ARCHIVED: Guidelines for complying with HIPAA privacy and security rules when using Skype for Business and UniCom voice mail at IU

On this page:

• HIPAA requirements
• Guidelines for securely storing and sharing sensitive data
  • Use disk encryption
  • Use a secure messaging application
  • Don't save Skype for Business call logs
• Learn more about HIPAA and computer security

HIPAA requirements

HIPAA compliance requires protected information to be encrypted when it's "at rest" (in storage) and "in transit" (during transmission over a communications network). For further definition of these concepts, see Data Encryption.

At IU, all data "in transit" via Microsoft Skype for Business (for instant messaging, or voice or video conversations) and UniCom (for voice mail) are encrypted during transmission. This includes data transmitted in voice mail messages to Outlook on your personal computer.

Information stored on servers (such as call attributes and voice mail) is also encrypted. This, plus the additional measures of housing the Skype for Business and Outlook servers in the IU Data Center, and restricting physical and administrative access to them, satisfies one end of the "at rest" requirement.

However, the other end of the "at rest" requirement must be met client-side (that is, on your computer). It is important that you (or your department's IT Pro) take the following recommended precautions to ensure the devices (computers, laptops, and mobile devices) and applications (Skype for Business, UniCom, and Outlook) you use are properly secured to protect any sensitive data they store or transmit.

Guidelines for securely storing and sharing sensitive data

UITS recommends taking the following precautions if you store or communicate data that contain protected health information (PHI) or other sensitive data protected by HIPAA.

Use disk encryption

Use disk encryption on any desktop system, laptop, or portable device you use to access or store sensitive data. For disk encryption, UITS recommends:

• Bitlocker (Windows)
• FileVault 2 (macOS)
• GnuPG (Linux)

Use a secure messaging application

Use Office Message Encryption (OME) when you use Outlook to forward email and voice mail messages containing sensitive data. See:

• About Office Message Encryption (OME)
• Ensure that mail sent from your Exchange account to an outside address is encrypted
• About confidential information in email

Also, before forwarding a message containing sensitive data, you should add the words [Secure Message] (case insensitive, with square brackets) to the subject line.

Don't save Skype for Business call logs

Make sure Skype for Business is not saving your call logs (this applies to Windows computers only). To do so:

1. In Skype for Business, in the upper right corner, click the Options (gear) icon.
2. From the menu on the left, select Personal.
3. Make sure the box next to "Save call logs in my email Conversation History folder" is unchecked.
4. Click OK.

Learn more about HIPAA and computer security

For more about best practices when handling sensitive data, see Protecting Data & Privacy. For more about computer security in general, see Tips for staying safe online.