The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Is Microsoft Forms HIPAA Compliant?

Microsoft Forms is HIPAA compliant inasmuch as the app is an in-scope service included in Office 365 and Microsoft 365 subscriptions that support HIPAA compliance. However, due to a reported issue with the form footer, Microsoft Forms is not an effective option for collecting Protected Health Information.

Microsoft Forms is an app included with most Office 365 and Microsoft 365 subscriptions which can be used by organizations to create online surveys, quizzes, and polls. Links to surveys, quizzes, and polls can be distributed by URL, QR code, or via a contact link in the Outlook and Teams portals to selected individuals, everyone in the organization, or to “anyone”.

Respondents can complete the surveys, quizzes, and polls via a web browser without having to download the app, and organizations can see real-time responses as they are submitted. The responses can then be analyzed and evaluated in the Forms app, or exported to Excel for more granular analyses. The results can also be exported and saved in OneDrive for easier distribution.

Is Microsoft Forms HIPAA Compliant?

When included in an Office 365 or Microsoft 365 subscription that supports HIPAA compliance, Microsoft Forms is an “in-scope service” covered by the Microsoft Business Associate Agreement. In this respect, Microsoft Forms is HIPAA compliant and can be used by healthcare organizations to collect responses from patients that include Protected Health Information.

However, a contributor to the Microsoft Community Forum has reported that Microsoft Forms adds a statement to each form footer which reads “The owner of this form has not provided a privacy statement as to how they will use your response data. Do not provide personal or sensitive information.” The contributor notes it is not possible to modify the footer or link to a privacy statement.

While the statement in the footer does not affect the use of Microsoft Forms as a HIPAA compliant tool for collecting survey responses and answers to quizzes and polls that contain Protected Health Information, it will likely dissuade patients from completing and submitting any type of form – rendering the app ineffective at collecting potentially valuable data from patients.

Options for Overcoming the Footer Issue

There are three options for overcoming the footer issue. The first is to distribute surveys, quizzes, and polls with questions worded in such a way that respondents do not have to provide personal or sensitive information in order to participate. It is not ideal, but if an organization is already subscribed to an Office 365 or Microsoft 365 plan, it is the most cost-effective option.

One of the more expensive options is to subscribe or upgrade to a Microsoft Dynamics 365 plan. This plan includes the Microsoft Forms Pro service which permits users to edit the footers of surveys, quizzes, and polls. Upgrading from an existing plan is likely to be disruptive due to having to configure or disable various Dynamics 365 services, but it makes Microsoft Forms HIPAA compliant and usable.

The final option is to subscribe to a third party’s HIPAA compliant forms service that integrates with in-scope Microsoft services. Although this is not an ideal solution, it may be an acceptable compromise between using a HIPAA compliant Microsoft Forms service which may be ineffective at collecting potentially valuable data, and upgrading to a far more complex and expensive Microsoft Dynamics 365 plan.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
