Can Hotmail Be Considered as HIPAA Compliant?
Hotmail cannot be considered HIPAA compliant for sending or receiving emails containing PHI unless a user’s Hotmail account is connected to a Microsoft 365 or Office 365 Enterprise account that supports HIPAA compliance and is configured to comply with the Security Rule. However, it is permissible to send emails to a Hotmail account if an individual has requested “confidential” communications via Hotmail.
Hotmail.com was retired by Microsoft in 2012 and rebranded as Outlook.com. Hotmail users were allowed to keep their Hotmail email addresses and can continue to use their accounts via the Outlook extension, the Outlook app, or an email platform such as Thunderbird. However, neither the free version of Hotmail nor the free version of Outlook contains the security and administrative controls to be considered HIPAA compliant.
This means it is not permissible for HIPAA covered entities or business associates to create, receive, maintain, or transmit Protected Health Information (PHI) using a free version of the email service. In order for Hotmail to be considered HIPAA compliant, the account has to be connected to a Microsoft 365 or Outlook 365 account that supports HIPAA compliance. Covered entities and business associates must also agree to the terms of Microsoft’s BAA.
In addition to connecting a Hotmail account to an appropriate Microsoft 365 or Outlook 365 account, the Microsoft 365 or Outlook 365 account has to be configured to support HIPAA compliance. The process for configuring “in-scope” services to support HIPAA compliance varies depending on which services are being used with Hotmail/Outlook, but Microsoft provides plenty of help in the community and support areas of its website.
Sending PHI to a Free Hotmail Account
Although it is not possible for covered entities to create, receive, maintain, or transmit PHI using a free Hotmail account, there is a scenario in which it is permissible to send PHI to a free Hotmail account. This scenario exists when an individual (i.e., a patient or plan member) exercises their right to request confidential communications under §164.522(b) of the Privacy Rule. As this is a “reasonable request”, it should be accommodated by covered entities.
If the request is agreed to, it is a best practice to advise the individual of the risks of receiving PHI in unencrypted emails and to document the warning. Further best practices when sending PHI to a free Hotmail account include verifying the recipient’s email address before sending communications containing PHI, not writing PHI in the subject line of an email, and ensuring disclosures of PHI are kept to the minimum necessary to fulfil the purpose of the email.
Due to the decreasing number of Hotmail accounts in existence, this scenario will become less likely over time. However, because of the number of alternative free email services that exist (e.g., Outlook, Gmail, Yahoo, etc.), it remains important for workforce members to receive HIPAA training on the procedures and best practices for sending unencrypted PHI in emails to comply with individuals’ requests. Organizations that require help with the provision of training should seek professional HIPAA compliance advice.