One of the most common questions we get from people in the medical industry is "Is Outlook HIPAA compliant?"
The answer is yes: Outlook is HIPAA compliant when set up correctly. In this article, we'll tell you how to make Outlook HIPAA compliant.
We recently took an in-depth look at Microsoft365 to answer the question "Is Microsoft365 HIPAA compliant?" If you've read any of our other articles on HIPAA compliance, then you know what I'm going to say.
Microsoft365 has the ability to be HIPAA compliant when set up correctly. Therefore, it's no surprise that the same is true for Outlook, since it's a part of Microsoft365. But what exactly does that mean for Outlook as a part of Microsoft 365?
Before we dive right into Outlook HIPAA compliance, let's take a look at how Microsoft Office handles HIPAA compliance.
Microsoft has a lot of overlapping product names, so this might get a little confusing.
But we’ll try to make it clear.
“Microsoft365” refers to the cloud-hosted subscription service that Microsoft sells. Microsoft365 can be made HIPAA compliant.
“Microsoft Office” is the software tool that people typically run on their computers. This includes tools like Microsoft Word and Microsoft Excel, and it also includes Microsoft Outlook (the subject of this article).
Here’s the confusing part – some “Microsoft365” subscriptions also include “Microsoft Office.” Some do not. If you’re not sure whether you have Microsoft Office or not, check with your IT supplier.
Microsoft has taken an aggressive stance towards HIPAA compliance. They include HIPAA right in the standard license agreement that they sign with every company for Microsoft365.
However, Microsoft doesn’t explicitly say that “Microsoft Office” (the programs that you download) is compliant with HIPAA.
When you use Microsoft Office, you're creating files, and those files could contain PHI. If you store those files on your computer and your computer isn't HIPAA compliant, then it's your responsibility to fix that. Similarly, if you store those files on a company server and that server isn't HIPAA compliant, that's on you.
Microsoft Office, itself, doesn’t play a role in HIPAA compliance. It’s only when you store those files up in Microsoft365 that Microsoft’s HIPAA compliance helps to protect you.
Though, again, only if you set them up the right way.
Next, let’s take a look at Outlook. This is also a confusing area, as Microsoft has three products with similar names.
Remember the old Hotmail.com? Microsoft has replaced this with the new, fancier Outlook.com.
This is a place where people can sign up for a free email account from Microsoft, and use it to check their email.
Here's the bad news: there is no way to make a free Outlook.com email account HIPAA compliant. Outlook.com is not equipped to securely handle PHI (protected health information), and Microsoft does not sign Business Associate Agreements for users of Outlook.com (more below).
If you’re a Microsoft 365 customer, then you also have a web-based version of Outlook that you can use to check your mail. You access it through your internet browser.
Since this email is in your browser, and since you’re using a paid version of Microsoft365, this is definitely HIPAA compliant (again, assuming you’ve set up Microsoft365 properly).
You can definitely use the Outlook program that's installed on your computer in a way that's HIPAA compliant. You can make Outlook HIPAA compliant by ensuring two things: that your email service is HIPAA compliant, and that your computer is HIPAA compliant.
If your email service and your computer are HIPAA compliant, then your use of the Microsoft Outlook program on your computer should also be HIPAA compliant.
You can make Outlook HIPAA compliant by following the steps below.
First, make your computer HIPAA compliant. At Adeliarisk, we often help organizations make their systems HIPAA compliant, so feel free to contact us and we will be glad to help.
Next, make sure the connection between your computer and Microsoft 365 is encrypted. If you’re a new Microsoft 365 customer, this will be turned on by default. If you’ve been using Microsoft 365 for a while, you’ll want to check with your IT provider.
The final step to make Outlook HIPAA compliant is to make sure you’ve configured Microsoft 365 to be HIPAA compliant. It is not in compliance when you first turn it on. We help our clients with this as part of our services, though another helpful resource is the CIS Microsoft Office Best Practices.
One important piece of setting up Microsoft 365 is to make sure you’re using two-step verification (2FA). You can turn 2FA on by following these steps. Be sure to enforce 2FA for all of your employees!
Download Microsoft's 2FA documentation for making Outlook HIPAA compliant.
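"Enforce 2FA for all of your employees" is only verifiable if you actually check who has registered a second factor. The following PowerShell script is an added example, not code from the article or from Microsoft; it uses the Microsoft Graph PowerShell SDK to report whether Security Defaults is enabled and which users (admins first) still have no MFA method registered. It assumes the Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns modules are installed, that the account you sign in with can consent to the two read-only scopes, and that the tenant is licensed for the authentication methods registration report (an Entra ID premium plan, to our understanding). The output file name mfa-gaps.csv is our own choice.

```powershell
# Added example (not from the article): report on 2FA/MFA coverage in a
# Microsoft 365 tenant with the Microsoft Graph PowerShell SDK.
# Assumes: Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns are
# installed, and the signed-in account can consent to the read-only scopes.

# Read-only scopes: the registration report needs AuditLog.Read.All and the
# Security Defaults policy needs Policy.Read.All. Nothing here changes settings.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Policy.Read.All" -NoWelcome

# Security Defaults is the simplest tenant-wide switch that requires every
# user to register for MFA; Conditional Access policies are the other route.
$securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host ("Security Defaults enabled: {0}" -f $securityDefaults.IsEnabled)

# Registration details for every user: who actually has an MFA method on file.
$details = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)

$notRegistered = @($details | Where-Object { -not $_.IsMfaRegistered })
$admins        = @($notRegistered | Where-Object { $_.IsAdmin })

Write-Host ("Users: {0}; without MFA registered: {1}; of which admins: {2}" -f
    $details.Count, $notRegistered.Count, $admins.Count)

# Admin accounts without MFA are the highest-risk gap, so list them first.
$admins | Select-Object UserPrincipalName, IsAdmin, IsMfaCapable | Format-Table -AutoSize

# Export the full gap list (constructed file name) for follow-up with each employee.
$notRegistered |
    Select-Object UserPrincipalName, UserType, IsAdmin, IsMfaCapable,
        @{ Name = 'MethodsRegistered'; Expression = { $_.MethodsRegistered -join ';' } } |
    Export-Csv -Path ".\mfa-gaps.csv" -NoTypeInformation

Disconnect-MgGraph | Out-Null
```

Run it from an admin workstation and re-run it after onboarding; a user who appears in mfa-gaps.csv can still sign in with a password alone until they register, so the CSV is the list to chase, and an admin on that list should be dealt with the same day.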
Once you've properly configured Office, you can use it to send PHI within your own company. Check out our article on 7 Tips for HIPAA Compliant Email for more on best practices about using PHI in email.
If you want to email anyone outside your company, you’re going to want to get set up with a secure email. You can use Microsoft’s built-in tools for this, though some of our clients think they’re clunky. There are other options – read more in our complete guide to HIPAA compliant email.
Lastly, make sure you use some of Microsoft’s data loss prevention tools. They’re a good way to make sure that people aren’t accidentally sending or sharing PHI that’s not properly encrypted.
Microsoft doesn’t explicitly say whether or not Outlook Mobile (a version of Outlook that you can run on iOS or Android) is compliant with HIPAA or not.
This isn’t surprising, since they don’t explicitly list any Microsoft Office products as being HIPAA compliant. As we mentioned at the start of the article, that’s likely because the use of these products under HIPAA has less to do with the software itself, and more to do with how your company is storing PHI using the software.
Until we learn otherwise, we believe that Outlook Mobile is safe to use for PHI.
Microsoft recently announced that Outlook Mobile is safe enough to use for the Pentagon. If we can trust it with military secrets, then we can probably trust it with PHI.
Make sure to take advantage of the built-in features for mobile device management inside of Microsoft 365 so you can wipe your PHI from a lost or stolen phone or tablet. This is an important step in HIPAA compliance.
What if Microsoft Office or Outlook just isn't doing it for you? What if making Outlook HIPAA compliant simply isn't feasible for you?
While Microsoft 365 provides a LOT more functionality than just email and comes with a full line of functional business applications like OneDrive, Sharepoint, Teams, and others, you may want to know what your alternatives are.
Your main HIPAA compliant alternative to Outlook is Google Workspace.
Also known as the paid version of Gmail, Google Workspace is a strong competitor for Outlook. Google Workspace's creator, Google, also signs HIPAA Business Associate Agreements for their paid Google Workspace product. You can check out our findings on Gmail and Google Workspace in our comprehensive article.
You can also do a quick search for “HIPAA compliant email” and find a vast amount of lesser-known companies and products that claim to be HIPAA compliant. Always be sure to read the fine print on any product that you consider. Many of them only give you simple, old-fashioned email, while Google and Microsoft give you full-featured productivity suites that include email, calendars, and more.
Be careful, though -- a lot of companies that advertise “HIPAA compliant email” have clauses buried in their contracts that put HIPAA obligations on you that you might not notice. And remember: HIPAA is way more than just “secure email.” True HIPAA compliance comes from the all-around protection of sensitive data.
Pro Tip: Just say NO to any company that won't sign a business associate agreement.
So is Outlook HIPAA compliant? If you're using a paid version of Microsoft365 and you've set up your account correctly then yes! Experts at Adeliarisk can help you make Outlook HIPAA Compliant without sacrificing security or compromising compliance.
Whoever wrote this article clearly has no idea about what they're talking about.
"Email that is in a browser is HIPAA Compliant". No it is not, just like all the email that is stored in the temp folder directly is not compliant. A browser doesn't make anything secure. And NO Microsoft does not automatically provide a BAA with (every company) that uses their service. A BAA has to be signed by both parties and spell out the agreements between them to secure the data at rest, in transit and in use.
This article is worthless and not even fit as toilet paper.
Hi - thanks for the feedback. We'd like to disagree with both of the points you raise.
Connections between a local computer and a properly configured Microsoft365 tenant are going to be encrypted over HTTPS. While you're right that "a browser doesn't make anything secure," it's the connection through the browser that, in this case, is secure. We believe that this is suitable for HIPAA compliance, as it addresses the encryption of data in transit. And it's our understanding that these emails aren't "stored in the temp folder" on a local computer, but we certainly advise clients to make sure any device they're using to access Microsoft365 is also properly secured. This is outside of the scope of this article, so we deliberately didn't go into that detail.
Regarding the HIPAA BAA, we're afraid you're misinformed. Microsoft's official page on HIPAA compliance (https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-hipaa-hitech?view=o365-worldwide) links to a template HIPAA BAA that specifically says "If Customer is a Covered Entity or a Business Associate and includes Protected Health Information in Customer Data or FastTrack Data, execution of a license agreement that includes the Online Services Terms (“Agreement”) will incorporate the terms of this HIPAA Business Associate Agreement (“BAA”) into that Agreement." For Microsoft365 customers, simply accepting the standard EULA is enough to legally enter into the BAA, which anyone can download from the link provided above. So, in fact, Microsoft does provide a HIPAA BAA that is an extension of the license agreement.