Is Microsoft 365 HIPAA compliant?

Looking to pitch your MSP to a company with tough compliance standards, but unsure how you can work with them? Don’t worry: once again, GenesisSystem.com and Microsoft have got your back, and the process is simpler than you think. But before we answer the question “Is Microsoft 365 HIPAA compliant?”, we’ll briefly discuss what HIPAA is and what exactly it means to be HIPAA compliant.

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. This is a piece of U.S. legislation that provides data privacy and security regulations to ensure sensitive medical information is protected. The law has gained greater prominence in recent years with the proliferation of health data breaches caused by cyberattacks and ransomware attacks on both health insurers and providers.

The purpose of HIPAA is to provide uninterrupted health insurance coverage for workers who lose or change their jobs. By standardizing the electronic transmission of administrative and financial transactions, HIPAA helps reduce administrative burdens and the cost of health care. There are other goals as well; these include identifying abuse, fraud, and waste in the delivery of health care and simplifying access to long-term care services and health insurance.

The law covers five different areas, but when discussing HIPAA compliance for those in the health care industry, Title II is often the primary area of concern. Let’s discuss some of the Title II HIPAA compliance requirements that MSPs need to be aware of.

HIPAA Privacy Rule

The following information is considered to be protected under the HIPAA guidelines:

  • the patient’s name, address, birth date, and Social Security number;
  • the individual’s physical or mental health condition;
  • any care provided to the individual; and
  • information concerning payment for the care provided, when the patient is identified or has a reasonable chance of being identified.

HIPAA Security Rule

The HIPAA Security Rule sets national standards for securing patient data that are stored or transferred electronically. To that end, the HIPAA Security Rule requires health care organizations to implement both physical and electronic safeguards to ensure the secure passage, maintenance, and reception of protected health information (PHI).

HIPAA compliance

Health care organizations must often rely on the services of third-party vendors, such as IT providers. But in doing so, they run the risk of exposing PHI and violating HIPAA compliance. To ensure they comply with HIPAA regulations, these organizations can make use of the official HIPAA Alliance Marketplace to connect with verified vendors, referred to as Business Associates (BAs).

Requirements for a HIPAA Business Associate contract

A compliant HIPAA Business Associate contract should:

  • describe how the BA is permitted and required to use PHI;
  • require that the BA not use or disclose PHI, other than as specified in the contract or as required by law;
  • require the business associate to use appropriate security measures to ensure PHI is used in accordance with the contract terms;
  • require the covered entity to take reasonable steps to resolve any breach by the HIPAA BA if and when they become aware of one (if this is unsuccessful, the covered entity is required to terminate the contract with the business associate); and
  • report the event to the OCR if terminating the contract with the business associate is impossible.

With these new regulations in mind, a HIPAA Business Associate agreement should explicitly spell out how a BA will report and respond to a data breach. This also includes data breaches that are caused by a BA’s subcontractors. In addition, a HIPAA Business Associate agreement should require a BA to illustrate in a work process how they would respond to an OCR investigation.

Software or email platforms can never be fully HIPAA compliant on their own, as compliance is not so much about the technology as about how it is used. With that said, software and email services can support HIPAA compliance. To do so, an email system must include a range of security features that ensure information uploaded to or transmitted through the service is handled securely, without risking exposure or interception of sensitive data.

Now that we have an understanding of what is required for HIPAA compliance, let’s consider how Microsoft plans stack up.

So, is Microsoft 365 HIPAA compliant?

Microsoft supports HIPAA compliance for its Office suite of products and enters into Business Associate agreements with healthcare organizations for Enterprise versions of Office 365 and Microsoft 365. However, in order to meet all requirements of HIPAA, it is essential that you purchase the right package. An important part of HIPAA compliance is maintaining audit logs, which are not available in all Microsoft 365 plans for business.

Microsoft 365 and the associated Microsoft Exchange Online service can be HIPAA compliant and are covered by the BAA; however, care must be taken to configure these services correctly, and additional controls are required before Microsoft Outlook can be considered HIPAA compliant. Microsoft offers enterprise-level encryption, Microsoft Exchange Online Protection, data loss prevention (DLP), and the ability to wipe data on mobile devices. Outlook can be HIPAA compliant, provided that:

  • these services are used and configured correctly;
  • access controls are set up;
  • audit logs are maintained;
  • single sign-on and two-factor authentication are enabled;
  • data backups are performed; and
  • staff receive training on the use of email for communicating ePHI.
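Several of the items above (audit logs, correctly configured services, DLP) can be verified from the tenant rather than taken on trust. The script below is an added example written for this article, not code from GenesisSystem.com or Microsoft; it is a read-only check that reports gaps and prints the remediation cmdlet for each. It assumes the ExchangeOnlineManagement PowerShell module is installed and that the account supplied in $AdminUpn (a placeholder) holds the Exchange and compliance roles needed to read these settings. It does not cover single sign-on, MFA, backups or staff training, which live outside Exchange and the compliance portal.

```powershell
# Added example: read-only HIPAA-readiness check for an Exchange Online tenant.
# Assumes the ExchangeOnlineManagement module; $AdminUpn is a placeholder value.
#Requires -Modules ExchangeOnlineManagement

param(
    [Parameter(Mandatory = $true)]
    [string]$AdminUpn   # e.g. admin@tenant.onmicrosoft.com (placeholder)
)

$findings = [System.Collections.Generic.List[string]]::new()

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# 1. Unified audit log: without it there is no record of who accessed ePHI and when.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    $findings.Add("Unified audit log ingestion is OFF. Fix: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true")
}

# 2. Mailbox auditing must not be switched off at the organisation level.
$orgCfg = Get-OrganizationConfig
if ($orgCfg.AuditDisabled) {
    $findings.Add("Mailbox auditing is disabled organisation-wide. Fix: Set-OrganizationConfig -AuditDisabled `$false")
}

# 3. Audit bypass associations: actions by these accounts are never logged,
#    so each one is a blind spot in the audit trail.
$bypassed = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled }
foreach ($acct in $bypassed) {
    $findings.Add("Audit bypass is enabled for $($acct.Name). Fix: Set-MailboxAuditBypassAssociation -Identity '$($acct.Name)' -AuditBypassEnabled `$false")
}

# 4. DLP: at least one *enabled* policy should apply to Exchange so outbound
#    mail is inspected for health information rather than only logged in test mode.
Connect-IPPSSession -UserPrincipalName $AdminUpn
$exchangeDlp = Get-DlpCompliancePolicy |
    Where-Object { $_.Mode -eq 'Enable' -and $_.ExchangeLocation }
if (-not $exchangeDlp) {
    $findings.Add("No enabled DLP policy targets Exchange Online. Create one (Microsoft ships a HIPAA policy template) and set its mode to Enable.")
}

Disconnect-ExchangeOnline -Confirm:$false

if ($findings.Count -eq 0) {
    Write-Output "No gaps found in the checked settings (audit log, mailbox auditing, audit bypass, DLP)."
} else {
    Write-Output "Findings to remediate before relying on Microsoft 365 for ePHI:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it as `.\Check-M365Hipaa.ps1 -AdminUpn <admin account>` from a workstation with the module installed. The script deliberately only reads settings and prints the corresponding Set- cmdlet, so a reviewer can apply each change knowingly; in a tenant where auditing was never turned on, the audit log will only contain events from the moment you enable it, which is worth recording in the client's compliance file.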

Note that simply obtaining a Business Associate agreement with Microsoft will not by itself ensure compliance with HIPAA rules, as Microsoft has stated itself:

“By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.” – Microsoft Corporation

Customers who have an online service agreement with Microsoft do not need to sign up or take any action to sign a HIPAA BAA, since the BAA is already offered to all relevant customers in the Online Services Terms.
