How to Make Office 365 HIPAA Compliant

The way to make Office 365 HIPAA compliant is to subscribe to an Office 365 plan that supports HIPAA compliance, configure the products and services to comply with the Security Rule, and train members of the workforce how to use the products and services in compliance with HIPAA.

If you are already a Microsoft customer and intend to use Office 365 products and services to create, receive, store, and/or transmit Protected Health Information, it will also be necessary to enter into a Business Associate Agreement (BAA) with Microsoft. The BAA for new customers is executed automatically when you sign the Office 365 Service Contract.

Why Make Office 365 HIPAA Compliant?

If you qualify as a HIPAA covered entity or a business associate, you are required to comply with the applicable standards of the HIPAA Administrative Simplification Regulations. If – as a HIPAA covered entity or business associate – you create, receive, store, and/or transmit Protected Health Information (PHI), the services you use for these activities must be HIPAA compliant.

This means that if you use Office 365 products and services such as Microsoft Teams, Skype, OneDrive, and/or Outlook for HIPAA regulated activities, you must make Office 365 HIPAA compliant. If you fail to make Office 365 HIPAA compliant, not only would you be in violation of HIPAA, but you could be fined if your non-compliance with HIPAA results in a data breach.

What Does Office 365 HIPAA Compliance Consist Of?

Office 365 HIPAA compliance consists of subscribing to an Office 365 or Microsoft 365 plan that has the capabilities to support your organization’s compliance with HIPAA. In practice this means conducting a risk assessment to identify reasonably anticipated threats to PHI or impermissible disclosures of PHI that would result from using an Office 365 product or service.

Taking into account any existing security measures in place to mitigate threats and impermissible disclosures, it is then necessary to compile an Office 365 HIPAA compliance checklist and compare the plans which support HIPAA compliance against the checklist – adding Office 365 compliance and security add-ons where necessary to fill any gaps.

Configuring HIPAA Compliance for Office 365

Because of the range of potentially suitable plans, products and services, and add-ons, there is no single guide to configuring HIPAA compliance for Office 365. System administrators who encounter challenges can refer to the help pages in the Microsoft Admin Center, reach out to customer support, or speak with a compliance professional with experience with Office 365.

Once you feel you have configured Office 365 to support compliance with HIPAA, it is advisable to confirm the settings by using the Compliance Manager. The Compliance Manager will provide you with a compliance score and make recommendations about how to improve the score. You can also use the Compliance Manager to create user policies and monitor user compliance.

A Note about Office 365 Email Security

One of the most common causes of HIPAA data breaches is email. Users can be tricked into interacting with a phishing link, download malware from an infected attachment, or send PHI to an unauthorized recipient in error. Office 365 email security can prevent most email-related HIPAA data breaches via the Defender for Office 365 add-ons (included in Office 365 Plan E5).

There is a choice of two Defender for Office 365 add-ons. Both have “Safe Links” and “Safe Attachments” capabilities, while the second of the add-ons also includes automated response capabilities and attack simulation training. Data Loss Prevention policies that can mitigate the risk of PHI being sent to unauthorized recipients can be created in the Compliance Manager.
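One way to implement the Data Loss Prevention control described above from Security & Compliance PowerShell, as an added example that is not from the article or from Microsoft; the tenant UPN, policy and rule names, and the list of sensitive information types are assumptions to adjust for your tenant:

```powershell
# Added example (not from the article or Microsoft): a DLP policy that blocks
# email, Teams, SharePoint and OneDrive sharing of likely PHI with anyone
# outside the organization. Requires the ExchangeOnlineManagement module and
# a compliance administrator account; the UPN and names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@EXAMPLE-TENANT.onmicrosoft.com'

$policyName = 'HIPAA - Block PHI to external recipients'

# Sensitive information types are assumed to match the tenant's built-in
# definitions; confirm the names with Get-DlpSensitiveInformationType first.
$phiTypes = @(
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
    @{ Name = 'Drug Enforcement Agency (DEA) Number'; minCount = '1' },
    @{ Name = 'International Classification of Diseases (ICD-10-CM)'; minCount = '1' }
)

# 1. Create the policy in test mode first, so matches on real traffic can be
#    reviewed for false positives before anything is blocked.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Added example: detect PHI leaving the organization' `
    -ExchangeLocation All -SharePointLocation All `
    -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# 2. Rule: when PHI is detected and the recipient or share scope is outside
#    the organization, block access, tell the sender why, and raise a
#    high-severity incident report for the investigation record.
New-DlpComplianceRule -Name 'PHI to external recipient' -Policy $policyName `
    -ContentContainsSensitiveInformation $phiTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This content appears to contain PHI and cannot be shared outside the organization.' `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# 3. After reviewing the test-mode matches, switch the policy to enforcement.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# 4. Verify the rule is active and configured to block external sharing.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, Disabled, BlockAccess, AccessScope, NotifyUser
```

Leave the policy in test mode until the match reports show the sensitive information types are not flagging routine non-PHI traffic; only then move to step 3.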

Why Workforce Training May be Necessary

The final stage of making Office 365 HIPAA compliant is training members of the workforce how to use the products and services in compliance with HIPAA. The training may be necessary to reinforce policies about permissible uses and disclosures of PHI or the minimum necessary standard, or just to remind users not to include PHI in file names or the subject lines of emails.

HIPAA training on how to use Office 365 in compliance with HIPAA is additional to the security awareness training that has to be provided to all members of the workforce, and should be provided before the organization uses Office 365 to create, receive, store, and/or transmit PHI and whenever the Compliance Manager identifies non-compliance with an Office 365 policy.

Is Office 365 HIPAA Compliant? FAQs

Which Office 365 services are covered by the Microsoft BAA?

The Microsoft BAA includes a link to a page dedicated to HIPAA and HITECH compliance. On this page, there is a list of “in-scope services” covered by the BAA. Please note, some of the “in-scope services” (e.g., Office Pro Plus) include multiple products, so if you don't see a specific product listed, you may have to look deeper into each service.

Does this mean some Office 365 services might not be covered by a BAA?

The potential exists for services to be included in an Office 365 subscription plan that covered entities are unable to use to create, store, and transmit ePHI. However, in most cases, the services not covered by Microsoft's BAA would likely not be used for creating, storing, and transmitting ePHI. (Note: some services are in the process of being certified to support HIPAA compliance.)

How do I know if Office 365 services are configured in compliance with HIPAA?

Microsoft offers a “Compliance Manager” service which assesses the controls currently being used and recommends improvements where necessary. The Compliance Manager service is included in the in-scope services of Microsoft's BAA and can be customized to assess controls for HIPAA compliance or for any other regulatory requirements the organization may be subject to.

Are there any specific HIPAA compliance policies for Office 365?

All HIPAA compliance policies should be developed based on the analysis of a risk assessment. However, with regards to HIPAA compliance policies for Office 365, covered entities may wish to remind users not to enter ePHI in directories, address books, and global address lists, not to share ePHI in troubleshooting or support conversations with Microsoft, and not to reference ePHI in file names, email headers, or publicly accessible SharePoint locations.

With regards to emails, is Outlook covered by a Microsoft BAA?

Outlook is part of the Office Pro Plus suite of products and therefore covered by a Microsoft BAA. However, before using Outlook to send or receive communications containing ePHI, covered entities must ensure the correct encryption mechanisms are in place to secure ePHI at rest and in transit, and that users are reminded of the Minimum Necessary Standard in all communications.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: