Microsoft Teams is HIPAA compliant and can be used to collect, save, share, or export protected health information provided the platform is used as part of a business plan that supports HIPAA compliance and is configured to comply with the implementation specifications of the Security Rule. It will also be necessary for Security Officers to agree to and electronically sign Microsoft’s Business Associate Agreement.
Microsoft Teams is an advanced communications platform with multiple capabilities and integrations. Businesses can choose from a range of standalone Teams subscription options starting with the feature-limited free option, or subscribe to an Office 365 business plan, a Microsoft 365 business plan, or the Microsoft Cloud for Healthcare service – all of which have Microsoft Teams included.
However, businesses need to take care with which option they choose if the platform is going to be used to collect, store, share, or transmit Protected Health Information (PHI). This is because not all the options support HIPAA compliance by default, and it may be necessary to subscribe to an additional “security” or “compliance” add-on to make Microsoft Teams HIPAA compliant.
Which Teams Plans Support HIPAA Compliance?
Subject to other security mechanisms already deployed on users’ devices (e.g., authentication controls, automatic log-off, etc.), the Microsoft 365 Basic and Standard Business Plans for Teams can be configured to support HIPAA compliance. So too can the Office 365 E3 and E5 plans, and the Microsoft 365 E3, E5, F3, and F5 plans – in some cases also subject to other security mechanisms.
Probably the most complete solution for businesses wishing to use Teams to collect, store, share, or transmit PHI is the Microsoft Cloud for Healthcare. This premium package claims to improve clinical and operational insights, empower health team collaboration, and enhance patient engagement; but the cost includes a number of capabilities not all healthcare providers may be able to use.
Microsoft BAA is Automatic for Qualifying Plans
A further condition that has to be fulfilled to make Microsoft Teams HIPAA compliant is a Business Associate Agreement (BAA). Microsoft has a standard BAA which is automatically entered into with a Covered Entity when a Covered Entity subscribes to a qualifying plan or the Microsoft Cloud for Healthcare service. While this makes the BAA process easier, there are potential issues.
Three potential issues are immediately apparent: Covered Entities are not permitted to store PHI in any directory information maintained in an in-scope service; Microsoft will not respond to customer right of access requests; and Microsoft will not report “unsuccessful” security incidents – contrary to §164.314. Other issues may exist depending on the nature and security of Covered Entities’ operations.
Configuring and Using Microsoft Teams
Even with a Microsoft Teams plan that supports HIPAA compliance and a BAA, it is still necessary to configure and use the platform compliantly to avoid HIPAA violations. The complexity of configuring Microsoft Teams to be HIPAA compliant depends on the capabilities of the plan and what other services have been integrated with the platform, as these also have to be configured compliantly.
The compliant use of Microsoft Teams usually depends on the quality of HIPAA training and on users’ judgement about when communications with patients may not be confidential. Anecdotal evidence suggests there are many occasions when patients do not appreciate the effort put into maintaining the privacy of their individually identifiable health information!
Is Microsoft Teams HIPAA Compliant? Conclusion
Microsoft Teams can help Covered Entities and Business Associates be HIPAA compliant, but it depends on which plan is subscribed to, the acceptance of Microsoft’s BAA, the complexity of configuration, and compliant use. Undoubtedly, Microsoft Teams is one of the most advanced communication platforms on the market. Whether the cost and complexity of the platform is suitable for every Covered Entity or Business Associate will depend on organizations’ other compliance requirements and the measures already in place to comply with those requirements.