Updated on June 5, 2020.
Given the growing interest in video conferencing services for communicating with patients online, healthcare organizations often come to Bridge Patient Portal, a patient engagement vendor, with questions about the use of Skype® for telemedicine, chief among them: is Skype HIPAA compliant? Here we will focus on two “types” of Skype: Consumer Skype® and Skype for Business® (now Microsoft Teams®). Consumer Skype® is free and can be used by individuals or smaller businesses. Skype for Business® is for larger companies, offers enterprise-grade security, and allows you to manage employee accounts.
Though HIPAA doesn’t specifically mention the types of technologies that healthcare providers can use for video conferencing, there are three key issues to consider.
Consumer Skype® uses AES (Advanced Encryption Standard), also known as Rijndael. AES 256-bit encryption is used to secure the different channels of communication that take place on the platform (chat sessions, voice calls, and video calls). This encryption level exceeds the federal guidelines for transmitting protected health information (PHI), which set the minimum encryption level at 128-bit.
Skype for Business® / Microsoft Teams® encrypts data in transit and at rest, storing data in a secure network of data centers and using Secure Real-time Transport Protocol (SRTP) for video, audio, and desktop sharing.
The Business Associate Agreement
One of the most compelling reasons against the use of Consumer Skype® for healthcare provider-patient communication is that Skype® will not enter into a business associate agreement (BAA). A BAA is required under the HIPAA Omnibus Rule for any entity that creates, receives, maintains, or transmits PHI on behalf of a healthcare provider, health plan, or healthcare clearinghouse.
There are some debates as to whether Skype® qualifies as a HIPAA business associate due to the “mere conduit” rule, which states that a company is exempt from being a business associate if:
- It only transmits PHI in an encrypted format
- It never has access to the encryption key
The problem with Skype® is that while the company states that it does not have access to the PHI that it transmits, it has been known to provide information to law enforcement. Therefore, Skype does have access to the encryption key and is considered a business associate.
Another factor to keep in mind is that the Omnibus Rule requires business associates to provide “satisfactory assurances” that PHI will be protected as required by HIPAA rules. However, Skype® does not state anywhere that its services can be used in a HIPAA-compliant way.
Skype for Business® / Microsoft Teams® offers qualified companies or their suppliers a BAA that covers in-scope Microsoft services such as Skype for Business® / Microsoft Teams®.
Audits and Breaches
The HIPAA Security Rule requires covered entities to use technologies that include audit controls by “implement[ing] hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” Unfortunately, Consumer Skype® does not offer audit control tools for monitoring who has access to PHI, nor does it provide notifications in the event of a breach.
Within Skype for Business® / Microsoft Teams®, Skype Manager® provides a detailed activity report of Skype® usage. The activity includes the time, date, duration, and destination number of all calls and texts made and details of purchases and downloads. These controls are useful for recording and examining information system activity, especially when determining if a security violation occurred.
The Verdict: Is Skype HIPAA Compliant?
While Consumer Skype®’s encryption methods are secure, overall it does not meet HIPAA compliance standards. Organizations that use the software to communicate with patients over the internet should be aware of the risks involved and consider using specialized, HIPAA-compliant video conferencing platforms. If the patient prefers to use Skype®, be sure there is a record of the patient’s acceptance of the use of non-HIPAA-compliant technology.
Skype for Business® / Microsoft Teams® ticks all the boxes when it comes to HIPAA compliance: it meets the enhanced security and compliance requirements for healthcare organizations and is, therefore, HIPAA compliant.
For consultations that do not require video, Bridge Patient Portal offers a HIPAA-compliant e-consultation platform. Bridge allows for two types of secure communication between patients and physicians: secure messaging and telephone calls, including integrated VoIP calling. Bridge provides a business associate agreement to the covered entities that they work with and continuously monitors regulatory requirements to ensure compliance. The platform can also be integrated with a variety of 3rd party video conferencing solutions, facilitating pre-consultation communication, billing, and intake.
Does your patient engagement vendor offer e-consultations? Let Bridge know which software you use and how your experience has been thus far.
To learn more about HIPAA and email/SMS communication, read our article: The Facts about HIPAA and Email/SMS Communication with Patients.
To learn more about HIPAA and healthcare applications, please read our three-part article series:
- HIPAA and Healthcare Applications, Part 1 of 3: What You Need to Know About User Authentication
- HIPAA and Healthcare Applications, Part 2 of 3: What You Need to Know About Auditing
- HIPAA and Healthcare Applications, Part 3 of 3: What You Need to Know About Data Transfer