Office 365 HIPAA Compliance: 6 Best Features and How They Work


Office 365 HIPAA compliance is crucial for the healthcare industry as more and more entities look to secure their patients' sensitive information. The good news is that corporate giants like Microsoft are investing heavily in both robust security settings and HIPAA compliance for many of their most popular products.

Office 365 has become the go-to name for the healthcare industry, and Microsoft is leaving no stone unturned as far as medical practices, HIPAA, and IT security are concerned.

So let's look at the top six features that make Office 365 HIPAA compliance great.

Office 365 HIPAA compliance: business associate agreement

Microsoft will execute a HIPAA Business Associate Agreement (BAA) that covers Microsoft 365 and Office 365. It is handled automatically when you accept their end-user license terms. You can read their FAQ by downloading the PDF and going through the details.

Anyone who handles your protected health information (PHI) is a HIPAA "Business Associate." These Business Associates must sign an agreement promising to protect your patient data.

Microsoft 365 handles sensitive emails, calendars, and documents, so Microsoft is definitely a Business Associate under HIPAA.

Office 365 HIPAA compliance: two-factor authentication

Two-factor authentication is becoming much more common because of the extra assurance it gives that a login is genuine. You've probably seen it on other sites like online banking. You log in with your password, but then you need to enter a code from your phone or email to prove that it's actually you.

We're HUGE fans of the way Microsoft does two-factor authentication for a HIPAA-compliant Office 365 tenant. Their smartphone app is well designed. You can approve your login right from your smartphone notification screen, like this:

[Screenshot: Two-factor authentication on laptop and phone for Office 365 HIPAA compliance security]

This is way easier than entering a code or waiting for a text message to arrive. You still have the choice to do either of those, but the app is fast and easy. And we've always found that the best security is the kind that doesn't slow you down.

In fact, we often help our customers set up two-factor authentication as we take them through the Office 365 HIPAA compliance process.

Data Loss Prevention

Microsoft has invested a lot in this area, and it shows. Data loss prevention (DLP) stops your staff from accidentally emailing or sharing PHI. Let's take a look at how DLP works in a HIPAA-compliant Microsoft 365 setup:

  • First, set up a policy. Choose from the premade templates covering your industry.

[Screenshot: Creating a HIPAA data loss prevention policy in Office 365 for medical and health compliance]

  • Look at all the Microsoft 365 services the policy covers. It's best to leave them all turned on unless you have a reason not to.

[Screenshot: Configuring Office 365 HIPAA compliance by choosing DLP locations for Exchange, SharePoint, and OneDrive]

  • Next, customize the types of sensitive data you want to protect.

[Screenshot: Office 365 HIPAA compliance settings to protect sensitive data like Social Security and DEA numbers]

  • Finally, tell it what to do. In this example, it warns the user. If the user sends more than 5 pieces of sensitive information, they'll get blocked.

[Screenshot: Office 365 HIPAA compliance DLP policy settings to detect and block sensitive data sharing]

Pretty slick, huh?
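The same four steps can be scripted instead of clicked through. This is an added example written for this post, not Microsoft's or Adelia Risk's code; it uses Security & Compliance PowerShell (the ExchangeOnlineManagement module) and assumes the policy name, the two built-in sensitive information types, the policy tip text and the report settings are your choices.

```powershell
# Added example: build the DLP policy the screenshots walk through.
# Requires the ExchangeOnlineManagement module and a Compliance admin sign-in.
Connect-IPPSSession

$policyName = "HIPAA PHI protection"   # name is our choice, not a Microsoft default

# Step 1 + 2: one policy, all three locations left on (Exchange, SharePoint, OneDrive).
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Detects PHI identifiers leaving the tenant" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode Enable

# Step 3 + 4a: low volume (1-5 matches of SSN or DEA number) -> warn with a policy tip.
# Built-in sensitive information type names are Microsoft's; multiple entries mean "any of".
New-DlpComplianceRule -Name "PHI low volume - warn" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)";      minCount = "1"; maxCount = "5" },
        @{ Name = "Drug Enforcement Agency (DEA) Number";   minCount = "1"; maxCount = "5" }
    ) `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This item appears to contain PHI. Confirm the recipient is authorized."

# Step 4b: more than 5 matches -> block the send/share and file an incident report.
New-DlpComplianceRule -Name "PHI high volume - block" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)";      minCount = "6" },
        @{ Name = "Drug Enforcement Agency (DEA) Number";   minCount = "6" }
    ) `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, Recipients, Detections, Severity

# Verify both rules landed under the policy with the intended actions.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, BlockAccess, NotifyUser
```

Start with `-Mode TestWithNotifications` on the policy if you want to see matches in DLP reports for a week before anything is blocked.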

Office 365 HIPAA compliance is completely transparent

Like other cloud providers, Microsoft has layers and layers of inside and outside auditors measuring its compliance and IT security measures. You can take a detailed look at their compliance standards by downloading the PDF.

Microsoft has done an amazing job giving customers visibility into the results of these audits to prove that Microsoft 365 is HIPAA-compliant.

Here is a step-by-step guide to setting this up in your console.

In the admin console, you enter your location and industry:

[Screenshot: Office 365 security and compliance settings for HIPAA healthcare industry]

Microsoft automatically shows you compliance reports relevant to your location and industry.

We can’t show you the details because they’re covered under NDA, but these two will give you an idea.

  • Status of audited controls. See exactly which IT security controls were audited, and whether they passed or failed:

[Screenshot: Office 365 security and compliance audited controls for HIPAA]

  • Compliance reports. Similarly, you can see the actual compliance reports for each service and each audit:

[Screenshot: Office 365 service compliance reports for HIPAA and regulatory standards]

This is excellent functionality for your auditors.

Configurable alerts

This is a new and impressive feature of the Office 365 platform. Microsoft built a rules engine that lets you trigger alerts on certain conditions.

Here's an example: let's say you have employees who aren't supposed to delete any files. You can set up an alert so that you'll get notified any time someone deletes a file, and it's as simple as this:

[Screenshot: Office 365 HIPAA compliance custom alert policy for file deletion monitoring]

There are hundreds of activities available to alert on.
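The file-deletion alert above, recreated in Security & Compliance PowerShell, plus a threshold variant that only fires on bulk deletions. This is an added example, not code from the post or from Microsoft; it assumes the audit-log operation name `FileDeleted` corresponds to the "deleted file" activity in the screenshot, and the notification mailbox is a placeholder.

```powershell
# Added example: alert policies via New-ProtectionAlert (ExchangeOnlineManagement module).
Connect-IPPSSession

$notify = "security@example.com"   # placeholder mailbox for alert notifications

# 1. Exactly what the post describes: notify on every single file deletion.
#    "FileDeleted" is assumed to be the matching audit-log operation name.
New-ProtectionAlert -Name "HIPAA - file deleted" `
    -Category DataGovernance `
    -ThreatType Activity -Operation FileDeleted `
    -AggregationType None `
    -Severity Medium `
    -NotifyUser $notify `
    -Description "Any file deletion in SharePoint or OneDrive; review against retention expectations."

# 2. A quieter variant for larger tenants: only alert when one user deletes
#    50 or more files within 60 minutes, the pattern of accidental bulk deletion
#    or of a compromised account clearing out a library.
New-ProtectionAlert -Name "HIPAA - bulk file deletion" `
    -Category DataGovernance `
    -ThreatType Activity -Operation FileDeleted `
    -AggregationType SimpleAggregation -Threshold 50 -TimeWindow 60 `
    -Severity High `
    -NotifyUser $notify `
    -Description "50 or more deletions by a single user inside one hour."

# Confirm both policies exist with the expected aggregation settings.
Get-ProtectionAlert | Where-Object Name -like "HIPAA - *" |
    Select-Object Name, Severity, AggregationType, Threshold
```

Alerts surface in the Alerts page of the compliance portal as well as by email, so the notification mailbox should be one your incident process actually watches.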

Prevent accidental breaches

Office 365 has two cloud services for file sharing:

  • SharePoint (for team file sharing)
  • OneDrive (for personal file backup and sharing)

It can be TOO easy to accidentally share files with the public, and that would be a HIPAA breach.

Microsoft has made it simple to disable external sharing, preventing anyone from making this mistake.

[Screenshot: Office 365 HIPAA compliance external sharing settings for SharePoint and OneDrive]
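The sharing setting in the screenshot, applied from the SharePoint Online Management Shell, with an audit step first so you know which sites (OneDrive personal sites included) still allow external access before you turn it off. This is an added example, not the post's or Microsoft's code; the admin URL is a placeholder tenant.

```powershell
# Added example: audit, then disable, external sharing tenant-wide.
# Requires the Microsoft.Online.SharePoint.PowerShell module and a SharePoint admin.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# The tenant setting is the ceiling every SharePoint site and OneDrive inherits.
# Values, most to least permissive:
#   ExternalUserAndGuestSharing      (anonymous "Anyone" links allowed)
#   ExternalUserSharingOnly          (authenticated guests only)
#   ExistingExternalUserSharingOnly  (guests already in the directory)
#   Disabled                         (no sharing outside the organization)
$tenant = Get-SPOTenant
"Current tenant sharing capability: $($tenant.SharingCapability)"

# List every site, including personal OneDrive sites, whose own setting is not
# already Disabled, so the change is understood before it is made.
$stillOpen = Get-SPOSite -IncludePersonalSite $true -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability
"Sites that currently permit external sharing: $($stillOpen.Count)"
$stillOpen | Format-Table -AutoSize

# Lock it down. Individual sites cannot be more permissive than the tenant,
# so this single setting is the one that prevents the accidental public share.
Set-SPOTenant -SharingCapability Disabled

# Verify the effective setting.
"Tenant sharing capability is now: $((Get-SPOTenant).SharingCapability)"
```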

Office 365 HIPAA compliance can be a little complicated. However, that is not something you should worry about. Experts like Adelia Risk have been implementing Office 365 HIPAA compliance for our clients for nearly a decade now. So if you could use a helping hand, you can always reach out to us.


Get some free help! Check out our free guide, 17 Tips to Make Microsoft 365 HIPAA-Compliant. You can also reach out to our Twitter account for more details on Office 365 compliance.
