Is Office 365 HIPAA Compliant?

Is Microsoft Office 365 HIPAA compliant? Can healthcare organizations use Office 365 and remain in compliance with HIPAA and HITECH Act Rules?

What is Office 365?

Office 365 is a suite of subscription products developed by Microsoft that includes Word, Excel, PowerPoint, OneNote, Outlook, Publisher, and Access.

Office 365 for Healthcare

Microsoft is willing to enter into a business associate agreement (BAA) with HIPAA covered entities for Office 365 and Microsoft Dynamics CRM Online, provided the latter is purchased through Volume Licensing Programs or the Dynamics CRM Online Portal. The Microsoft BAA also covers the use of the Microsoft Azure cloud platform.

Microsoft does not require that a BAA be obtained prior to use of Office 365, as the BAA is automatically made available to customers with an online service contract. However, HIPAA covered entities should obtain a BAA prior to using Office 365 in conjunction with any electronic protected health information (ePHI). They should also specify an administrative contact, whom Microsoft will notify in the event of a security breach.

While there are companies that offer HIPAA certification to confirm that a company or product complies with HIPAA Rules, there is no official certification recognized by the HHS’ Office for Civil Rights or other federal agencies. However, Microsoft has undergone independent audits under ISO 27001 which incorporate assessments of security practices recommended by the HHS. Office 365 has been verified as having all necessary privacy and security controls to comply with HIPAA Rules.

Office 365 Security

All data uploaded to or stored on Microsoft servers is protected by encryption, and any data transferred outside of Microsoft facilities is similarly encrypted. However, packet headers and message headers are not encrypted.

Provided ePHI is not entered in the subject line of an email, in the names of attached files, or in the To and From fields, email can be used securely.

Microsoft Office 365 meets HIPAA auditing requirements and logs of access to stored data are maintained. Reports on access logs can be obtained from Microsoft on request.

Microsoft offers 2-factor authentication to prevent Office 365 and Outlook email accounts from being accessed if a password is compromised and an unfamiliar device attempts to log into an account.

Is Microsoft Office 365 HIPAA Compliant?

So, is Microsoft Office 365 HIPAA compliant? Provided a HIPAA-covered entity has entered into a business associate agreement with Microsoft, Office 365 can be used in a manner compliant with HIPAA Rules.

While all appropriate privacy and security controls have been implemented by Microsoft to ensure that Office 365 can be used by HIPAA-covered entities while remaining compliant with HIPAA and the HITECH Act, use of Office 365 does not guarantee compliance, even if a BAA has been obtained from Microsoft.

It is the responsibility of covered entities to ensure access controls are configured correctly, administrator access tracking is turned on, Microsoft Dynamics CRM Online for supported devices is turned off, access control reports are obtained and checked regularly, and all users are trained how to use Office 365 in a manner compliant with HIPAA Rules.

Does Office 365 include anti-phishing protections?

Microsoft offers two plans that provide phishing protection: Microsoft Defender for Office 365 Plan 1 and Plan 2. Plan 1 provides basic phishing protection, while Plan 2 provides more advanced protection and includes automation, investigation, remediation, and education. Plan 1 is provided with the Microsoft 365 Business Premium license, and Plan 2 is included in Office 365 E5, Office 365 A5, Microsoft 365 E5 Security, and Microsoft 365 E5.

Are Microsoft’s anti-phishing packages for Microsoft 365 sufficient?

Microsoft has improved its email security packages, and both options perform reasonably well at blocking phishing emails and malware; however, since healthcare organizations are actively targeted by threat actors, it is advisable to either choose the advanced email security plan or purchase a third-party anti-phishing solution.

Are third-party email security solutions necessary?

Many healthcare organizations choose a third-party email security solution for Office 365. Office 365 includes basic phishing and malware protection. Security can be augmented by purchasing an Office 365 anti-phishing solution from a cybersecurity company. Many cybersecurity firms provide advanced phishing and spam solutions that can be seamlessly applied to Microsoft 365.

Do third-party email security solutions replace Microsoft security?

When you choose a third-party email security solution for Microsoft 365, it is layered on top of Microsoft’s anti-spam and anti-phishing protections. You benefit from Microsoft’s basic email security package and your chosen email security solution will provide an additional layer of protection against spam, phishing, and malware.

What should I look for in an email security solution?

You should look for a solution that has a spam catch rate of more than 99.9%, antivirus controls including sandboxing to identify previously unseen malware, and protection against malicious hyperlinks in emails, including time-of-click protection. Check independent reviews to look beyond the sales pitch and find out how real users rate the solution.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.