Is Microsoft Outlook HIPAA Compliant?

No software program or email service can be HIPAA compliant on its own, because compliance depends not only on the technology but on how it is used. That said, software and email services can support HIPAA compliance if they provide security features that allow protected health information (PHI) to be stored and transmitted without exposing it. The service provider must also be willing to sign a business associate agreement (BAA) with HIPAA-covered entities; by signing, it agrees to meet the requirements of the HIPAA Privacy, Security, and Breach Notification Rules that apply to business associates.

Many Microsoft services are well suited to healthcare providers once a BAA is signed, but the BAA does not cover every piece of software or every service Microsoft offers. So does it cover Outlook? Is Microsoft Outlook HIPAA compliant? Can healthcare organizations use it to send messages containing protected health information? The answer depends on which version of Outlook you have and how you use it.

Outlook.com is a free, web-based email service that looks much like the Outlook client included in the Office 365 suite, but it is not the same product. Outlook.com is a consumer service, is not covered by Microsoft's BAA, and was not designed for business use. Healthcare organizations should not use it, at least not for transmitting electronic PHI (ePHI).

The Microsoft Office 365 suite (now sold as Microsoft 365) can support HIPAA compliance. Microsoft will sign a business associate agreement with healthcare organizations that use the enterprise edition of Office 365, but to satisfy all HIPAA requirements you must buy the right package. Audit logging is an essential part of HIPAA compliance, and according to this article the Office 365 for Business plans do not provide it; the full set of features needed for HIPAA compliance is offered only in the Enterprise E3 and E5 plans. Plan contents change over time, so verify the current feature list and BAA coverage against Microsoft's product terms before relying on a particular plan.

Office 365 and the related Microsoft Exchange Online service can support HIPAA compliance and are included in the BAA, but they must be configured with care. Additional controls are needed before Outlook in Office 365 can be used for ePHI. The relevant Microsoft features include:

  • enterprise-grade encryption, both for data in transit and at rest and at the message level
  • data loss prevention (DLP) policies that detect and block ePHI leaving the organization
  • Microsoft Exchange Online Protection for malware and spam filtering
  • the ability to remotely wipe data from lost or stolen mobile devices

Outlook can only support HIPAA compliance if these features are turned on and configured properly: access controls are in place, audit logs are retained, single sign-on and two-factor authentication are enabled, data backups are performed, and staff are trained on how to communicate ePHI by email. Simply signing a business associate agreement with Microsoft is not enough to ensure HIPAA compliance.
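The controls listed above are tenant settings that an administrator can read back, so the following PowerShell script, added here as an example and not taken from the article or from Microsoft, performs a read-only check of the Exchange Online and Security & Compliance settings that correspond to them (audit logging and retention, DLP, message encryption, mobile device policy). It assumes the ExchangeOnlineManagement module is installed, that the caller holds a role able to read these settings (for example Global Reader), and a hypothetical sign-in name `admin@contoso.example`. The thresholds it applies (for instance "at least one enabled DLP policy scoped to Exchange") are illustrative minimums, not a compliance determination.

```powershell
# Added example (not from the original article or from Microsoft): a read-only
# audit of the Office 365 / Exchange Online controls the article lists.
# Assumes the ExchangeOnlineManagement module and a role that can read these settings.
# Usage (hypothetical UPN): .\Test-ExoHipaaControls.ps1 -UserPrincipalName admin@contoso.example
param(
    [Parameter(Mandatory)]
    [string]$UserPrincipalName
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -UserPrincipalName $UserPrincipalName -ShowBanner:$false
Connect-IPPSSession    -UserPrincipalName $UserPrincipalName   # Security & Compliance cmdlets (DLP, audit retention)

function Test-ExoHipaaControls {
    $findings = [System.Collections.Generic.List[pscustomobject]]::new()
    function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{
            Control = $Control
            Status  = $(if ($Pass) { 'PASS' } else { 'FAIL' })
            Detail  = $Detail
        })
    }

    # 1. Audit logging: unified audit log ingestion on, mailbox auditing not disabled org-wide.
    $adminAudit = Get-AdminAuditLogConfig
    Add-Finding 'Unified audit log ingestion' $adminAudit.UnifiedAuditLogIngestionEnabled `
        "UnifiedAuditLogIngestionEnabled=$($adminAudit.UnifiedAuditLogIngestionEnabled)"
    $org = Get-OrganizationConfig
    Add-Finding 'Mailbox auditing (org-wide)' (-not $org.AuditDisabled) "AuditDisabled=$($org.AuditDisabled)"

    # 2. Audit log retention: keeping logs beyond the default period requires an explicit policy.
    $retention = @(Get-UnifiedAuditLogRetentionPolicy -ErrorAction SilentlyContinue)
    Add-Finding 'Audit log retention policy' ($retention.Count -gt 0) "$($retention.Count) retention policy(ies) defined"

    # 3. DLP: at least one policy in enforce mode that covers Exchange mailboxes.
    $dlp = @(Get-DlpCompliancePolicy | Where-Object { $_.Mode -eq 'Enable' -and $_.ExchangeLocation })
    Add-Finding 'DLP policy enforced for Exchange' ($dlp.Count -gt 0) ('Enabled Exchange DLP policies: ' + ($dlp.Name -join ', '))

    # 4. Message-level encryption: Office 365 Message Encryption relies on Azure RMS being licensed/enabled.
    $irm = Get-IRMConfiguration
    Add-Finding 'Message encryption (Azure RMS) enabled' $irm.AzureRMSLicensingEnabled `
        "AzureRMSLicensingEnabled=$($irm.AzureRMSLicensingEnabled)"

    # 5. Mobile devices: the default mailbox policy should require a device password and device
    #    encryption. Remote wipe itself is an action (Clear-MobileDevice), so only the policy is checked here.
    $mobile   = Get-MobileDeviceMailboxPolicy | Where-Object { $_.IsDefault } | Select-Object -First 1
    $mobileOk = [bool]($mobile -and $mobile.DevicePasswordEnabled -and $mobile.RequireDeviceEncryption)
    Add-Finding 'Default mobile device policy' $mobileOk `
        "DevicePasswordEnabled=$($mobile.DevicePasswordEnabled) RequireDeviceEncryption=$($mobile.RequireDeviceEncryption)"

    # Not covered here: multi-factor authentication and single sign-on are enforced in Entra ID
    # (Conditional Access) rather than through Exchange cmdlets, and backups are an operational process.
    return $findings
}

Test-ExoHipaaControls | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

The script reports PASS/FAIL per control rather than changing anything, so it can be run by a reader-level account as part of a periodic review; a FAIL means the corresponding setting needs attention, not that the tenant is non-compliant in a legal sense.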

Microsoft is willing to sign a BAA, but it states clearly that having a BAA does not by itself guarantee compliance with the HIPAA Rules: “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Microsoft provides its own guidance on configuring Office 365 (Exchange Online) to support HIPAA compliance.