Skype is one of the most popular communication apps out there. It allows for easy video and audio calls as well as instant messaging between individuals and groups. That’s why many have wondered if Skype can also be used as a means of communication between healthcare professionals and their patients. 

The truth is, if online communication involves the exchange of protected health information (PHI), the communication channel used needs to comply with HIPAA rules, which deal with the safety and privacy of such information. The violation of HIPAA can result in enormous fines.

Whether Skype is HIPAA compliant is still a matter of some debate. This is difficult to determine as the platform was not built for the purposes of exchanging sensitive medical information in the first place. It is much better to turn to a trusted telemedicine platform such as Curogram, which we designed carefully with HIPAA regulations in mind.

This article will explore how Skype fits into the HIPAA framework and whether it can be used for communication between medical staff and patients.

Do you need a business associate agreement (BAA) with Skype?

As a medical practice, if you want to conduct your business over Skype, you first need to understand how the law sees this platform in terms of sharing PHI. 

What are business associates?

If you’re using the services of a third-party provider that involve them having access to your patients’ PHI, this provider is considered your business associate (BA) under HIPAA. In that case, they need to sign a business associate agreement with you. The U.S. Department of Health and Human Services (HSS) provides a sample contract that you can use. This contract extends your HIPAA responsibilities to them as they also have access to sensitive patient information and need to keep it safe.

What is the Conduit Rule?

Most communication channels are considered BAs. There is an exception though, known as the Conduit Rule, and it applies to transmission-only services. The Conduit Rule allows covered entities to use the services of a provider without entering into a BAA. This rule applies if the provider transmits PHI or electronic PHI (ePHI) but doesn’t have access to it and doesn’t store it. The example of these are internet service providers (ISPs).

Where does Skype fit in?

Some argue that Skype should be considered an exception under the Conduit Rule as it’s only a medium through which the information flows. All the information is encrypted, as well. The question is can Microsoft, the owner of Skype, decrypt and access the correspondence?

Microsoft is obliged to comply with legal requests for access to Skype correspondences. In order to do so, they would need to have the key to the encrypted communication themselves. This disqualifies Skype for the conduit exception regardless of whether Microsoft refrains from accessing the information or not.

We believe Skype is considered a BA, and you need to enter into a written agreement with Microsoft if you want to use Skype for transmitting PHI. At this point, it goes without saying that the free version of the platform can’t be HIPAA compliant. Skype for Business is your only potentially viable option.

According to Microsoft’s compliance page, you can enter into a BAA with them for Office 365 as a covered entity, but it is unclear whether Skype for Business would be included in the agreement at all.

Does Skype comply with the HIPAA Security Rule?

According to the HIPAA Security Rule, both HIPAA-covered entities (you) and their BAs (Skype in this case) need to safeguard and protect PHI. We will explore if Skype has the capacity to implement all the technical safeguards required under HIPAA, including:

• Access controls
• Automatic logoff
• Audit controls
• Integrity controls
• Encryption and decryption
• Transmission security

Access controls

When it comes to access control, Skype users do have unique identifiers required under the Security Rule of HIPAA that allow them to access their profiles. This includes both medical personnel and patients. The unique identifiers, in this case, are either Skype usernames, emails, or phone numbers.

The problem is that there should also be some procedures that govern the access of PHI in an emergency. What constitutes an emergency for you should be clearly defined in the business agreement. In essence, an emergency is:

1. Anything that can prevent access to sensitive patient data
2. Anything that can lead to the loss, breach, or corruption of patient data

Power outages and cyber-attacks are some examples of emergencies. The free version of Skype can’t help you much in these situations as it doesn’t back up any of your information (including electronic PHI). It merely stores your chats, recordings, and items you have shared, but the duration it’s available for varies. You need to be careful and find a backup solution if you don’t want to lose important files.

Here’s how long everything is stored in your chat history:

Apart from backup, there must also be clearly defined procedures that determine who can access the data in an emergency and in what way. Needless to say that if there’s no backup with Skype, there’s no emergency backup plan either.

Skype for Business is more flexible in this regard and can be made HIPAA compliant (at least when it comes to backup). If you go for Office 356 E3 or E5 packages, you’ll be able to create an archive to store all your communication, including ePHI.

Automatic logoff

Automatic logoffs are another addressable function prescribed by HIPAA. This feature represents an important aspect of preventing unauthorized access to ePHI. 

After a period of inactivity, an electronic session should end automatically. This is a great safeguard in case someone forgets to log out after a telemedicine session with a patient and compromises their sensitive information this way.

The free version of Skype doesn’t offer this option at all. If you purchase an E3 or E5 Skype for Business package, you can enable the logoff feature. It is important to note that this feature won’t be available by default, and it is your responsibility to make your Skype package HIPAA compliant in this respect.

Audit controls

HIPAA requires all covered entities and BAs to maintain activity logs. These are reports that give you insight into the sequence of all the events that took place in an app. They are otherwise known as audit trails. They should provide information about each access or attempted access to PHI as well as any changes introduced to the relevant data.

Skype doesn’t maintain an audit trail required to be considered HIPAA compliant. You won’t be able to see if any third party has accessed your Skype account or tampered with your data stored there, including sensitive patient information. Your audio or video telemedicine sessions with patients might also get compromised, and you won’t have any way of knowing this without activity logs.

Utilizing third-party logging apps, such as Loggly, could be a great solution for storing non-PHI logs, but this is not an option with PHI-related logs. Involving yet another party in the maintenance of your PHI would mean entering into another BAA and having to figure out if the entity is HIPAA compliant in the first place all over again.

Not maintaining an audit trail is one of Skype’s greatest misgivings, and it represents a serious impediment in even beginning to consider this platform HIPAA compliant.

Integrity controls

Integrity control refers to setting mechanisms in place to aid in:

1. The authentication of ePHI
2. The authentication of the identity of persons trying to access ePHI

The authentication of ePHI means being able to determine whether patient information has been altered in an unauthorized way or even destroyed. If the integrity of this data is compromised, this could lead to serious consequences for patients’ health as well as for your medical practice.

Skype has no mechanisms in place that could help you keep the integrity of ePHI intact. That means that anyone can make unauthorized changes to it. These changes could be done purposely or unintentionally and can also result from electronic failures independent of human intervention.

The authentication of persons trying to access ePHI means confirming that the user who wishes to log in is who they claim to be. Aside from using identifiers, such as email addresses, usernames, or phone numbers, there has to be an additional proof of identity in the form of something known only to that person. These are usually passwords or PIN codes.

Skype has this part of authentication covered. If you want to log into your account, you need to enter a unique password.

Encryption and decryption

Encryption is advised by HIPAA, but it is not required. However, encryption is so widespread nowadays that it would be ludicrous not to utilize it.

HIPAA does obligate you to use technical measures to protect ePHI from being accessed by unauthorized parties, be it encryption or something else. This responsibility transfers to your BA as well since you should both strive to keep patient data safe.

Skype meets this standard by utilizing AES 256-bit encryption. This is generally considered a high level of protection. Whether you’re chatting or using Skype-to-Skype video or audio calling, the data you and your patients transmit is encrypted and unreadable to anyone who doesn’t have direct access to this communication.

Beware of Skype’s option to make Skype-to-phone calls, though. In this type of communication, your data is not protected by encryption and can be intercepted and misused.

The rules are a bit more strict if you’re a federal agency. The federal government has a set of Federal Information Processing Standards (FIPS) in place. Advanced encryption that Skype uses, or AES, satisfies a part of these requirements, but not all of them. This means that federal agencies can’t use Skype for telemedicine or telehealth, and neither can their contractors and vendors.

Transmission security and EHR integration

Transmission security standard implies that there should be technical security measures in place to protect PHI from unauthorized access during its transmission over electronic networks. These measures come down to two safeguards we have already mentioned:

1. Integrity controls
2. Encryption

Integrity control in this context means that the integrity of ePHI needs to be protected during transmission. As we have said, Skype communication is encrypted, except when it comes to Skype-to-phone calls.

