Share this article on:
Is Microsoft Office 365 HIPAA compliant? Can healthcare organizations use Office 365 and remain in compliance with HIPAA and HITECH Act Rules?
What is Office 365?
Office 365 is a suite of subscription products developed by Microsoft that includes Word, Excel, PowerPoint, OneNote, Outlook, Publisher, and Access.
Office 365 for Healthcare
Microsoft is willing to enter into a business associate agreement (BAA) with HIPAA covered entities for Office 365 and Microsoft Dynamics CRM Online, provided the latter is purchased through Volume Licensing Programs or the Dynamics CRM Online Portal. The Microsoft BAA also covers the use of the Microsoft Azure cloud platform.
Microsoft does not demand that a BAA be obtained prior to use of Office 365, as the BAA is automatically made available to customers with an online service contract. However, HIPAA covered entities should obtain a BAA prior to use of Office 365 in conjunction with any electronic protected health information (ePHI). They should also specify an administrative contact. In the event of a security breach, the administrative contact will be notified of a breach by Microsoft.
While there are companies that offer HIPAA certification to confirm that a company or product complies with HIPAA Rules, there is no official certification recognized by the HHS’ Office for Civil Rights or other federal agencies. However, Microsoft has undergone independent audits under ISO 27001 which incorporate assessments of security practices recommended by the HHS. Office 365 has been verified as having all necessary privacy and security controls to comply with HIPAA Rules.
Office 365 Security
All data uploaded to or stored on Microsoft servers is protected by encryption and any data transferred outside of Microsoft facilities is similarly encrypted. However, packet headers and message headers are not encrypted.
Provided ePHI is not entered into the subject line of emails, the names of files attached to emails, or is used in the to and from fields of emails, email can be used securely.
Microsoft Office 365 meets HIPAA auditing requirements and logs of access to stored data are maintained. Reports on access logs can be obtained from Microsoft on request.
Microsoft offers 2-factor authentication to prevent Office 365 and Outlook email accounts from being accessed if a password is compromised and an unfamiliar device attempts to log into an account.
Is Microsoft Office 365 HIPAA Compliant?
So, is Microsoft Office 365 HIPAA compliant? Provided a HIPAA-covered entity has entered into a business associate agreement with Microsoft, Office 365 can be used in a manner compliant with HIPAA Rules.
While all appropriate privacy and security controls have been implemented by Microsoft to ensure that Office 365 can be used by HIPAA-covered entities while remaining compliant with HIPAA and the HITECH Act, use of Office 365 does not guarantee compliance, even if a BAA has been obtained from Microsoft.
It is the responsibility of covered entities to ensure access controls are configured correctly, administrator access tracking is turned on, Microsoft Dynamics CRM Online for supported devices is turned off, access control reports are obtained and checked regularly, and all users are trained how to use Office 365 in a manner compliant with HIPAA Rules.