Is Microsoft Office 365 HIPAA Compliant?

Microsoft will agree to complete a business associate agreement (BAA) with HIPAA-covered entities for Office 365 and Microsoft Dynamics CRM Online, provided the latter is purchased through Volume Licensing Programs or the Dynamics CRM Online Portal. The Microsoft BAA also covers use of the Microsoft Azure cloud platform.

Microsoft does not require that a BAA be obtained before using Office 365, as the BAA is automatically made available to customers with an online service contract. However, HIPAA-covered entities must obtain a BAA before using Office 365 in conjunction with any electronic protected health information (ePHI). They should also designate an administrative contact, since it is this contact that Microsoft will alert should a security breach occur.

While there are businesses that offer HIPAA certification to confirm that a company or product complies with HIPAA Rules, there is no official certification recognized by the HHS' Office for Civil Rights or any other federal body. However, Microsoft has completed independent audits under ISO 27001, which include assessments of security practices recommended by the HHS. Office 365 has been assessed as having all the privacy and security controls necessary to comply with HIPAA requirements.

Security and Office 365

All data saved to or stored on Microsoft servers is secured with encryption, and any data sent outside of Microsoft facilities is also encrypted. However, packet headers and message headers are not encrypted.

Provided that ePHI is not entered into the subject line of emails, the names of files attached to emails, or the To and From fields of emails, email can be used safely and in line with HIPAA Rules.

Microsoft Office 365 meets HIPAA auditing requirements: logs of access to stored data are retained, and reports on access logs can be obtained from Microsoft on request.

Microsoft provides two-factor authentication to stop Office 365 and Outlook email accounts from being accessed when a password has been stolen and an unfamiliar device attempts to log into the account.

Can Microsoft Office 365 be Considered HIPAA Compliant?

Once a HIPAA-covered entity has completed a business associate agreement with Microsoft, Office 365 can be used in a manner compliant with HIPAA Rules.

While Microsoft has put in place all the privacy and security controls necessary for HIPAA-covered entities to use Office 365 while remaining compliant with HIPAA and the HITECH Act, use of Office 365 does not by itself guarantee compliance, even once a BAA has been obtained from Microsoft.

It remains the responsibility of the covered entity to ensure that access controls are configured properly, administrator access tracking is enabled, Microsoft Dynamics CRM Online for supported devices is turned off, access control reports are obtained and checked regularly, and all users are trained to use Office 365 in a manner compliant with HIPAA Regulations.
