Is Office 365 HIPAA Compliant?

Is Office 365 HIPAA compliant? Can healthcare organizations use Office 365 in connection with protected health information (PHI) without violating HIPAA Rules? In this post we explain whether Office 365 is HIPAA compliant and the steps that must be taken before any Office 365 product can be used with PHI.

Microsoft Office 365 is one of the most widely adopted software-as-a-service offerings for businesses. It consists of a suite of apps and services, including Microsoft Office solutions such as Word, Excel, PowerPoint, Access, and Outlook email. According to Microsoft’s Q1 FY19 figures, released in October 2018, there were 155 million active commercial Office 365 users, and that figure was growing at a rate of around 3 million per month.

Microsoft Office 365 has been adopted by many healthcare organizations, but that does not necessarily mean that Office 365 is HIPAA compliant. Microsoft does support HIPAA compliance and Office 365 can be used in connection with protected health information without violating HIPAA Rules, but not all packages provided by Microsoft meet the requirements of HIPAA.

Office 365 Business is not a HIPAA compliant package as HIPAA requires audit logs to be created and maintained, and this option is not available with Office 365 Business. Audit logs are available with Office 365 Business Essentials and Office 365 Business Premium, so both of these packages can be HIPAA compliant. The Enterprise offerings – Office 365 Enterprise E1, Office 365 Enterprise E2, and Office 365 Enterprise E3 – can also be HIPAA compliant.

Provided a healthcare organization or business associate of a HIPAA-covered entity has one of the above “compliant” packages, and the company has obtained a signed business associate agreement from Microsoft that covers Office 365, Office 365 products can be used in connection with protected health information.

However, even with a BAA and the correct package, Office 365 is not HIPAA compliant by default. Microsoft explains that it is the responsibility of a HIPAA-covered entity or HIPAA business associate to ensure that an adequate compliance program is in place and that the use of Microsoft products aligns with the requirements of HIPAA and the HITECH Act. Microsoft, as a HIPAA business associate, has built its in-scope services to support compliance, but those services can still be configured and used in a manner that is not compliant with HIPAA. It is the responsibility of each covered entity and business associate to ensure that they are in compliance with HIPAA.

That means setting up access controls, ensuring an audit trail is maintained, backing up files containing protected health information, and ensuring staff are trained on the use of Office 365 products and employees are aware of their responsibilities with respect to PHI.

Appropriate security controls must also be applied, including single sign-on, multi-factor authentication, and anti-spam and anti-phishing protection for email, whether through third-party solutions or Microsoft’s own Exchange Online Protection (EOP) and Advanced Threat Protection (ATP).
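Two of the controls listed above, the audit trail and multi-factor authentication, can be checked from an administrator’s PowerShell session. The script below is an added example written for this page, not Microsoft documentation or anything from the original article. It assumes the ExchangeOnlineManagement and MSOnline modules are installed, that the signed-in account has Exchange and Azure AD admin rights, and that admin@contoso.onmicrosoft.com is a placeholder for the tenant admin account.

```powershell
# Added example (not from the original article): verifies two of the HIPAA-relevant
# controls discussed above against an Office 365 tenant.
# Assumptions: ExchangeOnlineManagement and MSOnline modules are installed, and the
# UPN below is a placeholder for a tenant admin account.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com
Connect-MsolService

# 1. Audit trail. The unified audit log only records activity once ingestion is
#    enabled; if it is off, there is no audit trail to retain, whatever the plan.
$auditConfig = Get-AdminAuditLogConfig
if (-not $auditConfig.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF; enabling it now."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Output "Unified audit log ingestion is enabled."
}

# Spot check that mailbox activity is actually being recorded: pull the last 7 days
# of Exchange item events. Search-UnifiedAuditLog caps a single call at 5000 rows,
# so busy tenants need a narrower window or paging with -SessionId/-SessionCommand.
$recent = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType ExchangeItem -ResultSize 1000
Write-Output ("Exchange item audit events in the last 7 days: {0}" -f @($recent).Count)
$recent | Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize

# 2. Multi-factor authentication. Under the legacy per-user MFA model, a user with no
#    StrongAuthenticationRequirements entries has MFA neither enabled nor enforced.
#    Caveat: tenants that enforce MFA through Conditional Access or Security Defaults
#    will show empty requirements here even though MFA is required at sign-in, so
#    confirm which model the tenant uses before treating this list as a finding.
$noMfa = Get-MsolUser -All -EnabledFilter EnabledOnly |
    Where-Object { $_.IsLicensed -and $_.StrongAuthenticationRequirements.Count -eq 0 }
Write-Output ("Licensed, enabled users without per-user MFA: {0}" -f @($noMfa).Count)
$noMfa | Select-Object DisplayName, UserPrincipalName | Format-Table -AutoSize
```

Run this from a session with the relevant admin roles and review the two lists it produces: an empty or near-empty audit result for an active tenant usually means ingestion was only just enabled (events take some hours to appear), and any licensed user who handles PHI appearing in the MFA list needs MFA enforced by one of the models the caveat describes.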

Provided a BAA has been obtained, the correct package is purchased, and all products in the Office 365 suite are configured and used correctly, Office 365 is HIPAA compliant.