The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Is Microsoft Outlook HIPAA Compliant?

Microsoft Outlook can be used in compliance with HIPAA provided that the organization subscribes to an Office 365 or Microsoft 365 enterprise plan that supports HIPAA compliance, that the service is configured correctly, and that users are trained to handle protected health information in Outlook in accordance with HIPAA.

Software is never HIPAA compliant by default: HIPAA compliance depends less on which technology is used than on how it is used. That said, software and email services can support HIPAA compliance. For an email service to do so, it must provide the security features needed to ensure that information stored in and transmitted through the service is protected from exposure and interception.

The platform provider must also be prepared to sign a Business Associate Agreement with HIPAA-covered entities, and by doing so, agree to comply with the requirements of the HIPAA Privacy, Security, and Breach Notification Rules.

Microsoft has a standard Business Associate Agreement which covers Office 365 and Microsoft 365 subscriptions. Covered entities and business associates automatically enter into Microsoft’s BAA when they sign a service contract that includes an Online Services Data Protection Addendum. However, the BAA does not cover every product in an Office 365 or Microsoft 365 subscription.


So, what about Outlook? Is Microsoft Outlook HIPAA compliant? Can it be used by healthcare organizations to transmit protected health information? That depends on which version of Outlook you use and how you use it.

Outlook.com and Office 365 Outlook

Outlook.com is a free, web-based email platform that may appear similar to the Outlook product available as part of the Office 365 package, but it is not the same product. Outlook.com is a consumer product and has not been developed for businesses and should not be used by healthcare organizations, at least not for sending ePHI.

Microsoft supports HIPAA compliance for its Office 365 and Microsoft 365 enterprise plans and will enter into a business associate agreement with healthcare organizations for those plans. However, to meet all the requirements of HIPAA it is essential to subscribe to the right package. Maintaining audit logs is an important part of HIPAA compliance, and audit logging is not available in all Office 365 and Microsoft 365 plans. HIPAA compliance is only supported for certain enterprise plans, so an organization subscribed to a plan that does not support it will need to purchase add-ons before Microsoft Outlook can be used in compliance with HIPAA.

How to Make Microsoft Office HIPAA Compliant

It is also necessary to configure the service correctly. Microsoft offers enterprise-level encryption, Exchange Online Protection, data loss prevention (DLP), and the ability to remotely wipe data from mobile devices. Provided these services are used and configured correctly, access controls are set up, audit logs are maintained, single sign-on and two-factor authentication are enabled, data backups are performed, and staff receive training on using email to communicate ePHI, Microsoft Outlook can be used in compliance with HIPAA. Obtaining a business associate agreement with Microsoft will not, by itself, ensure compliance with the HIPAA Rules.
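The controls listed above are tenant settings that can be verified rather than assumed. The following PowerShell script is an added example written for this article, not Microsoft's tooling or anything published by HIPAA Journal: it performs a read-only check of an Exchange Online tenant for audit logging, mailbox auditing, Office 365 Message Encryption, an encrypting mail flow rule, an enforced DLP policy, and the default mobile device policy, and prints a remediation command for each gap. It assumes the ExchangeOnlineManagement module (v3 or later) and an account holding the Exchange Administrator and Compliance Administrator roles; the policy and rule names in the remediation hints ("HIPAA-ePHI-Outbound", "Encrypt outbound ePHI") are assumed names, not Microsoft defaults.

```powershell
# Added example (not Microsoft's or HIPAA Journal's own tooling): read-only check of an
# Exchange Online tenant against the controls discussed above. Assumes the
# ExchangeOnlineManagement module v3+ and Exchange Administrator + Compliance
# Administrator rights. Names used in remediation hints are assumed, not defaults.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false   # Exchange Online cmdlets
Connect-IPPSSession                          # Security & Compliance (DLP) cmdlets

$findings = New-Object System.Collections.Generic.List[string]

# 1. Unified audit log: without it there is no tenant-wide record of who accessed which mailbox.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    $findings.Add("Unified audit log ingestion is disabled. Fix: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true")
}

# 2. Per-mailbox auditing, so owner, delegate and admin actions on each mailbox are recorded.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$unaudited = @($mailboxes | Where-Object { -not $_.AuditEnabled })
if ($unaudited.Count -gt 0) {
    $findings.Add("$($unaudited.Count) mailbox(es) have auditing disabled. Fix: Set-Mailbox -Identity <upn> -AuditEnabled `$true")
}

# 3. Office 365 Message Encryption must be licensed and exposed to Outlook clients.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    $findings.Add("Office 365 Message Encryption (Azure RMS) is not enabled. Fix: Set-IRMConfiguration -AzureRMSLicensingEnabled `$true")
}
if (-not $irm.SimplifiedClientAccessEnabled) {
    $findings.Add("The Encrypt button is hidden in Outlook on the web. Fix: Set-IRMConfiguration -SimplifiedClientAccessEnabled `$true")
}

# 4. At least one enabled mail flow rule should force encryption on outbound mail carrying ePHI.
$encryptRules = @(Get-TransportRule | Where-Object { $_.State -eq 'Enabled' -and $_.ApplyRightsProtectionTemplate })
if ($encryptRules.Count -eq 0) {
    $findings.Add("No enabled mail flow rule applies an encryption template. Example fix: New-TransportRule -Name 'Encrypt outbound ePHI' -SentToScope NotInOrganization -SubjectOrBodyContainsWords 'PHI','patient' -ApplyRightsProtectionTemplate 'Encrypt'")
}

# 5. An enforced DLP policy scoped to Exchange, so ePHI leaving the tenant is detected rather than hoped against.
$dlp = @(Get-DlpCompliancePolicy | Where-Object { $_.Mode -eq 'Enable' -and $_.ExchangeLocation })
if ($dlp.Count -eq 0) {
    $findings.Add("No enforced DLP policy covers Exchange. Example fix: New-DlpCompliancePolicy -Name 'HIPAA-ePHI-Outbound' -ExchangeLocation All -Mode Enable ; New-DlpComplianceRule -Policy 'HIPAA-ePHI-Outbound' -Name 'Block external ePHI' -AccessScope NotInOrganization -BlockAccess `$true -ContentContainsSensitiveInformation @(@{Name='U.S. Social Security Number (SSN)'},@{Name='Drug Enforcement Agency (DEA) Number'},@{Name='International Classification of Diseases (ICD-10-CM)'})")
}

# 6. Mobile device mailbox policy: a PIN and device encryption are what make a remote wipe meaningful.
$mdm = Get-MobileDeviceMailboxPolicy -Identity Default
if (-not $mdm.PasswordEnabled -or -not $mdm.RequireDeviceEncryption -or $mdm.AllowNonProvisionableDevices) {
    $findings.Add("Default mobile device policy does not require PIN + encryption on managed devices. Fix: Set-MobileDeviceMailboxPolicy -Identity Default -PasswordEnabled `$true -RequireDeviceEncryption `$true -AllowNonProvisionableDevices `$false")
}
# Remote wipe of a lost device's corporate data (account data only, not the whole phone):
#   Get-MobileDevice -Mailbox <upn>   then   Clear-MobileDevice -Identity <DeviceId> -AccountOnly

if ($findings.Count -eq 0) {
    Write-Host "No gaps found against the checks above."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Two of the controls in the paragraph above are deliberately outside this script: single sign-on and multi-factor authentication are enforced through Microsoft Entra Conditional Access rather than Exchange cmdlets, and backups and staff training are process controls that no cmdlet can verify. The DLP check only confirms that an enforced policy exists; whether its sensitive information types match the ePHI your organization actually handles still needs a human review.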

Microsoft will sign a BAA but clearly states that simply having a BAA does not guarantee compliance with HIPAA Rules. “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Microsoft publishes its own guidance on configuring Office 365 (Exchange Online) for HIPAA compliance.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
