One of the most common questions we get from people in the medical industry is "Is Outlook HIPAA compliant?"
The answer? Yes — Outlook is HIPAA compliant when set up correctly. In this article, we'll tell you how to ensure your use of Microsoft Outlook is HIPAA compliant.
We recently took an in-depth look at Microsoft365 in order to answer the question "Is Microsoft365 HIPAA compliant?" If you've read any of our other articles on HIPAA compliance, then you know what I'm going to say.
Microsoft365 has the ability to be HIPAA compliant when set up correctly. Therefore, it's no surprise that the same is true for Outlook, since it’s a part of Microsoft365.
Before we dive right into Outlook HIPAA compliance, let's take a look at how Microsoft Office handles HIPAA compliance.
Microsoft has a lot of overlapping product names, so this might get a little confusing.
But we’ll try to make it clear.
“Microsoft365” refers to the cloud-hosted subscription service that Microsoft sells. Microsoft365 can be made HIPAA compliant.
“Microsoft Office” refers to the software tools that people typically run on their computer. This includes tools like Microsoft Word and Microsoft Excel, and it also includes Microsoft Outlook (the subject of this article).
Here’s the confusing part – some “Microsoft365” subscriptions also include “Microsoft Office.” Some do not. If you’re not sure whether you have Microsoft Office or not, check with your IT supplier.
Microsoft has taken an aggressive stance towards HIPAA compliance. They include HIPAA right in the standard license agreement that they sign with every company for Microsoft365.
However, Microsoft doesn’t explicitly say that “Microsoft Office” (the programs that you download) is compliant with HIPAA.
That’s because when you use Microsoft Office, you’re creating files, and those files could contain PHI. If you store those files on your computer and your computer isn’t HIPAA compliant, then that’s your responsibility to fix. Similarly, if you store those files on a company server and that server isn’t HIPAA compliant, that’s on you.
Microsoft Office, itself, doesn’t play a role in HIPAA compliance. It’s only when you store those files up in Microsoft365 that Microsoft’s HIPAA compliance helps to protect you.
Though, again, only if you set them up the right way.
Next, let’s take a look at Outlook. This is also a confusing area, as Microsoft has three products with similar names.
Remember the old Hotmail.com? Microsoft has replaced this with the new, fancier Outlook.com.
This is a place where people can sign up for a free email account from Microsoft, and use it to check their email.
Here’s the bad news – there is no way to make a free Outlook.com email account HIPAA compliant. Outlook.com is not equipped to securely handle PHI (personal health information), and Microsoft does not sign Business Associate Agreements for users of Outlook.com (more below).
If you’re a Microsoft365 customer, then you also have a web-based version of Outlook that you can use to check your mail. You access it through your internet browser.
Since this email is in your browser, and since you’re using a paid version of Microsoft365, this is definitely HIPAA compliant (again, assuming you’ve set up Microsoft365 properly).
You can definitely use the Outlook program that’s installed on your computer in a way that’s HIPAA compliant. To do so, though, you have to be sure of two things: your email service AND your computer must both be HIPAA compliant.
If they are, then your use of the Microsoft Outlook program on your computer should also be HIPAA compliant. Here’s how to get there:
First, make your computer HIPAA compliant. We help our clients with this as part of our service, if needed.
Next, make sure the connection between your computer and Microsoft365 is encrypted. If you’re a new Microsoft365 customer, this will be turned on by default. If you’ve been using Microsoft365 for a while, you’ll want to check with your IT provider.
Next, make sure you’ve configured Microsoft365 to be HIPAA compliant. It is NOT in compliance when you first turn it on. We help our clients with this as part of our services, though another helpful resource is the CIS Microsoft Office Best Practices.
One important piece of setting up Microsoft365 is to make sure you’re using two-step verification (2FA). You can turn 2FA on by following these steps. Be sure to enforce 2FA for all of your employees!
Once you've properly configured Office, you can use it to send PHI within your own company. Check out our article on 7 Tips for HIPAA Compliant Email for more on best practices about using PHI in email.
If you want to email anyone outside your company, you’re going to want to get set up with secure email. You can use Microsoft’s built-in tools for this, though some of our clients think they’re clunky. There are other options – read more in our complete guide to HIPAA compliant email.
Lastly, make sure you use some of Microsoft’s data loss prevention tools. They’re a good way to make sure that people aren’t accidentally sending or sharing PHI that’s not properly encrypted.
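As an added example (not from this article, and not Microsoft's own guidance), here is an administrator's PowerShell script for two of the steps above: it lists users who still sign in with a password only, so 2FA can be enforced for every employee, and it creates a data loss prevention policy that stops U.S. Social Security Numbers from leaving the organization by email. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that you hold the admin roles needed to read authentication methods and manage DLP; the policy name is constructed for the example.

```powershell
# Added example, not code from the article. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules are installed and you have admin rights
# to read authentication methods and to manage Purview DLP policies.

# --- Part 1: which users have no second factor registered? ---
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All"

$passwordOnly = foreach ($user in Get-MgUser -All -Property Id, UserPrincipalName) {
    $methods = Get-MgUserAuthenticationMethod -UserId $user.Id
    # Every account has a password method; anything else counts as a second factor.
    $secondFactors = $methods | Where-Object {
        $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
    }
    if (-not $secondFactors) { $user.UserPrincipalName }
}
Write-Host "Users with no second factor registered (enforce 2FA for these):"
$passwordOnly | ForEach-Object { Write-Host "  $_" }

# --- Part 2: DLP policy so PHI is not mailed outside the company unprotected ---
Connect-IPPSSession   # Security & Compliance (Purview) PowerShell

$policyName = "PHI - block unprotected outbound email"   # constructed name for the example

# Start in test mode with notifications so you can see what would be blocked
# before switching the policy to Enable.
New-DlpCompliancePolicy -Name $policyName -ExchangeLocation All -Mode TestWithNotifications

# Block messages sent to recipients outside the organization that contain at
# least one U.S. SSN, and show the sender a policy tip explaining why.
New-DlpComplianceRule -Name "$policyName - SSN rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This message appears to contain PHI. Send it through the secure email option instead."

# Once the test results look right, turn enforcement on:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Add further sensitive information types to the rule (or a second rule) for the other identifiers your organization treats as PHI; the SSN type is used here because it is a built-in type whose name is certain.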
Microsoft doesn’t explicitly say whether Outlook Mobile (a version of Outlook that you can run on iOS or Android) is compliant with HIPAA.
This isn’t surprising, since they don’t explicitly list any Microsoft Office products as being HIPAA compliant. As we mentioned at the start of the article, that’s likely because the use of these products under HIPAA has less to do with the software itself, and more to do with how your company is storing PHI using the software.
Until we learn otherwise, we’re of the opinion that Outlook Mobile is safe to use for PHI.
Microsoft recently announced that Outlook Mobile is safe enough to use for the Pentagon. If we can trust it with military secrets, then we can probably trust it with PHI.
Make sure to take advantage of the built-in features for mobile device management inside of Microsoft365 so you can wipe your PHI from a lost or stolen phone or tablet. This is an important step in HIPAA compliance.
What if Microsoft Office or Outlook just isn't doing it for you?
While Microsoft365 provides a LOT more functionality than just email and comes with a full line of functional business applications like OneDrive, SharePoint, Teams, and others, you may want to know what your alternatives are.
Your main HIPAA compliant alternative to Outlook is Google Workspace.
Also known as the paid version of Gmail, Google Workspace is a strong competitor for Outlook. Google Workspace's creator, Google, also signs HIPAA Business Associate Agreements for their paid Google Workspace product. You can check out our findings on Gmail and Google Workspace in our comprehensive article.
You can also do a quick search for “HIPAA compliant email” and find a vast amount of lesser known companies and products that claim to be HIPAA compliant. Always be sure to read the fine print on any product that you consider. Many of them only give you simple, old-fashioned email, while Google and Microsoft give you full-featured productivity suites that include email, calendars, and more.
Be careful, though -- a lot of companies that advertise “HIPAA compliant email” have clauses buried in their contracts that put HIPAA obligations on you that you might not notice. And remember: HIPAA is way more than just “secure email.” True HIPAA compliance comes from all-around protection of sensitive data.
Pro Tip: Just say NO to any company who won't sign a business associate agreement.
So is Outlook HIPAA compliant? If you're using a paid version of Microsoft365 and you've set up your account correctly then yes!
If you'd like expert help, we can help make your Microsoft365 setup HIPAA compliant.