Josh Ablett

Is Microsoft 365 HIPAA compliant?

Health care providers must follow the Health Insurance Portability and Accountability Act (HIPAA), which protects your patients' protected health information (PHI). But is Microsoft 365 HIPAA compliant?

As more clinicians are electronically transmitting patient records and other personal information to specialists and medical facilities, it is imperative that we ensure that information is secure.

Isn’t Email Secure? Not at all!

Here’s the problem with email, be it Gmail or Microsoft 365. Unless you use “secure email,” there’s no way for you to know that the person reading an email you sent is the person you intended.

The hard truth is that anyone in IT can read your emails. Larger companies even have policies that tell employees they should expect no email privacy.

If you're handling sensitive information, you need to know that email has no guarantee of privacy.

Here’s a great article that describes why email isn’t secure. It’s light on technical jargon and is worth the read.

What does HIPAA Say about Email?

I’m summarizing here (#notalawyer), but generally, HIPAA requires three things when it comes to email:

1) Security strong enough for HIPAA

It’s your job to make sure that everyone that touches your patient PHI complies with HIPAA. For email, most get there by:

2) Patient Consent

The HIPAA Omnibus Final Rule (from March 18, 2013) says your patients ARE allowed to authorize communications via email. However, you need to make sure your patient understands the risks of email before they sign the authorization.

Most practices have a consent form that patients must fill out before email can be sent to them.

3) Business Associate Agreement

This is covered in HIPAA section 164.314(a). Many healthcare providers use a third party (like Microsoft or their IT company) for email. HIPAA calls these “Business Associates.” They must sign an agreement that says they'll protect a patient’s confidential information just like you would.

How does Microsoft 365 stack up for HIPAA?

In case you don’t know, Microsoft 365 is a service used for email by hundreds of millions of people worldwide. Many small businesses use it for email because it’s affordable, convenient, and offers some very nice security features. You also get full versions of the major Microsoft programs (like Outlook, Excel, and Word) with a subscription.

Let’s see how Microsoft 365 does against our three criteria:

1) Security Strong Enough for HIPAA

Microsoft 365 has some of the best security available in a hosted web service. It offers a terrific two-factor authentication app to make sure your email accounts aren’t taken over. It has strong logging in place, plus security features you won’t find anywhere else. Microsoft also leads the way in supporting secure email and encryption.

2) Patient Consent

This is something you’ll need to manage in your own office. It has no bearing on which email provider you choose.

3) Business Associate Agreement

Microsoft has put together a fantastic page that describes how they comply with HIPAA.

The Microsoft site clearly says that Microsoft 365 is within the scope of their HIPAA / HITECH Business Associate Agreement (BAA).

There’s even a handy link where Microsoft 365 customers can request a copy of the agreement.

So is Microsoft 365 HIPAA Compliant?

Yes, Microsoft 365 can be used as part of a HIPAA-compliant organization!

However, it's not HIPAA compliant out of the box; you'll need to set it up the right way. Learn more here.

You also need to consider how you plan to handle PHI. If you want to send PHI via email, you’ll need a secure email service, or you need to get written consent from your patients.

Are there alternatives?

1) Google Workspace

Microsoft’s competitor, Google, also signs HIPAA Business Associate Agreements for its paid Google Workspace product. We’ve experimented with their service and find it comparable to Microsoft in many respects.

2) Other Secure Email Providers

Lots of lesser-known companies offer email services that they claim are HIPAA compliant. A simple Google search for “hipaa email provider” will pull up lots of ads. A note of caution here: using an email provider that claims to be “HIPAA compliant” does not suddenly make YOU HIPAA compliant. HIPAA compliance comes from holistic protection of sensitive data, not just secure email.

What About Mobile?

It's super easy to use Microsoft 365 with your phone or tablet. Support for Microsoft 365 is built into most of those devices for the convenience of users.

However, this convenience can lead to a breach if your devices aren't properly managed. Be careful about giving employees access to email via mobile, especially if it may contain PHI/PII.

Protecting the patient’s personal information is very important in this technological age. Breaches of HIPAA rules can result in severe penalties for health care providers.

Still feeling a bit overwhelmed?

Get some free help! Check out our free guide to making Microsoft 365 HIPAA compliant.