Is Microsoft Teams HIPAA Compliant?

Microsoft Teams is a popular communications platform used by many businesses to communicate more effectively, but can the solution be used in healthcare? Is Microsoft Teams HIPAA compliant?

Microsoft Teams is a unified communication platform that includes workplace chat, video meetings, and file sharing and can be integrated into a range of different applications. The platform can be used to improve communication and collaboration in the workplace and with business associates.

The platform is built on Office 365 (Office 365 and HIPAA are covered in a separate article). Office 365 can be used in a HIPAA compliant manner, but for Microsoft Teams to be HIPAA compliant it must also include the safeguards needed to keep any electronic protected health information (ePHI) secure.

In the security and compliance section of its website, Microsoft explains that Microsoft Teams delivers advanced security and compliance and places it in its Tier D compliance category. Tier D services have safeguards active by default and are compliant with ISO 27001, ISO 27018, SSAE 16 SOC 1 and SOC 2, HIPAA, and the EU Model Clauses (EUMC). Tier D services have also passed the HITRUST CSF Assurance Program assessment.

Microsoft Teams incorporates access controls, supports single sign-on and multi-factor authentication through the organization's identity provider (whether they are enforced is a tenant configuration decision), and maintains audit logs. Microsoft Teams data are stored in Microsoft's data centers and are encrypted at rest and in transit; the storage region depends on the tenant's data location, so covered entities with data residency requirements should confirm where their tenant's data is held.

Is Microsoft Teams HIPAA Compliant?

Security-wise, Microsoft Teams has the safeguards the HIPAA Security Rule requires, but before the platform can be used in connection with any ePHI, HIPAA-covered entities must enter into a business associate agreement (BAA) with Microsoft that covers the Microsoft Teams platform.

Microsoft is prepared to sign business associate agreements with HIPAA-covered entities. Covered entities that already have a BAA with Microsoft should check that it explicitly lists Microsoft Teams as a covered service, since a BAA signed before Teams was adopted may not cover it.

Provided that is the case, Microsoft Teams can be considered a HIPAA-compliant collaboration platform. A BAA and the platform's safeguards are not sufficient on their own, however: it remains the responsibility of the covered entity to configure the platform in a HIPAA-compliant manner (for example, turning on the access controls, authentication requirements and audit logging described above) and to ensure its workforce uses it appropriately.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.