim any kind of HIPAA compliance, and Microsoft will not sign the required Business Associate Agreement for it
- Skype does not provide the tools to use Skype in a way that allows you to meet your own HIPAA-compliance requirements (e.g. auditing and archival/backup).
- Skype does argue that it does not need to offer compliance tools because it is merely a vehicle for communications, just as your cell phone provider and the postal mail service do not offer such tools. In fact, Skype provides better security than those other methods of transmitting PHI. This argument is nevertheless inaccurate, as Skype is not a "common carrier"; it is Software-as-a-Service provided through Microsoft.
The problem is that this argument does not hold water very well for other reasons as well:
- Chat. PHI in Skype chat is just like an email message being sent from one party to another and will be cached and/or recorded by Skype. Use of Skype for ePHI over chat should be strictly avoided.
- Safeguards Principle. When we looked at HIPAA compliance for FAX, we saw that encryption and compliance come down to the "Safeguards principle" of HIPAA: "Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure."
The Safeguards principle means that if you can reasonably apply
measures to ensure privacy, you should absolutely do so. With analog FAX,
that is hard to do in a way that is generally compatible with everyone
else. Since use of FAX may be required and there may be no really
feasible way to send them securely, you might choose not to -- as long as
you take all other reasonable measures to ensure privacy. This is a
risk-benefit analysis you must perform and on which you must make your
compliance business decisions.
What about Secure Chat?
For a secure, HIPAA-compliant chat solution, you must look to a vendor
that offers this service and provides a Business Associate Agreement and
all of the appropriate security controls specified by HIPAA. Skype does
not pass muster. Regular text
messages (SMS and MMS) certainly do not.
With video conferencing, the situation is somewhat different:
- You are generally not required to use it
- There are companies other than Skype that provide video
conferencing in a way that allows you to remain HIPAA compliant in a
Since it is relatively easy to choose a Safeguard that allows you to be
more fully compliant with HIPAA when video conferencing, it would be
neglectful to instead use Skype for this purpose.
It does come down to the individual organization weighing the risks. If
you choose to use Skype and accept the risk-benefit analysis, that is up
to you, but you must be able to justify your decision in your internal
HIPAA compliance reviews and be prepared to answer pointed questions from
auditors, should the need arise.
What are the alternatives to Skype for Video Conferencing?
There are many organizations that offer video conferencing and which
claim HIPAA compliance and/or which offer Business Associate Agreements.
LuxSci's SecureVideo is one option which
provides a BAA and a service specifically designed to meet the
HIPAA-compliance requirements for telehealth.