While Skype, in its general form, cannot be unequivocally deemed HIPAA compliant due to unresolved questions surrounding its classification as a business associate, potential law enforcement disclosures, and deficiencies in message backup controls and audit trails, the Skype for Business variant, especially with the Enterprise E3 or E5 packages, offers a pathway to compliance contingent on meticulous configuration, a business associate agreement with Microsoft, and adherence to stringent access controls, emphasizing the need for healthcare organizations to explore alternative secure messaging options tailored for the healthcare sector.
The question of whether Skype qualifies as a business associate under HIPAA continues to be the subject of considerable debate. The Conduit Rule exemption for Skype implies that it acts only as a channel for transmitting data, based on the idea that it does not actively manage PHI on behalf of a covered entity. The confusion arises as Skype, although not creating PHI, does help in the transmission of such sensitive information. The encrypted nature of messages adds another layer of complexity, as it prompts scrutiny regarding the platform’s classification, especially in situations where law enforcement requests for information may require decryption.
Microsoft’s compliance with law enforcement requests, coupled with the potential information disclosure through decryption, casts doubt on whether Skype genuinely aligns with the conduit exception. This uncertainty is further emphasized by Skype’s distinction as a software-as-service rather than a common carrier, contributing to the prevailing consensus that Skype should be categorized as a business associate. This classification, in turn, highlights the need for covered entities to establish a comprehensive business associate agreement with Microsoft to ensure compliance with HIPAA regulations.
While Microsoft offers HIPAA-compliant business associate agreements for its broader suite, the inclusion of Skype for Business in these agreements is not uniform. Covered entities are compelled to meticulously scrutinize these agreements to determine whether Skype, with its distinct features and functionalities, is explicitly covered. The complexities of these agreements with Microsoft add a layer of difficulty to achieving compliance, emphasizing the need for careful consideration and legal diligence on the part of healthcare organizations.
Examining Skype’s encryption practices, a key component of HIPAA compliance, reveals that messages are encrypted using AES 256-bit encryption, aligning with the stringent security requirements mandated by HIPAA. Despite this, deficiencies arise from message backup controls and the absence of a robust audit trail. To address these shortcomings, Skype for Business, particularly in the Enterprise E3 or E5 packages, emerges as a potential solution by providing features such as communication archives. However, it remains unclear whether other versions of Skype meet the stringent HIPAA compliance standards adequately.
Skype in its standard iteration cannot be unequivocally deemed HIPAA compliant. However, the Skype for Business variant, integrated with the Enterprise E3 or E5 packages, offers a pathway to compliance. Covered entities bear the responsibility of meticulously adhering to regulations by formalizing business associate agreements with Microsoft before incorporating Skype for Business into their workflows. Rigorous configuration of Skype, implementation of stringent access controls, and assurances of breach alerts from Microsoft become necessary for maintaining compliance. Despite these efforts, the inherent potential for breaching HIPAA Rules using Skype for Business demonstrates the importance of healthcare organizations exploring more specialized and secure alternatives tailored explicitly for the unique demands of the healthcare sector.
Assessment of Skype’s HIPAA Compliance:
| Aspect | Evaluation |
|---|---|
| Skype HIPAA Compliance (General Form) | Not unequivocally compliant due to unresolved questions on business associate classification, potential law enforcement disclosures, and deficiencies in backup controls and audit trails. |
| Business Associate Status | Subject to debate; Conduit Rule exemption considered, but uncertainty arises given Skype’s role in PHI transmission and encrypted messages. |
| Microsoft Business Associate Agreement Inclusion | Not uniform; Covered entities must scrutinize agreements to confirm coverage for Skype for Business, adding complexity to achieving compliance. |
| Encryption Practices | Messages encrypted using AES 256-bit encryption, meeting HIPAA’s security requirements. |
| Message Backup Controls and Audit Trails | Deficiencies identified; Skype for Business in Enterprise E3 or E5 packages addresses these issues with communication archives. |
| Skype for Business Compliance Pathway | Offers a potential pathway to compliance when coupled with meticulous configuration, a business associate agreement with Microsoft, and stringent access controls. |
| Considerations for Covered Entities | Emphasizes the need for careful consideration, legal diligence, and exploration of alternative secure messaging options tailored for the healthcare sector. |
| Overall Compliance Assessment | Skype, in its standard form, is not HIPAA compliant; compliance achievable with Skype for Business (Enterprise E3 or E5) contingent on stringent measures and alternative exploration. |