Is Skype HIPAA Compliant?

Skype was one of the first messaging platforms that allowed businesses to conduct meetings virtually; as such, it is a well-liked tool for many businesses. As you surely know, HIPAA is a law initially passed, among other purposes, to regulate the flow of protected health information (PHI).


Recently, many health practices have been using Skype for telehealth and telemedicine to treat their patients. However, before making use of teleconferencing tools, HIPAA covered entities and business associates must make sure that the tool is HIPAA compliant. But does Skype satisfy all requirements of the HIPAA Rules?

Skype is also not a common carrier; it is software as a service. There is currently some dispute surrounding Skype for Business HIPAA compliance. Skype includes security features to prevent unauthorized access to data transmitted via the platform, and messages are encrypted. If your organization is going to be sharing electronic protected health information (ePHI) over a video service, then that service needs to be HIPAA compliant.


However, the only way that it can be HIPAA compliant is if a business associate agreement (BAA) is in place. HIPAA requires every specially defined business associate to sign a contract stating that they will keep your data secret. Skype encrypts its data, probably at a level that is strict enough to meet HIPAA guidelines. However, Skype doesn’t automatically include appropriate controls for communications backup, nor does it maintain a compliant audit trail, as required by HIPAA standards.

Is Skype HIPAA compliant or not?

As a standalone application, the free version of Skype does not comply with the HIPAA Rules. So, for healthcare organizations that rely on Skype, take this as advice: never send ePHI via Skype. However, there may be a workaround if healthcare organizations use Skype for Business instead of the basic app.

For organizations using Skype for Business, like many of our customers, the platform can be made to better support HIPAA compliance, but only if it is configured appropriately. Even with a BAA and the appropriate package, there is still potential for HIPAA Rules to be breached using Skype for Business. Note that “Skype for Business” is a totally different service than consumer Skype.
