Updated on March 20, 2023.
Given the growing interest in video conferencing services for communicating with patients online, healthcare organizations often come to Bridge Patient Portal, a patient engagement vendor, to ask an important question: Is Skype™ HIPAA compliant?
Previously, there were two versions of Skype™ commercially available: Consumer Skype™ and Skype for Business™. However, this changed when Microsoft discontinued Skype for Business™¹ in favor of Microsoft Teams™.
- Consumer Skype™ is still available for free, and can be used by individuals or smaller businesses.
- Skype for Business™ was used for larger companies and included enterprise-grade security with the ability to manage employee accounts. Microsoft™ retired Skype for Business Online™ on July 31, 2021, and began decommissioning the Skype for Business Online™ infrastructure after June 30, 2022. Support for Skype for Business Server™ is slated to end in 2025. As such, Microsoft™ has urged all businesses using Skype for Business™ to upgrade to Microsoft Teams™.
Microsoft Teams™ (previously Skype for Business™) is integrated with Microsoft’s Office 365™. It offers advanced security and compliance features, but HIPAA compliance is not guaranteed unless certain conditions are fulfilled.
What Does Skype™ or Microsoft Teams™ Need to Be HIPAA Compliant?
Though HIPAA doesn’t distinctly mention any specific types of technologies that healthcare providers can use for video conferencing, all communication channels must comply with the HIPAA guidelines on telemedicine detailed within the HIPAA Security Rule, which stipulates:
- Only authorized users should have access to ePHI.
- A secure communication system should be implemented to guarantee the integrity of ePHI.
- A monitoring system should be implemented for all communications containing ePHI in order to prevent breaches, whether accidental or malicious.
When we ask if Skype™ is HIPAA compliant, there are three key issues to consider:
Consumer Skype™² uses AES (Advanced Encryption Standard), also known as Rijndael. AES 256-bit encryption is used to secure the different channels of communication that take place on the platform (chat sessions, voice calls, and video calls). This encryption level exceeds federal guidelines for transmitting protected health information (PHI), which sets the minimum encryption level as 128-bit.
Skype for Business™ / Microsoft Teams™ encrypts data in transit and at rest, storing data in a secure network of data centers and using Secure Real-time Transport Protocol (SRTP) for video, audio, and desktop sharing.
Recommended: Is Zoom® a HIPAA Compliant Telehealth Software?
The Business Associate Agreement
One of the most compelling reasons against the use of Consumer Skype™ for healthcare provider-patient communication is that Skype™ will not enter into a business associate agreement (BAA). A BAA is required under the HIPAA Omnibus Rule for any entity that creates, receives, maintains, or transmits PHI on behalf of a healthcare provider, health plan, or healthcare clearinghouse.
There is some debate as to whether Skype™ qualifies as a HIPAA business associate due to the “mere conduit” rule, which states that a company is exempt from being a business associate if:
- It only transmits PHI in an encrypted format
- It never has access to the encryption key
The problem with Skype™ is that while the company states that it does not have access to the PHI it transmits, Microsoft™ has been known to provide information to law enforcement. Therefore, Microsoft™ does have access to the encryption key and is considered a business associate.
Another factor to keep in mind is that the Omnibus Rule requires business associates to provide “satisfactory assurances” that PHI will be protected as required by HIPAA rules. However, Skype™ does not state anywhere that its services can be used in a HIPAA compliant way.
Microsoft™ will sign a HIPAA compliant business associate agreement with covered entities for Office 365, which MAY include Skype for Business™ / Microsoft Teams™. Not all BAAs with Microsoft™ are the same, and it is the responsibility of the covered entities to check the agreement and make sure it iincludes Skype for Business™ / Microsoft Teams™.
Audits and Breaches
The HIPAA Security Rule requires covered entities to use technologies that include audit controls³ by “implement[ing] hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronically protected health information.” Unfortunately, Consumer Skype™ does not offer audit control tools for monitoring who has access to PHI, nor does it provide notifications in the event of a breach.
Both Skype for Business™ and Microsoft Teams™ include management tools that provide a detailed activity report of communications. The activity includes the time, date, duration, and destination number of all calls and texts made, plus details of purchases and downloads. These controls are useful for recording and examining information system activity, especially when determining if a security violation occurred.
In order to implement a HIPAA compliant telehealth solution, providers should require patients to complete necessary patient consent forms and agreements. Commonly used consent forms and agreements for online patient portals and telehealth platforms include:
The Verdict: Is Skype™ HIPAA Compliant?
While Consumer Skype™ encryption methods are secure, the software overall does not meet HIPAA compliance standards. Organizations that use it to communicate with patients online should be aware of the risks involved and consider alternative HIPAA-compliant video conferencing platforms. If the patient has a preference for using Skype™, be sure that there is a record of the patient’s consent to use non-HIPAA compliant technologies.
Skype for Business™/ Microsoft Teams™ meets the enhanced security and compliance requirements for healthcare organizations and can be made HIPAA compliant, so long as a BAA is in place and the appropriate security features activated and used by the healthcare organization. Because of the replacement of Skype for Business™ by Microsoft Teams™, it is not recommended to attempt to use the former service. When using Microsoft Teams™, however, the healthcare org must still ensure it is covered by a BAA and utilize its appropriate security features. Therefore, it may be easier and more cost-effective to use a dedicated healthcare communication platform instead.
For consultations that do not require video, Bridge Patient Portal offers a HIPAA compliant e-consultation platform. Bridge enables secure messaging and telephone calls between patients and physicians, including integrated VoIP calling. Bridge provides a business associate agreement to the covered entities that they work with, and continuously monitors regulatory requirements to ensure compliance. The platform can also be integrated with a variety of third party video conferencing solutions, facilitating pre-consultation communication, billing, and intake.
Does your patient engagement vendor offer e-consultations? Let Bridge know which software you use and how your experience has been thus far.
To learn more about HIPAA and email/SMS communication, read The Facts about HIPAA and Email/SMS Communication with Patients.
To learn more about HIPAA and healthcare applications, please read our three-part article series:
DISCLAIMER: All product and company names are trademarks™ or registered® trademarks of their respective holders. Bridge Patient Portal is not affiliated, endorsed, or sponsored in any way by the service providers mentioned in this article.
- Microsoft (2023). Skype for Business Online retirement – Microsoft Teams. [online] learn.microsoft.com. Available at: https://learn.microsoft.com/en-us/microsoftteams/skype-for-business-online-retirement.
- Microsoft (n.d.). Does Skype use encryption? | Skype Support. [online] Available at: https://support.skype.com/en/faq/FA31/does-skype-use-encryption.
- HealthITSecurity (2022). HIPAA Technical Safeguards: A Basic Review. [online] HealthITSecurity. Available at: https://healthitsecurity.com/news/hipaa-technical-safeguards-basic-review.