Health care providers must follow the Health Insurance Portability and Accountability Act (HIPAA), which protects patients' protected health information (PHI). Is Microsoft 365 HIPAA compliant, though?
As more clinicians electronically transmit patient records and other personal information to specialists and medical facilities, it is imperative that this information is kept secure in transit and at rest.
Here’s the problem with email, whether it’s Gmail or Microsoft 365: unless you use a “secure email” service, you have no way of knowing that the person reading an email you sent is the person you intended.
The hard truth is that IT staff with administrative access to the mail system can read your emails. Larger companies even have policies telling employees that they should expect no email privacy.
If you’re handling sensitive information, you need to understand that ordinary email carries no guarantee of privacy.
Here’s a great article that describes why email isn’t secure. It’s light on the technical jargon, and is worth the read.
I’m summarizing here (#notalawyer), but generally, HIPAA requires three things when it comes to email:
It’s your job to make sure that everyone that touches your patient PHI complies with HIPAA. For email, most get there by:
The HIPAA Omnibus Final Rule (from March 18, 2013) says your patients ARE allowed to authorize communications via email. However, you need to make sure your patient understands the risks of email before they sign the authorization.
Most firms have a consent form that patients must fill out before emails can be sent to them.
This is covered in HIPAA section 164.314(a). Many healthcare providers use a third party (like Microsoft or their IT company) for email. HIPAA calls these “Business Associates.” They must sign an agreement (a Business Associate Agreement, or BAA) stating that they’ll protect a patient’s confidential information just as you would.
In case you don’t know, Microsoft 365 is a service used for email by hundreds of millions of people worldwide. Many small businesses use it for email because it’s affordable, convenient, and offers some very good security features. You also get full versions of the major Microsoft programs (like Outlook, Excel, and Word) with a subscription.
Let’s see how Microsoft 365 does against our three criteria:
Microsoft 365 has some of the best security available in a hosted web service. It offers a solid two-factor authentication app to help keep your email accounts from being compromised, thorough audit logging, and security features you won’t find in many competing services. Microsoft also leads the way in supporting secure email and encryption.
This is something you’ll need to manage in your own office. It has no bearing on which email provider you choose.
Microsoft has put together a fantastic page that describes how they comply with HIPAA: https://docs.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech
The Microsoft site clearly states that Microsoft 365 is within the scope of its HIPAA/HITECH Business Associate Agreement (BAA).
There’s even a handy link where Microsoft 365 customers can request a copy of the agreement:
Yes, Microsoft 365 can be used as part of a HIPAA-compliant organization!
However, it isn’t HIPAA compliant out of the box; you’ll need to configure it the right way.
You also need to consider how you plan to handle PHI. If you want to send PHI via email, then you’ll need a secure email service, or you need to get written consent from your patients.
Microsoft’s competitor, Google, also signs HIPAA Business Associate Agreements for its paid Google Workspace product. We’ve experimented with its service and find it comparable to Microsoft in many respects.
Lots of lesser-known companies offer email services that they claim are HIPAA compliant. A simple Google search for “hipaa email provider” will pull up plenty of ads. A note of caution here: using an email provider that claims to be “HIPAA compliant” does not suddenly make YOU HIPAA compliant. HIPAA compliance comes from holistic protection of sensitive data, not just secure email.
It’s very easy to use Microsoft 365 from your phone or tablet, since support for Microsoft 365 accounts is built into the mail apps on most of those devices.
However, this convenience can lead to a breach if your devices aren’t properly managed. Be careful about giving employees access to email on mobile devices, especially if that email may contain PHI or other personal information, and make sure those devices are enrolled in device management before you do.
Protecting patients’ personal information is critically important in this technological age, and breaches of HIPAA can result in severe penalties for health care providers.
Get some free help! Check out our free guide to make Microsoft365 HIPAA compliant.