Guidelines for complying with HIPAA privacy and security rules when using Skype for Business and UniCom voice mail at IU

HIPAA requirements

For official information about compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) at Indiana University, see HIPAA Privacy and Security Compliance.

HIPAA compliance requires protected information to be encrypted when it's "at rest" (in storage) and "in transit" (during transmission over a communications network). For further definition of these concepts, see Data Encryption.

At IU, all data "in transit" via Microsoft Skype for Business (for instant messaging, or voice or video conversations) and UniCom (for voice mail) are encrypted during transmission. This includes data transmitted in voice mail messages to Outlook on your personal computer.

Information stored on servers (such as call attributes and voice mail) is also encrypted. This, plus the additional measures of housing the Skype for Business and Outlook servers in the IU Data Center, and restricting physical and administrative access to them, satisfies one end of the "at rest" requirement.

However, the other end of the "at rest" requirement must be met client-side (that is, on your computer). It is important that you (or your department's IT Pro) take the following recommended precautions to ensure the devices (computers, laptops, and mobile devices) and applications (Skype for Business, UniCom, and Outlook) you use are properly secured to protect any sensitive data they store or transmit.

Guidelines for securely storing and sharing sensitive data

UITS recommends taking the following precautions if you store or communicate data that contain protected health information (PHI) or other sensitive data protected by HIPAA.

Use disk encryption

Use disk encryption on any desktop system, laptop, or portable device you use to access or store sensitive data. For disk encryption, UITS recommends:

Use a secure messaging application

Use a secure messaging application, such as the Cisco Secure Email Encryption Service (CSEES), when you use Outlook to forward email and voice mail messages containing sensitive data. See:

Also, before forwarding a message containing sensitive data, you should add the words [Secure Message] (case insensitive, with square brackets) to the subject line.

Don't save Skype for Business call logs

Make sure Skype for Business is not saving your call logs (this applies to Windows computers only). To do so:

  1. In Skype for Business, in the upper right corner, click the Options (gear) icon.
  2. From the menu on the left, select Personal.
  3. Make sure the box next to "Save call logs in my email Conversation History folder" is unchecked.
  4. Click OK.

Disable missed call notifications and voice mail text previews

  • To disable missed call notifications, submit a request via the Telecommunications Request Form.
  • To disable voice mail text previews of voice messages, you must use Outlook Web App (OWA) to access these settings:

    1. Log in to OWA, and in the upper right, click the Settings (gear) icon. Click Options.
    2. In the left navigation bar, click phone.
    3. On the voice mail tab, under "voice mail preview", uncheck the boxes next to "Include preview text with voice messages I receive" and "Include preview text with voice messages I send through Outlook Voice Access".
    4. To save your changes, in the bottom left, click save.

Learn more about HIPAA and computer security

For more about best practices when handling sensitive data, see Protecting Data & Privacy. For more about computer security in general, see Tips for staying safe online.

This is document bcvy in the Knowledge Base.
Last modified on 2021-01-15 16:46:36.
