Is Skype HIPAA Compliant?

By: Blink Session

Skype brought video calls to the masses in 2003. Before then, video conferencing was reserved for companies with the money for expensive and complex equipment. Skype was, and still is, free for calls to other Skype users. Skype is a great tool, but does it meet the privacy standards of HIPAA and other health laws?

As with Zoom and most other video conferencing platforms, Skype was not designed for health care, nor has it ever shown much concern for privacy. Skype was bought by Microsoft in 2011, and now, with its integration into the Office 365 family of products, HIPAA compliance has finally come. This is important because the only version of Skype that is HIPAA-compliant is the one that is part of Office 365. In other words, there is no stand-alone version of Skype that you can subscribe to which is HIPAA-compliant; you must purchase Office 365 for business (and it cannot be the version hosted on your company's internal network).

How Does Microsoft Make Skype HIPAA-Compliant?

Skype has no features that were created to help treat patients online, and protecting personal health information has never been on its radar. It only became an issue when Microsoft wanted to bundle it with Office 365. Thus, to make a HIPAA-compliant version, Skype had to tweak features to fit the rules. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to protect patients' privacy and ensure they have access to their medical records. Providers and any companies that store patients' Personally Identifiable Information (PII) and medical records (e.g. Blink Session) in the U.S. are required by law to follow HIPAA rules. There are a few exceptions to this, but other state and local laws then apply. For software companies, the rules apply mostly to how PII is transmitted, how it is stored, and who has access to it.

For HIPAA, the biggest question has to do with who could gain access to the video and other PII. Skype, like every video call software, uses encryption to transmit the video between users, which is essential. The problem Skype has is that it routes video through its servers around the world. This means the video your computer sends out goes first to their Internet servers and then to the computer of the person you are talking to. Because of this, in order to be HIPAA-compliant, Skype was required to put in place policies that restrict access to these servers, but routing video directly between users will almost always be more secure.

Using HIPAA-Compliant Software Doesn't Guarantee Compliance

The HIPAA rules, much like the GDPR in Europe, are fundamentally concerned with who has access to personal data. Imagine a hospital patient database with thousands of records. If everyone who worked for the hospital had access to every patient's medical record, that would create all kinds of problems. Now imagine you have two therapists in your practice and you store medical records on your laptop. Say your laptop is stolen: who has access to those records now?

Skype has no safeguards controlling access. It does not help you protect the privacy of your patients' data. As with any other video conferencing software, you must ask: is this software merely HIPAA-compliant, or was it designed from the ground up with privacy in mind?
