ARCHIVED: Guidelines for complying with HIPAA privacy and security rules when using Skype for Business and UniCom voice mail at IU

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

On this page:

HIPAA requirements


Office telephone service for faculty and staff at Indiana University has transitioned from Skype for Business to Teams Calls.

For official information about compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) at Indiana University, see HIPAA Privacy and Security Compliance.

HIPAA compliance requires protected information to be encrypted when it's "at rest" (in storage) and "in transit" (during transmission over a communications network). For further definition of these concepts, see Data Encryption.

At IU, all data "in transit" via Microsoft Skype for Business (for instant messaging, or voice or video conversations) and UniCom (for voice mail) are encrypted during transmission. This includes data transmitted in voice mail messages to Outlook on your personal computer.

Information stored on servers (such as call attributes and voice mail) is also encrypted. This, plus the additional measures of housing the Skype for Business and Outlook servers in the IU Data Center, and restricting physical and administrative access to them, satisfies one end of the "at rest" requirement.

However, the other end of the "at rest" requirement must be met client-side (that is, on your computer). It is important that you (or your department's IT Pro) take the following recommended precautions to ensure the devices (computers, laptops, and mobile devices) and applications (Skype for Business, UniCom, and Outlook) you use are properly secured to protect any sensitive data they store or transmit.

Guidelines for securely storing and sharing sensitive data

UITS recommends taking the following precautions if you store or communicate data that contain protected health information (PHI) or other sensitive data protected by HIPAA.

Use disk encryption

Use disk encryption on any desktop system, laptop, or portable device you use to access or store sensitive data. For disk encryption, UITS recommends:

Use a secure messaging application

Use Office Message Encryption (OME) when you use Outlook to forward email and voice mail messages containing sensitive data. See:

Also, before forwarding a message containing sensitive data, you should add the words [Secure Message] (case insensitive, with square brackets) to the subject line.

Don't save Skype for Business call logs

Make sure Skype for Business is not saving your call logs (this applies to Windows computers only). To do so:

  1. In Skype for Business, in the upper right corner, click the Options (gear) icon.
  2. From the menu on the left, select Personal.
  3. Make sure the box next to "Save call logs in my email Conversation History folder" is unchecked.
  4. Click OK.

Learn more about HIPAA and computer security

For more about best practices when handling sensitive data, see Protecting Data & Privacy. For more about computer security in general, see Tips for staying safe online.

This is document bcvy in the Knowledge Base.
Last modified on 2023-07-12 14:16:19.