Is Skype® HIPAA Compliant? What You Should Know

Updated on August 23, 2024.

Given the growing interest in video conferencing services for communicating with patients online, healthcare organizations often come to Bridge, a patient engagement vendor, with an important question: Is Skype™ HIPAA compliant? The short answer is no, but it is a little more complicated than that. A version of Skype that can be run in a HIPAA-compliant way, Skype for Business Server™, still exists, but it has been discontinued and its support ends in 2025. Healthcare organizations that rely on it should therefore be looking for alternatives now. Let’s break down the differences between the Skype versions and what makes a good HIPAA-compliant telehealth platform.


Differences Between Skype And Skype For Business

Is Skype secure enough for HIPAA? It depends on the version you use. Previously, two versions of Skype were commercially available: Consumer Skype™ and Skype for Business™. That changed when Microsoft® discontinued Skype for Business in favor of Microsoft Teams™ [1].

  • Consumer Skype is still available for free, and can be used by individuals or smaller businesses.
  • Skype for Business was used for larger companies and included enterprise-grade security with the ability to manage employee accounts. Microsoft retired Skype for Business Online on July 31, 2021. Support for Skype for Business Server is slated to end in 2025. As such, Microsoft has urged all businesses using Skype for Business to upgrade to Microsoft Teams.
  • Microsoft Teams is part of Microsoft 365™ (formerly Office 365™). It offers advanced security and compliance features, but HIPAA compliance is not automatic: it depends on the agreement in place with Microsoft and on how the tenant is configured. Read more about whether Microsoft Teams is HIPAA compliant.


What Features Do Skype Or Microsoft Teams Need To Be HIPAA Compliant?

HIPAA does not name any specific technology that healthcare providers may or may not use for video conferencing. Instead, every channel that carries electronic protected health information (ePHI) must satisfy the HIPAA Security Rule, which in summary requires that:

  • Only authorized users have access to ePHI.
  • The communication system protects the integrity of ePHI, so that it cannot be altered or destroyed in an unauthorized way.
  • Activity involving ePHI is recorded and reviewed, so that breaches, whether accidental or malicious, can be detected and investigated.

When we ask “Is Skype HIPAA compliant?”, there are three key issues to consider: encryption, the business associate agreement, and audit controls.

Are Skype Calls Encrypted?

Consumer Skype is a voice over IP (VoIP) service that encrypts its traffic with the Advanced Encryption Standard (AES), also known as Rijndael, using 256-bit keys for chat sessions, voice calls, and video calls [2]. That key length exceeds the 128-bit minimum that the NIST encryption standards referenced in HHS guidance treat as acceptable for protected health information (PHI). Key length is not the weak point, though. For ordinary calls and chats the encryption runs between the Skype client and Microsoft’s servers rather than end to end, so Microsoft can decrypt the content in transit. Only Skype’s optional Private Conversations feature, which uses the Signal protocol, is end to end, and it covers audio calls, text, and files but not video.

Skype for Business and Microsoft Teams encrypt data both in transit and at rest. Stored data sits in Microsoft’s data centers, signaling runs over TLS, and video, audio, and desktop sharing use the Secure Real-time Transport Protocol (SRTP). As with Consumer Skype, this is provider-managed encryption rather than end to end by default, which is why the agreement with Microsoft discussed next matters.


The Business Associate Agreement (BAA)

One of the most compelling reasons against using Consumer Skype for provider-patient communication is that Microsoft will not enter into a business associate agreement (BAA) covering it. HIPAA, as amended by the Omnibus Rule, requires a BAA with any entity that creates, receives, maintains, or transmits PHI on behalf of a healthcare provider, health plan, or healthcare clearinghouse.

There is some debate as to whether Skype is a HIPAA business associate at all, because of the “mere conduit” exception. That exception is narrow: it covers services that merely transport PHI, the way an internet service provider or a courier does, and that have no more than transient, incidental access to it. The argument for treating a messaging service as a conduit rests on two conditions:

  • It only transmits PHI in an encrypted format

AND

  • It never has access to the encryption key

Skype fails that test. Its standard encryption protects traffic between the client and Microsoft’s servers rather than end to end, so Microsoft holds the keys, and Microsoft has been known to provide user information to law enforcement, which it could not do without being able to read that content. HHS guidance on cloud services goes further still and treats a provider that stores encrypted ePHI as a business associate even when it cannot decrypt it. Microsoft is therefore a business associate whenever Skype carries PHI, and for the consumer product it is one that will not sign a BAA.

Another factor to keep in mind is that the Omnibus Rule requires business associates to provide “satisfactory assurances” that PHI will be protected as HIPAA requires. Microsoft does not state anywhere that Consumer Skype can be used in a HIPAA-compliant way, so no such assurance exists for it.

Microsoft will sign a business associate agreement with covered entities for Microsoft 365 (formerly Office 365), and that agreement MAY cover Microsoft Teams. Not every agreement with Microsoft is the same, so it is the covered entity’s responsibility to read the BAA it has actually accepted and confirm that Microsoft Teams is among the covered services before using it for PHI.


Audits And Breaches

The HIPAA Security Rule requires covered entities to have audit controls: they must “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information” [3]. Consumer Skype offers no audit tooling for tracking who accessed PHI, nor does it notify the organization in the event of a breach. But can Skype for Business or Microsoft Teams be monitored?

Both Skype for Business and Microsoft Teams include management tools that produce a detailed activity record of communications: the time, date, duration, participants, and destination number of calls and messages. In Microsoft Teams this activity is also written to the Microsoft 365 unified audit log, where it can be searched and exported. These records are what the Security Rule means by examining information system activity, and they are essential when determining whether a security violation occurred.
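As an added example, not code from the original article or from Microsoft, the following PowerShell script performs the check a security engineer would run before trusting Teams activity records: it confirms that unified audit log ingestion is actually enabled for the tenant, pulls 30 days of Teams events for one account, and exports them for retention. It assumes the ExchangeOnlineManagement module is installed and the account running it holds the Audit Logs role; the user principal name and output path are placeholders.

```powershell
# Added example (not from the original article or from Microsoft).
# Verifies that the Microsoft 365 unified audit log is recording Teams
# activity, then pulls the last 30 days of Teams events for one account.
# Assumptions: ExchangeOnlineManagement module installed; caller has the
# "Audit Logs" role; the UPN and output path below are placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. An "activity report" is only evidence if ingestion is switched on.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    throw 'Unified audit log ingestion is disabled: Teams activity is not being recorded.'
}

# 2. Pull Teams records for one clinician over a 30-day window.
$user    = 'clinician@example.org'            # placeholder account
$start   = (Get-Date).AddDays(-30)
$end     = Get-Date
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType MicrosoftTeams -UserIds $user -ResultSize 5000

# 3. Flatten the JSON payload to the common-schema fields an auditor asks
#    for: who, when, from where, which operation, on which object.
$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        User      = $d.UserId
        ClientIP  = $d.ClientIP
        Operation = $d.Operation
        Object    = $d.ObjectId
        Workload  = $d.Workload
    }
}

# 4. Summarise and retain. A count per operation type makes gaps obvious
#    (for example, no MessageSent events for an account known to chat),
#    and the CSV is the artefact to keep under the retention policy.
$rows | Group-Object Operation | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

$outFile = ".\teams-audit-$($user -replace '[@.]', '_').csv"   # placeholder path
$rows | Sort-Object Time | Export-Csv -NoTypeInformation -Path $outFile

Disconnect-ExchangeOnline -Confirm:$false
```

One Search-UnifiedAuditLog call returns at most 5,000 records; for busier accounts or longer windows, page through the results with the -SessionId and -SessionCommand ReturnLargeSet parameters. Unified audit log retention is also finite, so an export like this needs to run on a schedule rather than only when an incident is suspected.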


To implement a HIPAA-compliant telehealth solution, providers should also require patients to complete the necessary consent forms and agreements before care is delivered through an online patient portal or telehealth platform.

The Verdict: Is Skype HIPAA Compliant?

While Consumer Skype’s transport encryption is strong, the service as a whole does not meet HIPAA requirements: Microsoft can decrypt the traffic, will not sign a BAA for it, and provides no audit controls. Organizations that use it to communicate with patients online should understand those risks and consider alternative HIPAA-compliant video conferencing platforms. If a patient prefers Skype, make sure there is a record of the patient’s informed consent to use technology that is not HIPAA compliant.

Skype for Business and Microsoft Teams meet the enhanced security and compliance requirements of healthcare organizations. Either can be made HIPAA compliant, so long as a BAA is in place and the organization actually enables and uses the appropriate security features. Because Skype for Business has been replaced by Microsoft Teams and its support is ending, it is not recommended to build on the former service.

Even with Microsoft Teams, the healthcare organization must still confirm that its BAA covers Teams and configure and use its security and audit features. Otherwise, the organization remains liable for any HIPAA breach that results. For many organizations it may therefore be easier and more cost-effective to use a dedicated healthcare communication platform instead.

Get HIPAA-Compliant Telehealth Software With BridgeInteract

BridgeInteract offers a HIPAA-compliant telehealth platform as part of a comprehensive, modular suite of patient engagement software tools by Bridge. Bridge Virtual Care enables secure messaging and telephone calls between patients and physicians, including HIPAA-compliant VoIP calling and video visits.

Bridge provides a business associate agreement to the covered entities it works with and continuously monitors regulatory requirements to ensure compliance. The platform seamlessly integrates with your electronic health records (EHR), facilitating scheduling, billing, and intake.

BridgeInteract has completed a SOC 2 attestation, reflecting its dedication to high data security standards. The platform employs encryption in transit and at rest, firewalls, and HIPAA-compliant cloud services to safeguard client data and patient information.

In addition, BridgeInteract is compliant with the ONC Certification Criteria for Health IT and has been certified by an ONC-ACB in accordance with the applicable certification criteria adopted by the Secretary of Health and Human Services.* To know more about the certified module, please check https://www.bridgeinteract.io/certifications/ 

Does your patient engagement vendor offer HIPAA-compliant telemedicine? Contact us to learn how we can help you deliver a better patient experience with BridgeInteract.

 

More Resources:

To learn more about HIPAA and email/SMS communication, read The Facts About HIPAA And Email/SMS Communication With Patients.


*This certification does not represent an endorsement by the US Department of Health and Human Services.

DISCLAIMER: All product and company names are trademarks™ or registered® trademarks of their respective holders. Bridge Patient Portal is not affiliated, endorsed, or sponsored in any way by the service providers mentioned in this article.


Sources:

  1. Microsoft (2023). Skype for Business Online retirement – Microsoft Teams. [online] learn.microsoft.com. Available at: Link. Accessed August 21, 2024. ↩︎
  2. Microsoft (n.d.). Does Skype use encryption? | Skype Support. [online] Available at: Link. Accessed August 21, 2024. ↩︎
  3. US Department of Health and Human Services. (2022). HIPAA for Professionals: The Security Rule. [online] Available at: Link. Accessed August 21, 2024. ↩︎
Blake Rodocker

Director Of Business Development Blake joined Bridge Patient Portal in 2016 after transferring from our parent company, Medical Web Experts. With over 10 years of sales and management experience, Blake is a results-driven professional, passionate about driving collaboration with clients, partners, and internal teams. Throughout his time at Bridge Patient Portal, Blake has demonstrated his versatility and dedication by actively collaborating with various departments within the organization, streamlining processes, and optimizing efficiency. Blake studied business administration at Thompson Rivers University in Kamloops, British Columbia, and completed a Health Information Curriculum and Training for Transformation (HICATT) program and GCP sales certification.