On top of that, Skype does not integrate with your EHR, which means that even if you were to send sensitive documents, you’d have to grab them from your EHR first. Curogram can integrate with any EHR in 48 hours and offer secure document transfer, as well as workflows that doctors and other medical personnel are already used to.

Does Skype comply with the HIPAA Privacy Rule?

The Privacy Rule doesn’t directly concern BAs, but all its provisions that apply to covered entities automatically extend to their BAs. This is because the ultimate goal of this rule is to protect the privacy of ePHI, and all involved parties have to work toward it.

The Privacy Rule boils down to the following provision: covered entities and BAs mustn’t use, access, or disclose ePHI without the explicit consent of the individual unless it’s for the purposes of medical treatment, payment, or other healthcare operations.

As we have mentioned, Microsoft may be legally required to disclose your private communication (including ePHI) to law enforcement. Not even HIPAA argues against this kind of disclosure. Yours and your patients’ Skype data should otherwise remain private.

Does Skype comply with the HIPAA Breach Notifications Rule?

The Breach Notification Rule requires covered entities and BAs to report any breaches of ePHI to patients, and in severe cases, to law enforcement and the Department of Health and Human Services (HHS) as well. This should be done no later than 60 days after the breach occurs.

Skype doesn’t have the ability to maintain activity logs, which means it has no mechanisms that can help you determine when a breach happened, let alone inform you about the details of the breach.

The inability to monitor and report breaches of ePHI alone makes Skype non-compliant with HIPAA.

The verdict: Is Skype HIPAA compliant?

The free version of Skype is absolutely non-compliant, whereas Skype for Business packages satisfy some HIPAA requirements but not others. It is safe to say that Skype is not HIPAA compliant and should be avoided in the context of telemedicine and telehealth.

The good news is we offer a much better and a completely HIPAA compliant solution for your medical practice.

Why healthcare providers choose Curogram over Skype

Curogram is a platform for telemedicine and two-way texting that was built specifically for healthcare providers, unlike Skype that’s used for general communication. Our solution is 100% HIPAA compliant—it’s in sync with all its regulations. You don’t have to worry about fulfilling legal requirements and can focus on what you do best—providing healthcare services.

Healthcare professionals choose Curogram over Skype because:

• It integrates with any EHR
• It replicates physical workflows of in-person patent visits in a virtual setting
• It features a virtual waiting room
• It makes document transfer easy, safe, and streamlined

EHR integration

Curogram integrates with almost any EHR there is. You don’t have to waste time on endless data input and can focus on being the best physician to your patients. The integration is simple and will take less than 48 hours. There’s no need to wait for months for the integration process to complete. You’ll be able to sync your appointments with your patients’ EHR, so you won’t have to input all the data twice. This is something Skype doesn’t offer at all.

In-person patient visits in a virtual environment

Instead of jumping on a call with the patient straight away on Skype, you can replicate the workflow of a physical visit with Curogram. Workflows are customized for different doctors and medical staff, and patients get properly onboarded before they get to the appointment. They fill a secure electronic intake form, which the provider can then access in PDF. The whole process is neat and simple, so you don’t have to waste time on technicalities.

Virtual waiting room

Both you and your patients can get properly ready before the appointment, thanks to Curogram’s virtual waiting room. You can see how many patients are waiting there, whether they’re ready, or if MAs are in there preparing them. Skype certainly can’t offer you this option. You would have to figure out a different way to prepare your patients and yourself before the appointment.

Document transfer made easy and safe

Aside from collecting intake forms before the appointment, our telemedicine platform allows you to easily share documents with patients after the visit. You can have ready-made documents for various purposes and send them with a simple click of a button. 

We also have a mobile app for sending any patient information in a HIPAA-secure way. Thanks to the EHR integration, your patients will get EHR-generated visit summaries.

With Skype, you and your patients can only exchange documents through chat.

Wondering if other solutions are HIPAA compliant?

Let’s talk about telemedicine!

Curogram is proud to offer one of the best telemedicine solutions to medical professionals. We want to hear from you! Drop us a line!