Health care providers must follow the Health Insurance Portability and Accountability Act (HIPAA). Is Office 365 HIPAA compliant, though? This act protects your patient healthcare data (PHI). As more clinicians are electronically transmitting patient records and other personal information to specialists and medical facilities, it is imperative that we ensure that information is secure.
Isn’t Email Secure? Not at all!
Here’s the problem with email be it Gmail or Office 365. Unless you use “secure email,” there’s no way for you to know that the person reading an email you sent is who you intended.
The hard truth is that anyone in IT can read your emails. Larger companies even have policies that tell employees that they should expect no email privacy.
If you’re handling sensitive information, you need to know that email has no guarantee of privacy.
Here’s a great article that describes why email isn’t secure. It’s light on the technical jargon, and is worth the read.
What does HIPAA Say about Email?
I’m summarizing here (#notalawyer), but generally, HIPAA requires three things when it comes to email:
1) Security strong enough for HIPAA
It’s your job to make sure that everyone that touches your patient PHI complies with HIPAA. For email, most get there by:
- limiting who can and can’t send email,
- using secure, encrypted email to send PHI, and
- having a program that scans outbound emails for sensitive data.
2) Patient Consent
The HIPAA Omnibus Final Rule (from March 18, 2013) says your patients ARE allowed to authorize communications via email. However, you need to make sure your patient understands the risks of email before they sign the authorization.
Most firms have a consent form that clients must fill out before emails can be sent to patients.
3) Business Associate Agreement
This is covered in HIPAA section 164.314(a). Many healthcare providers use a third party (like Microsoft or their IT company) for email. HIPAA calls these “Business Associates.” They must sign an agreement that says they’ll protect a patient’s confidential information just like you would.
How does Office 365 stack up?
In case you don’t know, Office 365 is a service used for email by hundreds of millions of people worldwide. Many small businesses use it for email because it’s affordable, convenient, and offers some very nice security features. You also get full versions of the major Microsoft programs (like Outlook, Excel, and Word) with their subscription.
Let’s see how Office365 does against our three criteria:
1) Security Strong Enough for HIPAA
Microsoft Office 365 has some of the best security available in a hosted web service. They have a terrific two-factor authentication app to make sure your email accounts aren’t hacked. They have great logging in place, and security features you won’t find anywhere else. They also lead the way in supporting secure email and encryption.
2) Patient Consent
This is something that you’ll need to manage in your own office. It doesn’t have any bearing on which email provider you choose.
3) Business Associate Agreement:
Microsoft has put together a fantastic page that describes how they comply with HIPAA: https://www.microsoft.com/en-us/TrustCenter/Compliance/HIPAA
The Microsoft site clearly says that Office 365 is within the scope of their HIPAA / HITECH BAA agreement.
There’s even a handy link where Office 365 customers can request a copy of the agreement:
So is Office 365 HIPAA Compliant?
Yes, Office 365 can be used as part of a HIPAA-compliant organization!
You also need to consider how you plan to handle PHI. If you want to send PHI via email, then you’ll need a secure email service, or you need to get written consent from your patients.
Are there alternatives?
1) G Suite:
Microsoft’s competitor, Google, also signs HIPAA Business Associate Agreements for their paid G Suite product. We’ve experimented with their service and find it comparable to Google in many respects.
2) Other Secure Email Providers:
Lots of lesser known companies offer email services that they claim are HIPAA compliant. A simple Google search for “hipaa email provider” will pull up lots of ads. A note of caution here — using an email provider that claims to be “HIPAA compliant” does not suddenly make YOU HIPAA compliant. HIPAA compliance comes from holistic protection of sensitive data, not just secure email.
What About Mobile?
It’s super easy to use Office365 with your phone or tablet. Office365 is pre-programmed into most of those devices for the convenience of users.
However, this convenience can lead to a breach if your devices aren’t properly managed. Be careful about giving employees access to email via mobile, especially if it may contain PHI/PII.
Protecting the client’s personal information is very important in this technological age. Breaches of HIPAA laws can result in severe penalties for health care providers.
Still feeling a bit overwhelmed?
Get some free help! Check out our free 42-Point Checklist for ways to make your practice HIPAA compliant.
Talk to us!
Have questions or feedback? Please share them in the comments below.
Like this article? Share it!