Is Office365 HIPAA Compliant?

Microsoft Office 365 may be HIPAA compliant under certain circumstances, but covered entities must be extremely careful, taking proactive measures to ensure they do not unintentionally violate HIPAA's Privacy Rule.

Office 365, Outlook, and HIPAA Compliance

Like many technologies, Office 365 makes it easier to exchange information electronically. If your organization is a so-called “covered entity” subject to HIPAA, it's critical that you fully understand the nuances of the law in order to remain in compliance. Ignorance of the law is no excuse, and in the case of electronic communications, ignorance of the fine points of the underlying technology will not be an adequate defense if your organization is found to have violated patient privacy.

First, it's important to distinguish between the various e-mail services that Microsoft provides:

  • Outlook.com is a free service for personal e-mail, formerly known as Hotmail. It is not HIPAA compliant, so covered entities should avoid using it altogether.
  • The Outlook desktop application is part of Microsoft Office. It can be HIPAA compliant under certain conditions, provided it's connecting to an e-mail provider that is HIPAA compliant, and that the covered entity has a signed Business Associate Agreement in effect with that provider.
  • Office 365 is Microsoft's subscription-based service which includes Outlook for e-mail. There are various subscription levels for Office 365. To remain HIPAA compliant, you'll need to have a “Business Premium” account, which includes necessary features such as archiving and encryption.

Critical Steps Required to Make Office 365 HIPAA Compliant

Assuming you're already signed up with an Office 365 account, you'll need to implement several additional measures to make it HIPAA compliant.

First, you'll need a signed Business Associate Agreement (BAA). Microsoft offers a standard agreement for covered entities. Needless to say, there's no flexibility built into that agreement; it's a “take it or leave it” proposition. For covered entities that prefer a custom BAA, this won't be a good option. If you go looking for Microsoft's standard BAA, be patient as it can be difficult to find.

That's only the first step, though. As Microsoft's FAQ says, “By offering a Business Associate Agreement, Microsoft helps support your HIPAA compliance. However, using Microsoft services does not on its own achieve HIPAA compliance. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place and that your particular use of Microsoft services aligns with your obligations under HIPAA and the HITECH Act.”

Translation: You're on your own. Here are some additional steps you'll need to take to make Office 365 HIPAA-compliant:

HIPAA requires covered entities to implement something called “access management” which enables administrators to limit data access for various employees based on their roles. Access management can track which employees have accessed which specific data and how frequently they did so. Covered entities need to turn on Office 365's audit log capabilities to ensure they have records of such activities.

Lastly, you'll need to set up 2-factor authentication (2FA) to protect your data from being accessed by unauthorized parties. 2FA offers an additional measure of security by requiring users to prove their identity using a code sent via text message, or a six-digit code that changes dynamically every 30 seconds. It is required in order to be covered under Microsoft's standard BAA.
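As an added illustration of the audit-log step above (not code from the original post), the Exchange Online PowerShell commands an administrator could use to confirm the unified audit log is turned on and then pull a record of which accounts accessed a given mailbox and how often. The admin and mailbox addresses, the 30-day window, and the assumption that the ExchangeOnlineManagement module is installed are placeholders; which mailbox operations appear in the log depends on the tenant's plan and mailbox auditing settings.

```powershell
# Added example: verify/enable Office 365 unified audit logging and summarise
# mailbox access. Requires the ExchangeOnlineManagement module and an account
# holding the Audit Logs role. Addresses and the date window are placeholders.
Connect-ExchangeOnline -UserPrincipalName "admin@example.com"

# 1. Confirm the unified audit log is being populated; switch it on if not.
#    Ingestion can take a few hours to begin after enabling.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host "Unified audit log ingestion was off and has now been enabled."
}

# 2. Pull the last 30 days of Exchange mailbox audit events.
$mailbox = "clinician@example.com"   # placeholder mailbox to review
$end     = Get-Date
$start   = $end.AddDays(-30)
$events  = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
              -RecordType ExchangeItem -ResultSize 5000

# 3. Each event carries a JSON payload; keep only those that touched the
#    mailbox of interest, then count by acting user and operation.
$records = $events | ForEach-Object { $_.AuditData | ConvertFrom-Json }
$records |
    Where-Object { $_.MailboxOwnerUPN -eq $mailbox } |
    Group-Object -Property UserId, Operation |
    Sort-Object -Property Count -Descending |
    Select-Object Name, Count |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Accounts other than the mailbox owner showing up in the output are the ones to reconcile against the role-based access you intended to grant.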

If Users Aren't Careful, HIPAA Violations May Occur

Even if you have done everything in your power to set up Office 365 correctly, you still need to be careful. For example, Microsoft's end-to-end encryption protects any data that is stored or uploaded to their cloud server, as well as data “in transit.” However, filenames, subject lines, and message headers are not encrypted. If your users inadvertently include protected health information in these fields, it could result in a HIPAA violation.

If you want to avoid these kinds of headaches altogether, it's best to seek out more secure methods of sending and receiving PHI. HIPAA-compliant Secure Cloud Fax is a tried-and-true method of exchanging PHI safely. HIPAA-compliant Healthcare Fax from WestFax meets the highest standards for security in the industry, with high-level encryption, 24x7 security at our data centers, plus video surveillance and secure access control.

WestFax makes communication easy. Users can send and receive faxes from a desktop or laptop computer, a mobile device, or a multi-function printer/copier/fax machine. WestFax also offers a Fax API that makes it easy to embed fax capabilities into your software. Be careful, though: not all fax services are HIPAA compliant, and not all fax providers will sign a custom Business Associate Agreement (BAA). WestFax will.

If you're looking for the most secure way to send and receive PHI and avoid the uncertainties and complexities of Office 365, WestFax can help. We offer expert advice and can tailor a HIPAA-compliant healthcare fax solution to meet your unique needs. Contact us today.
