Sunday, December 24, 2017

HIPAA Compliance and Skype

Skype is owned by Microsoft, and Skype for Business is part of Office 365. Microsoft does offer a Business Associate Agreement (BAA) for Office 365, which technically covers Skype for Business (but not the regular consumer Skype).
However, Skype lacks many controls and features that an organization actually needs in order to be HIPAA-compliant, such as access auditing, backups, and breach reporting. This makes it unclear how useful its being "covered" under Microsoft's BAA really is. Microsoft is effectively leaving it up to you to determine whether the use of Skype is appropriate, without taking any steps to ensure that use of Skype really meets all of HIPAA's requirements. Additionally, even though Skype for Business is covered under Microsoft's BAA, the regular, free Skype used by most people is not. So, for example, a doctor should under no circumstances hold a session with a patient in which that patient is using the regular free Skype program; the patient must use the web browser-based Skype for Business interface in order to be covered.
When considering whether Skype can be used in a HIPAA-compliant manner, there are several relevant items to consider:
  • Encryption: Skype uses AES 256-bit encryption for securing chat sessions and voice and video calls. This level of encryption is more than sufficient for protecting ePHI in transit. Encryption in transit on its own, however, does not address the auditing, archiving, or breach-notification requirements discussed below, and, as the next item shows, it does not prevent the service operator or governments from accessing the content.
  • Wiretapping: It is well known that many countries can "wiretap" Skype communications so that they can record calls, video, and chats. Changes that Microsoft has made to Skype make such wiretapping easier, both in general and domestically. It is also well known that the NSA can wiretap Skype video calls.
  • HIPAA Requirements: Use of Skype does not:
      • Provide audit trails of usage
      • Provide notifications in case of a breach
      • Offer technical support; in addition, frequently dropped calls may cause problems for some organizations (e.g. in terms of emergency access)
      • Provide archives of chats or video
      • Provide administrative emergency access to previous chat histories