The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

How to Make Microsoft Office 365 HIPAA Compliant

Microsoft Office is not HIPAA compliant by default and it is not sufficient to simply agree to the terms of Microsoft’s Business Associate Agreement (BAA) to make Microsoft Office 365 HIPAA compliant. The actual process of making Microsoft Office 365 HIPAA compliant (or any software solution) is more complicated than many covered entities and business associates appreciate – potentially resulting in HIPAA compliance failures and avoidable data breaches.

Why Microsoft Office HIPAA Compliance is Complicated

The reason Microsoft Office HIPAA compliance is complicated is that it is not the technology that determines HIPAA compliance, but how the technology is used to mitigate threats and hazards to the confidentiality, integrity, and availability of Protected Health Information (PHI). Without first identifying what threats and hazards exist, it is impossible to determine which Microsoft Office 365 plan is appropriate for an organization’s requirements.

Before evaluating Microsoft Office 365 plans, covered entities and business associates should conduct a HIPAA risk assessment. The HIPAA risk assessment should not only be used to identify threats and hazards, but also reasonably anticipated uses and disclosures of PHI not permitted by the Privacy Rule. This should help organizations determine what extra security and compliance capabilities may be required in addition to core products and services.

The outcome of the risk assessment should then be used to compile a Microsoft Office HIPAA compliance checklist. The checklist can be used to compare the plans capable of supporting compliance against the organization’s requirements. Not all plans are capable of supporting Microsoft Office HIPAA compliance, and it may be necessary in some cases to subscribe to extra security and compliance add-ons to make Microsoft Office 365 HIPAA compliant.


The Microsoft Business Associate Agreement

Microsoft offers a standard Business Associate Agreement (BAA) for all covered entities and business associates that create, receive, store, or transmit PHI via a Microsoft Office 365 product or service. The BAA is entered into automatically as soon as an organization identifies itself as being subject to HIPAA and signs a Service Agreement for a Microsoft Office 365 product or service covered by the Online Products and Services Data Protection Addendum.

Because the BAA is executed automatically, covered entities and business associates are advised to obtain a copy of the BAA prior to signing the Service Agreement and review it for clauses that may require changes to internal policies. For example, Microsoft will not respond to patients and plan members exercising their HIPAA access rights and prohibits the use of PHI in contact lists and directories maintained within Microsoft “in-scope” products and services.

It can also be beneficial to review the content of the Data Protection Addendum – particularly for organizations that operate in locations with more stringent data privacy requirements than HIPAA. This document not only explains the safeguards Microsoft has in place to meet most privacy and security requirements, but also explains customers’ responsibilities for implementing and maintaining privacy protections and security measures.

Making Microsoft Office 365 HIPAA Compliant

The clause requiring customers to implement and maintain privacy protections and security measures means it is the organization’s responsibility to make Microsoft Office 365 HIPAA compliant. Microsoft publishes guidance to help system administrators configure privacy protections and security measures; but, because different organizations have different threats and hazards to mitigate, there is no one-size-fits-all HIPAA implementation guide.

System administrators with little experience of Microsoft 365 can refer to the Microsoft 365 admin center for help and use the Microsoft Purview compliance portal, which includes Compliance Manager for tracking assessment actions. From the compliance portal, administrators can create Data Loss Prevention (DLP) policies for PHI stored in emails and in storage locations such as OneDrive and SharePoint, and monitor user activity in Outlook, Skype for Business, SharePoint, and Microsoft Teams to identify accidental or deliberate impermissible disclosures of PHI.

Possibly the most important step for making Microsoft Office 365 HIPAA compliant is configuring the anti-spam, anti-malware, and anti-phishing policies in Exchange Online Protection (and in Microsoft Defender for Office 365, where licensed), and creating alerts for when threats are detected. System administrators will also have to configure email encryption. Exchange Online uses opportunistic TLS by default, so encryption in transit is not guaranteed for every recipient; where it must be guaranteed, this means forcing TLS to specific partner domains with connectors and applying Office 365 Message Encryption to messages containing PHI with mail flow rules. In some cases, this means using different encryption types or applying different transport rules for different types of email.
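The DLP policy, message encryption, and transport rules described in the two paragraphs above can all be scripted. The following is an added example, not code from the HIPAA Journal article or from Microsoft’s documentation, using the ExchangeOnlineManagement module. The admin account, domain names, and rule names are placeholders, and the built-in “U.S. Social Security Number (SSN)” sensitive information type stands in for whichever PHI identifiers an organization’s risk assessment flags.

```powershell
# Added example (not from the HIPAA Journal article or Microsoft documentation).
# Exchange Online / Security & Compliance PowerShell configuring three controls
# described in the text: a DLP policy for PHI, Office 365 Message Encryption (OME)
# for outbound PHI, and forced TLS to a partner domain. Tenant, domain and rule
# names are placeholders; "U.S. Social Security Number (SSN)" is a built-in
# sensitive information type used as a stand-in for PHI identifiers.

Import-Module ExchangeOnlineManagement
$Admin = "admin@contoso.example"                     # placeholder admin UPN
Connect-ExchangeOnline -UserPrincipalName $Admin     # Exchange Online cmdlets
Connect-IPPSSession    -UserPrincipalName $Admin     # Security & Compliance (DLP) cmdlets

# 1. DLP policy covering Exchange, SharePoint, OneDrive and Teams. Start in
#    TestWithNotifications to measure false positives, then switch -Mode to Enable.
New-DlpCompliancePolicy -Name "PHI Protection" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

New-DlpComplianceRule -Name "PHI shared outside organization" -Policy "PHI Protection" `
    -ContentContainsSensitiveInformation @(@{Name = "U.S. Social Security Number (SSN)"; minCount = "1"}) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent @("Detections", "Severity", "Title") `
    -ReportSeverityLevel High

# 2. Mail flow rule: apply the built-in "Encrypt" OME template to outbound mail
#    whose body or attachments contain the sensitive information type.
New-TransportRule -Name "Encrypt outbound PHI" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name = "U.S. Social Security Number (SSN)"; minCount = "1"}) `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Mode Enforce

# 3. OME does not encrypt the subject line, so reject outbound messages whose
#    subject matches an SSN pattern instead of relying on training alone.
New-TransportRule -Name "Reject PHI in subject" `
    -SentToScope NotInOrganization `
    -SubjectMatchesPatterns '\b\d{3}-\d{2}-\d{4}\b' `
    -RejectMessageReasonText "Protected health information is not permitted in email subject lines." `
    -Mode Enforce

# 4. Forced TLS (with certificate validation) to one partner domain. Opportunistic
#    TLS falls back to plaintext if the peer cannot negotiate TLS; this connector
#    refuses to deliver instead, so the trade-off is availability, not confidentiality.
New-OutboundConnector -Name "Force TLS to lab partner" `
    -ConnectorType Partner `
    -RecipientDomains "labpartner.example" `
    -UseMXRecord $true `
    -TlsSettings CertificateValidation

# Verify what was created before switching the DLP policy to Enable.
Get-DlpCompliancePolicy "PHI Protection" | Format-List Name, Mode, ExchangeLocation
Get-TransportRule | Where-Object Name -like "*PHI*" | Format-Table Name, State, Mode
Get-OutboundConnector "Force TLS to lab partner" | Format-List Name, TlsSettings, RecipientDomains

Disconnect-ExchangeOnline -Confirm:$false
```

Run the script from an account holding the Compliance Administrator and Exchange Administrator roles. The DLP policy is deliberately created in test mode: the incident reports it generates show which legitimate workflows would be blocked, which is the evidence a risk assessment needs before enforcement is turned on.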

More about Microsoft Office 365 Email Security

In recent years Microsoft Office 365 email security has improved considerably. Most Office 365 plans come with preset security policies and a configuration analyzer, while top-end plans and Microsoft Defender for Office 365 add-ons also include Safe Links, Safe Attachments, and Safe Documents. Most plans also include automated anti-phishing checks that evaluate incoming messages using machine learning models to identify threats from as yet unknown sources.

For larger organizations, the A5, E5, F5, and G5 Microsoft Office 365 plans include automated investigation and response (also available with the Microsoft Defender for Office 365 Plan 2 add-on), and it is possible to enhance Microsoft Office 365 email security by using attack simulation training to change how users respond to phishing lures. Phishing is one of the leading causes of data breaches in healthcare, and is a reasonably anticipated threat that should be included in all HIPAA risk assessments.

However, there are some drawbacks to Microsoft Office 365 email security. The security features work best within the Microsoft 365 family, and protecting devices on non-Windows platforms (e.g., Apple devices) can require additional tooling. TLS also involves a delivery trade-off: with the default opportunistic TLS, a message to a recipient server that cannot negotiate TLS is sent in plaintext, while with forced TLS it is not delivered at all. For these reasons, some organizations use additional email security services.

Workforce HIPAA Compliance with Office 365

The preset security policies and the ability to create Data Loss Prevention policies reduce, but do not eliminate, the risk of impermissible disclosures of PHI by members of the workforce. It will usually still be necessary to provide HIPAA training to members of the workforce, depending on their knowledge of when PHI can be used or disclosed in compliance with the Privacy Rule, and when the minimum necessary standard applies to disclosures of PHI.

With regards to Microsoft 365 email security, it is important to instruct members of the workforce not to include PHI in the subject lines of emails. TLS protects a message between mail servers, but message-level encryption such as Office 365 Message Encryption protects only the body and attachments: the “to”, “cc”, “bcc”, and “subject” fields remain readable so that mail systems know where to deliver messages and so that messages are searchable in recipients’ inboxes. This is not an issue unique to Microsoft; most email services leave this metadata unencrypted.

It is also important that all members of the workforce are provided with security awareness training (as required by §164.308(a)(5)) – not just those with access to PHI. If a cybercriminal acquires access to any part of an organization’s network, they may be capable of moving laterally through the network to access drives and systems containing PHI. In some respects, workforce compliance is the most important element of making Microsoft Office 365 HIPAA compliant.

Microsoft 365 and HIPAA Compliance: Conclusion

It was mentioned at the beginning of the article that Microsoft Office HIPAA compliance is complicated, and it is not difficult to see why. Microsoft Office 365 plans come in a variety of sizes and capabilities with a wide range of add-ons. While this can help make Microsoft Office HIPAA compliance more affordable, it can complicate the process of determining the most appropriate plan – especially once existing security measures are taken into account.

For this reason, it is advisable to conduct a risk assessment and make an informed decision about what Microsoft plan is most appropriate for an organization’s requirements. Thereafter, it is important to review the terms of the BAA before accepting it, configure the individual products and services to make Microsoft Office 365 HIPAA compliant, develop policies to support Microsoft 365 HIPAA compliance and train all members of the workforce.

Organizations who encounter challenges with any part of the process are advised to seek help. In most cases, Microsoft’s support team should be able to answer any questions relating to the capabilities of each plan and configuring the capabilities to support HIPAA compliance. Organizations that encounter challenges with developing policies to support HIPAA compliance or workforce training are advised to seek advice from a compliance professional.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
