by Hoala Greevy, Founder and CEO of Paubox

Is Skype for Business HIPAA compliant?

Given the growing use of technology for communication, many HIPAA entities want to know whether popular consumer services are HIPAA compliant. Skype, for example, is free, easy to learn and widely used. So many HIPAA entities ask: Is Skype HIPAA compliant?

Is Skype for Business Encrypted?

From a HIPAA compliance standpoint, it is hard to tell whether Skype meets the HIPAA Security Rule's expectations for encrypting data both in motion and at rest. If we look at Skype’s support center, they mention that they “use TLS (transport-level security) to encrypt your messages between your Skype client and the chat service in our cloud…”

What this means is that Skype addresses the HIPAA Security Rule's requirement for encrypting data in transit, or in motion, at least on the link between the Skype client and Skype's cloud service.

What is not mentioned, however, is whether they encrypt the data stored in their cloud. The HIPAA Security Rule states that protected health information (PHI) must be stored in an encrypted state, which is known as at-rest encryption.

Since they do not explicitly state that they provide at-rest encryption, it is questionable whether Skype meets HIPAA encryption requirements.

Does Skype offer Business Associate Agreements?

As we covered in our post about Business Associate Agreement Provisions, vendors that handle PHI for HIPAA entities are required by law to sign Business Associate Agreements. Microsoft, which owns Skype, does not list it as a product covered under the Business Associate Agreements they trumpet to customers.

In fact, an Oklahoma doctor was recently sanctioned for his use of Skype to treat patients. The absence of a Business Associate Agreement by Skype was one of the primary factors that led to his punishment.

I also checked Skype’s community forum and found this question: “Is Skype for Business HIPAA compliant?”

One of Skype’s admins replied and said, “Skype hasn’t applied yet for a HIPAA compliance review for any of its clients or even the whole system.”


Conclusion: Skype is NOT HIPAA Compliant

Skype’s encryption, as it relates to the HIPAA Security Rule, is most likely not up to par. In addition, Skype does not offer Business Associate Agreements, nor does it have any near-term plans to do so. We also see that a precedent has been set for covered entities that are found to be using it to treat patients.

In a nutshell, if you are a covered entity, stay away from Skype.
