Guidelines for complying with HIPAA privacy and security rules when using Skype for Business/Lync and UniCom voice mail at IU

On this page:


HIPAA requirements

Note:
For official information about compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) at Indiana University, see HIPAA Compliance on the IU Office of Research Administration - Compliance Services website.

HIPAA compliance requires protected information to be encrypted when it's "at rest" (i.e., in storage) and "in transit" (during transmission over a communications network). For further definition of these concepts, see Data Encryption.

At IU, all data "in transit" via Microsoft Skype for Business/Lync (for instant messaging, or voice or video conversations) and UniCom (for voice mail) are encrypted during transmission. This includes data transmitted in voice mail messages to the Microsoft Outlook client on your personal computer.

Information stored on servers (e.g., call attributes and voice mail) is also encrypted. This, plus the additional measures of housing the Skype for Business/Lync and Outlook servers in the IU Data Center, and restricting physical and administrative access to them, satisfies one end of the "at rest" requirement.

However, the other end of the "at rest" requirement must be met client-side (i.e., on your computer). It is important that you (or your department's IT Pro) take the following recommended precautions to ensure the devices (e.g., computers, laptops, and mobile devices) and applications (e.g., Skype for Business/Lync, UniCom, and Outlook) you use are properly secured to protect any sensitive data they store or transmit.

Guidelines for securely storing and sharing sensitive data

UITS recommends taking the following precautions if you store or communicate data that contain protected health information (PHI) or other sensitive data protected by HIPAA.

Use disk encryption

Use disk encryption on any desktop system, laptop, or portable device you use to access or store sensitive data. See:

Use a secure messaging application

Use a secure messaging application, such as the Cisco Registered Envelope Service (CRES), when you use Outlook to forward email and voice mail messages containing sensitive data. See:

Also, before forwarding a message containing sensitive data, you should add the words "confidential" or "secure message" to the subject line.

Don't save Skype for Business/Lync call logs

Make sure Skype for Business/Lync is not saving your call logs (this applies to Windows computers only). To do so:

  1. In Skype for Business/Lync, in the upper right corner, click the Options (gear) icon.
  2. From the menu on the left, select Personal.
  3. Make sure the box next to "Save call logs in my email Conversation History folder" is unchecked.
  4. Click OK.

Disable missed call notifications and voice mail text previews

  • To disable missed call notifications, submit a request via the Telecom Request Page.
  • To disable voice mail text previews of voice messages, you must use the IU Outlook Web App (OWA) to access these settings:

    1. Log into OWA, and in the upper right, click the Settings (gear) icon. Click Options.
    2. In the left navigation bar, click phone.
    3. On the voice mail tab, under "voice mail preview", uncheck the boxes next to "Include preview text with voice messages I receive" and "Include preview text with voice messages I send through Outlook Voice Access".
    4. To save your changes, in the bottom left, click save.

Learning more about HIPAA and computer security

For more about best practices when handling sensitive data, see Protecting Data. For more about computer security in general, see Tips for staying safe online.

This is document bcvy in the Knowledge Base.
Last modified on 2017-07-27 13:48:28.

  • Fill out this form to submit your issue to the UITS Support Center.
  • Please note that you must be affiliated with Indiana University to receive support.
  • All fields are required.

Please provide your IU email address. If you currently have a problem receiving email at your IU account, enter an alternate email address.

  • Fill out this form to submit your comment to the IU Knowledge Base.
  • If you are affiliated with Indiana University and need help with a computing problem, please use the I need help with a computing problem section above, or contact your campus Support Center.

Please provide your IU email address. If you currently have a problem receiving email at your IU account, enter an alternate email address.