Health care providers must follow the Health Insurance Portability and Accountability Act (HIPAA).  Is Microsoft 365 HIPAA compliant, though? This act protects your patient healthcare data (PHI).

As more clinicians are electronically transmitting patient records and other personal information to specialists and medical facilities, it is imperative that we ensure that information is secure because of which more and more businesses are looking to become Microsoft 365 HIPAA Compliant.

Isn’t Email Secure? Not at all!

Here’s the problem with email, be it Gmail or Microsoft 365.  Unless you use “secure email,” there’s no way for you to know that the person reading an email you sent is who you intended.

The hard truth is that anyone in IT can read your emails.  Larger companies even have policies that tell employees that they should expect no email privacy.

If you're handling sensitive information, you need to know that email has no guarantee of privacy.

Here’s a great article that describes why email isn’t secure.  It’s light on the technical jargon and is worth the read.

What does HIPAA Say about Email? Why Microsoft 365 HIPAA Compliant is necessary?

I’m summarizing here (#notalawyer), but generally, HIPAA requires three things when it comes to email:

1) Security strong enough for HIPAA

It’s your job to make sure that everyone that touches your patient's PHI complies with HIPAA. For email, most get thereby:

• limiting who can and can’t send an email,
• using secure, encrypted email to send PHI, and
• having a program that scans outbound emails for sensitive data.

2) Patient Consent

The HIPAA Omnibus Final Rule (from March 18, 2013) says your patients ARE allowed to authorize communications via email.  However, you need to make sure your patient understands the risks of email before they sign the authorization.

Most firms have a consent form that clients must fill out before emails can be sent to patients.

3) Business Associate Agreement

This is covered in HIPAA section 164.314(a).  Many healthcare providers use a third party (like Microsoft or their IT company) for email.  HIPAA calls these “Business Associates.” They must sign an agreement that says they'll protect a patient’s confidential information just like you would.

How does Microsoft365 stack up for HIPAA?

In case you don’t know, Microsoft365 is a service used for email by hundreds of millions of people worldwide. Many small businesses use it for email because it’s affordable, convenient, and offers some very nice security features.  You also get full versions of the major Microsoft programs (like Outlook, Excel, and Word) with their subscription. Being Microsoft 365 HIPAA Compliant ensures better access to your users data.

Let’s see how HIPAA Compliant Microsoft365 does against our three criteria:

1) Security Strong Enough for HIPAA

Microsoft365 has some of the best security available in a hosted web service.  They have a terrific two-factor authentication app to make sure your email accounts aren’t hacked.  They have great logging in place, and security features you won’t find anywhere else.  They also lead the way in supporting secure email and encryption.

2) Patient Consent

This is something that you’ll need to manage in your own office.  It doesn’t have any bearing on which email provider you choose. Being Microsoft 365 HIPAA Compliant ensures that the patient's data is always protected.

3) Business Associate Agreement:

Microsoft has put together a fantastic page that describes how they comply with HIPAA: You can download the guide which talks about where Microsoft 365 is HIPAA Complaint
Download HIPAA FAQ for Business Associate Agreement Info

The Microsoft site clearly says that Microsoft365 is within the scope of their HIPAA / HITECH BAA agreement.

So is Microsoft 365 HIPAA Compliant?

Yes, Microsoft365 can be used as part of a HIPAA-compliant organization!

However, it's not HIPAA compliant out of the box -- you'll need to set it up the right way.  Learn more here.

You also need to consider how you plan to handle PHI. If you want to send PHI via email, then you’ll need a secure email service, or you need to get written consent from your patients.

So incase you haven't made your Microsoft 365 HIPAA Compliant, you should opt for it now.

Are there alternatives?

1) Google Workspace:

Microsoft’s competitor, Google, also signs HIPAA Business Associate Agreements for their paid Google Workspace product.  We’ve experimented with their service and find it comparable to Microsoft in many respects.

2) Other Secure Email Providers:

Lots of lesser known companies offer email services that they claim are HIPAA compliant. A simple Google search for “hipaa email provider” will pull up lots of ads. A note of caution here — using an email provider that claims to be “HIPAA compliant” does not suddenly make YOU HIPAA compliant. HIPAA compliance comes from holistic protection of sensitive data, not just secure email.

What About Mobile?

It's super easy to use Microsoft365 with your phone or tablet.  Microsoft365 is pre-programmed into most of those devices for the convenience of users.

However, this convenience can lead to a breach if your devices aren't properly managed.  Be careful about giving employees access to email via mobile, especially if it may contain PHI/PII.

Protecting the client’s personal information is very important in this technological age. Breaches of HIPAA laws can result in severe penalties for health care providers, hence one should always opt for Microsoft 365 HIPAA Compliant.

Still feeling a bit overwhelmed?

Get some free help!  Check out our free guide to make Microsoft365 HIPAA compliant.

Talk to us!

Have questions or feedback regarding Microsoft 365 HIPAA compliant?  Please share them in the comments below. You can also reach out to our Twitter account for more details on Microsoft 365 HIPAA Compliant.