Is Skype for Business HIPAA compliant? (2022 update)


Last updated: 27 December 2022

We’ve been getting asked by customers and prospects about various telehealth solutions and whether they can use them in a HIPAA compliant manner.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

Back in 2013, it was generally a bad idea to use Skype for telehealth. Obviously, a lot has changed in healthcare since then. Today we will determine if Skype for Business is a HIPAA compliant telehealth service or not.

About Skype for Business

Skype for Business is a communication and collaboration platform that is part of the Microsoft Office suite of productivity tools. It allows users to communicate and collaborate with each other in real-time using a variety of different communication methods, including instant messaging, audio and video calls, and online meetings.

Skype for Business is designed for use in business settings. It integrates seamlessly with other Microsoft Office tools such as Outlook and Word. It is available as a standalone product, or it can be purchased as part of a larger Office 365 subscription.

Skype for Business and the business associate agreement

We’ve previously talked about how a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.

We checked the Microsoft site and found a page in the Microsoft Azure Trust Center called “HIPAA and the HITECH Act.”

It states that Skype for Business is an in-scope service and that:


Can my organization enter into a BAA with Microsoft?

Yes. Microsoft offers its covered entity and business associate customers a Business Associate Agreement that covers in-scope Microsoft services.

The Microsoft HIPAA Business Associate Agreement is available through the Microsoft Online Services Data Protection Addendum by default to all customers who are covered entities or business associates under HIPAA. See ‘Microsoft in-scope cloud services’ on this webpage for the list of cloud services covered by this BAA.


Notification of Enforcement Discretion

When the pandemic first hit in March 2020, the U.S. Department of Health and Human Services (HHS) quickly announced the Notification of Enforcement Discretion, which allowed health care providers to use widely available communication apps without the risk of incurring HIPAA fines.

This notice allows health care providers to use popular applications to provide telehealth services, so long as they are “non-public facing.”

Examples of non-public facing applications include:

  • Amazon Chime
  • Apple FaceTime
  • Doxy.me
  • Facebook Messenger
  • Google Hangouts video
  • Google Hangouts
  • iMessage
  • Jabber
  • Signal
  • Skype
  • Spruce Health Care Messenger
  • Updox
  • VSee
  • WhatsApp
  • Zoom

See also: HIPAA privacy and security guidelines as they relate to telehealth

Is Skype for Business HIPAA compliant?

The business associate agreement is a key component to HIPAA compliance between a covered entity and a business associate.

As we noted earlier, Microsoft is willing to sign a BAA with its customers for Skype for Business.

In addition, HHS considers Skype a telehealth solution that can be used in a non-public facing manner. While the HHS Notification of Enforcement Discretion is not indefinite, it would allow healthcare entities to use Skype and not be liable for HIPAA fines even if Microsoft did not offer a BAA to its customers.

Conclusion: Skype for Business is HIPAA compliant. Make sure you get a BAA in place with Microsoft.

About the author

Hoala Greevy

Founder CEO Paubox. Kayak fishing when I can.
