Microsoft Outlook HIPAA Compliance

April 12, 2024Thomas BrownHIPAA News0

For users of Microsoft Outlook, HIPAA compliance consists of subscribing to a suitable plan, agreeing to the terms of Microsoft’s Business Associate Agreement, configuring Outlook to comply with HIPAA, and training members of the workforce to use the email service compliantly.

Microsoft Outlook is a popular email service that can be used for free by personal users or as part of a paid-for package of productivity, collaboration, and communication tools by businesses. For businesses in the healthcare and health insurance industries, the paid-for packages of tools have to comply with all applicable standards of HIPAA if they are used to create, receive, store, or transmit Protected Health Information (PHI).

As email is frequently used for healthcare transactions that use or disclose PHI, it is difficult to think of many scenarios in which it would be possible to operate efficiently with a HIPAA compliant email service. Fortunately, for healthcare and health insurance businesses that use Microsoft Outlook, HIPAA compliance is not difficult to achieve.

Subscribe to a Suitable Plan

Microsoft Outlook is included in most Office 365, Microsoft 365, Windows 365, and Dynamic 365 business plans. Choosing the most suitable plan consists of conducting a risk assessment to identify threats and vulnerabilities to PHI, and comparing each plan’s capabilities against the threats and vulnerabilities to see which best mitigates the risk of a data breach.

If there is no exact match between what capabilities are required and the capabilities of a specific plan, it is possible to subscribe to a less expensive plan and purchase security and compliance add-ons. This is generally more cost-effective than subscribing to a plan that includes products and services that will never be used (but will still be paid for).

Review the Terms of the BAA

When a HIPAA covered entity or business associate subscribes to a Microsoft business plan, if the service agreement includes an Online Services Data Protection Addendum (which is likely for most businesses), Microsoft’s Business Associate Agreement (“BAA”) is automatically entered into upon execution of the service agreement.

Microsoft’s Business Associate Agreement is a standard Agreement containing details of Microsoft’s responsibilities and the customer’s obligations towards PHI. However, covered entities and business associates are advised to obtain a copy of the BAA and review it in advance of committing to a subscription for a Microsoft business Plan.

Configure Outlook to Comply with HIPAA

Disappointingly, what help there is to help system administrators configure Outlook to comply with HIPAA is very limited. System administrators with little experience of Outlook are advised to seek assistance from the online Admin Center. Alternatively, it may be possible to obtain help from Microsoft’s customer support depending on the type of plan.

Once Outlook has been configured to comply with the applicable standards and implementation specifications of the Security Rule and mitigate the threats and vulnerabilities identified in the risk assessment, system administrators can test the effectiveness of their configuration settings via the Purview Compliance Manager.

Training Members of the Workforce

While the Purview Compliance Manager can prevent most accidental disclosures of PHI, it cannot prevent them all. Members of the workforce must receive HIPAA training on topics such as permissible uses and disclosures of PHI and the minimum necessary standard to ensure Microsoft Outlook is used compliantly when sending emails containing PHI.

HIPAA training on Microsoft Outlook HIPAA compliance should also include refraining from including PHI in the subject line of emails (because the subject line is not encrypted when emails are in transit) and refraining from including PHI with individuals’ contact details (as the contents of the contacts file is not covered by the BAA).