Is Microsoft Outlook HIPAA Compliant?
The latest in our series of posts on HIPAA compliant software and email services for healthcare organizations explores whether Microsoft Outlook is HIPAA compliant.
Is Microsoft Outlook HIPAA Compliant?
Software or an email platform can never be fully HIPAA compliant, as compliance is not so much about the technology but how it is used. That said, software and email services can support HIPAA compliance. In order for an email service to support HIPAA compliance, it must include a range of security features to ensure that any information uploaded to and transmitted through the service can be done so securely, without risking the exposure or the interception of sensitive data.
The platform provider must also be prepared to sign a business associate agreement with HIPAA-covered entities, and by doing so, agree to comply with the requirements of the HIPAA, Privacy, Security, and Breach Notification Rules.
Microsoft has already taken steps toward making many of its services suitable for healthcare providers by agreeing to enter into a business associate agreement. Crucially for healthcare organizations, the BAA does not cover all of Microsoft’s software and services.
So, what about Outlook? Is Outlook HIPAA compliant? Can it be used by healthcare organizations to transmit protected health information? That depends on which version of Outlook you use and how you use it.
Outlook.com and Office 365 Outlook
Outlook.com is a free, web-based email platform that may appear similar to the Outlook product available as part of the Office 365 package, but it is not the same product. Outlook.com is a consumer product and has not been developed for businesses and should not be used by healthcare organizations, at least not for sending ePHI.
Microsoft supports HIPAA compliance for its Office 365 suite of products, and will enter into a business associate agreement with healthcare organizations for the enterprise version of Office 365; however, in order to meet all requirements of HIPAA it is essential to purchase the right package. An important part of HIPAA compliance is maintaining audit logs, which are not available in Office 365 for Business. HIPAA compliance is only supported for certain enterprise plans, and all of the features required for HIPAA compliance are only available in the Enterprise E3 and E5 plans.
Office 365 and the associated Microsoft Exchange Online service can be HIPAA compliant and are covered by the BAA; however, care must be taken to configure these services correctly and additional controls are required before Office 365 Outlook can be HIPAA compliant. Microsoft offers enterprise-level encryption, Microsoft Exchange Online Protection, data loss prevention (DLP), and the ability to wipe data on mobile devices. Provided these services are used and configured correctly, access controls are set up, audit logs are maintained, single sign on and two factor authentication is enabled, data backups are performed, and staff receive training on the use of email for communicating ePHI, Outlook can be HIPAA compliant. Simply obtaining a business associate agreement with Microsoft will not, by itself, ensure compliance with HIPAA Rules.
Microsoft will sign a BAA but clearly states that simply having a BAA does not guarantee compliance with HIPAA Rules. “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”
Microsoft offers advice on making Office 365 (Exchange Online) HIPAA compliant here.