Is Microsoft Office 365 HIPAA Compliant?

Office 365 is a collection of subscription products from Microsoft that include Word, Excel, PowerPoint, OneNote, Publisher, Outlook and Access. Many companies use Office 365, but is it acceptable for healthcare organizations to use Office 365? Can Office 365 be used without violating HIPAA and HITECH Act Rules?

HIPAA covered entities that buy Office 365 via the Volume Licensing Programs or through the Dynamics CRM Online Portal can enter into a business associate agreement (BAA) with Microsoft. Microsoft enters into an online service contract with users of its Office 365 products, and this occurs automatically. However, this does not constitute a BAA. HIPAA covered entities must have a signed BAA before they use Office 365 with any electronic protected health information (ePHI) in order to be HIPAA-compliant.

Provided healthcare organizations enter into a BAA with Microsoft for Office 365, it can be considered HIPAA compliant as it incorporates all the required privacy and security controls and meets HIPAA requirements. Microsoft retains access logs which may need to be provided in the event of an audit. Reports on access logs are available upon request from Microsoft.

Files uploaded to Microsoft servers and data transmitted from Microsoft facilities are protected by encryption, but message headers and packet headers are not. It is safe to use Outlook for email as long as ePHI is not put in the email subject line, used to name attached files, or added to the To and From fields.
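As an added example that is not part of the original article, the following pre-send check (written against Python's standard `email` library, not any Microsoft API) inspects only the fields the article singles out as travelling in the clear: Subject, To, From and attachment file names. The identifier patterns are constructed placeholders for illustration, not a real DLP rule set.

```python
import re
from email.message import EmailMessage

# Constructed, illustrative patterns only. A real deployment would use the
# organisation's own identifier formats (MRN layout, etc.) and its DLP policy.
EPHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s-]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b", re.IGNORECASE),
}


def unencrypted_fields(msg: EmailMessage) -> dict:
    """Collect the parts of a message that are sent as cleartext metadata:
    the Subject/To/From headers and every attachment file name."""
    fields = {
        "Subject": msg.get("Subject", ""),
        "To": msg.get("To", ""),
        "From": msg.get("From", ""),
    }
    # iter_attachments() yields nothing for a single-part message, so this
    # is safe for messages without attachments.
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            fields[f"attachment:{name}"] = name
    return fields


def find_ephi_in_headers(msg: EmailMessage) -> list:
    """Return (field, pattern_label) pairs for every cleartext field that
    matches an ePHI-like pattern. The body is deliberately not scanned:
    it is encrypted in transit, so the article's rule does not cover it."""
    hits = []
    for field, value in unencrypted_fields(msg).items():
        for label, pattern in EPHI_PATTERNS.items():
            if pattern.search(value):
                hits.append((field, label))
    return hits


def build_message(subject: str, to: str, sender: str, attachment_name: str) -> EmailMessage:
    """Construct a sample outbound message with one PDF attachment (test data)."""
    msg = EmailMessage()
    msg["Subject"], msg["To"], msg["From"] = subject, to, sender
    msg.set_content("Constructed body; not scanned by this check.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename=attachment_name)
    return msg
```

A message that produces any hits should be held for the sender to move the identifier into the encrypted body or attachment contents before it leaves the organisation.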

When accessing Office 365 and Outlook email accounts, two-factor authentication should be set up to prevent the account from being accessed by an unauthorized individual. Should login credentials be compromised, two-factor authentication will help to ensure the account cannot be accessed from an unfamiliar device or location.

So, ‘Is Microsoft Office 365 HIPAA compliant?’ It may be deemed compliant so long as a business associate agreement is obtained from Microsoft. Office 365 provides the appropriate privacy and security controls to meet HIPAA and HITECH Act requirements, but it is the covered entity’s responsibility to set up and use Office 365 in a manner that complies with HIPAA Rules. Users should be trained on the allowable uses and disclosures of PHI, and how they apply to Office 365. Administrators should also enable access logs, and those logs should be monitored on a regular basis.