The question of whether or not Office 365 is HIPAA compliant has recently been clouded by the rebranding of Office 365 to Microsoft 365 and the repackaging of several subscription plans with different services and features than before.
Microsoft/Office 365 is used by many healthcare organizations and covered entities, but that does not necessarily mean Office 365 is HIPAA compliant. Although Microsoft does support HIPAA compliance, and Office 365 can be used without violating HIPAA Rules, not all Microsoft/Office 365 services meet the requirements of HIPAA in all subscription plans.
A prime example of this issue is Skype for Business Online. Although this service is included in multiple subscription plans, it is only HIPAA-compliant under the E3 and E5 subscription plans as these plans contain the necessary access, audit, and automatic log-off controls to comply with the Technical Safeguards of the HIPAA Security Rule.
Similar issues exist with other meeting, call, and chat apps, and with Microsoft 365 social, intranet, and storage services. These services must not only have the appropriate security controls in place to be used in compliance with HIPAA, but must also be configured to meet document retention, archiving, and eDiscovery requirements.
Compliance Doesn't Depend on Technology Capabilities
It is important to note that even if a covered entity subscribes to an E3 or E5 plan, this is no guarantee of HIPAA compliance. Compliance with HIPAA does not depend on technology capabilities, but on how the technology is configured and used. Therefore, rather than asking "Is Office 365 HIPAA compliant?", covered entities should be asking "Is our use of Office 365 HIPAA compliant?"
The way to answer this question is to conduct a risk assessment of the Office 365 services being used to create, store, or transmit ePHI, and to determine whether the controls provided by Microsoft are sufficient to prevent unauthorized access and the loss or theft of data, and to maintain the integrity of ePHI. Covered entities should then enforce policies that restrict the use of ePHI to those Office 365 services that have adequate safeguards and that govern how those services are used.
It is also necessary to sign a Business Associate Agreement (BAA) with Microsoft to be in compliance with HIPAA. Because Microsoft provides services to many different types of healthcare organizations and covered entities, each with their own requirements, the company insists on the use of its own BAA rather than a BAA prepared by the covered entity, in order to ensure a consistent service. You can download and review the Microsoft BAA from the Microsoft website.
Office 365 FAQs
Which Office 365 services are covered by the Microsoft BAA?
The Microsoft BAA includes a link to a page dedicated to HIPAA and HITECH compliance. On this page, there is a list of "in-scope services" covered by the BAA. Please note that some of the "in-scope services" (e.g., Office Pro Plus) include multiple products, so if you don't see a specific product listed, you may have to look deeper into each service.
Does this mean some Office 365 services might not be covered by a BAA?
The potential exists for an Office 365 subscription plan to include services that covered entities cannot use to create, store, or transmit ePHI. However, in most cases, the services not covered by Microsoft's BAA would likely not be used for creating, storing, or transmitting ePHI. (Note: some services are in the process of being certified to support HIPAA compliance.)
How do I know if Office 365 services are configured in compliance with HIPAA?
Microsoft offers a "Compliance Manager" service which assesses the controls currently being used and recommends improvements where necessary. The Compliance Manager service is included in the in-scope services of Microsoft's BAA and can be customized to assess controls for HIPAA compliance or for any other regulatory requirements the organization may be subject to.
Are there any specific HIPAA compliance policies for Office 365?
All HIPAA compliance policies should be developed based on the analysis of a risk assessment. However, with regard to HIPAA compliance policies for Office 365, covered entities may wish to remind users not to enter ePHI in directories, address books, or global address lists; not to share ePHI in troubleshooting or support conversations with Microsoft; and not to reference ePHI in file names, email headers, or publicly accessible SharePoint locations.
With regard to email, is Outlook covered by a Microsoft BAA?
Outlook is part of the Office Pro Plus suite of products and therefore covered by a Microsoft BAA. However, before using Outlook to send or receive communications containing ePHI, covered entities must ensure the correct encryption mechanisms are in place to secure ePHI at rest and in transit, and that users are reminded of the Minimum Necessary Standard in all communications.