Is Microsoft Teams HIPAA Compliant?
Microsoft Teams is popular among businesses that use it to improve communication and collaboration, but can it be used in healthcare? Does Microsoft Teams support HIPAA compliance?
Microsoft Teams is a unified communication tool with features such as workplace chat, file sharing, and web conferencing. It integrates with various applications to enhance communication and collaboration between employees and business partners.
Microsoft Teams is built on Office 365, and Microsoft supports HIPAA compliance for Office 365, but that does not by itself make Microsoft Teams HIPAA compliant: HIPAA compliance depends on how a service is contracted, configured, and used, not only on the platform it runs on.
Is Microsoft Teams HIPAA Compliant?
The security and compliance section of Microsoft’s website states that Microsoft Teams provides security and compliance capabilities and lists it in the Tier-D compliance category. Services in this category have security controls enabled by default and meet the requirements of SSAE 16, SOC 1, SOC 2, ISO 27001, ISO 27018, HIPAA, and the EU Model Clauses (EUMC). Tier-D services have also passed the HITRUST CSF Assurance Program assessment.
Microsoft Teams includes security features such as access controls, single sign-on, and two-factor authentication, and the platform retains audit logs. All data uploaded to or created through Microsoft Teams is encrypted at rest and in transit and is stored on protected servers in Microsoft data centers (in North America for the tenants the page describes).
With respect to security, Microsoft Teams can satisfy the HIPAA Security Rule requirements, provided it is configured to log users out after a period of inactivity and the available access controls, multi-factor authentication, and audit logging are actually turned on. Before a HIPAA-covered entity uses the platform with any ePHI, however, it must first enter into a business associate agreement (BAA) with Microsoft. Microsoft will sign a BAA with HIPAA-covered entities.
Provided a signed BAA is in place, Microsoft Teams may be regarded as a HIPAA-compliant collaboration platform. Nonetheless, the BAA does not make the covered entity compliant on its own: it remains the HIPAA-covered entity’s responsibility to configure the platform securely, limit access to ePHI to authorized users, review the audit logs, and make sure the platform is used in a way that is HIPAA compliant.