Microsoft Outlook & HIPAA Compliance
No software or email platform is HIPAA compliant in itself, because compliance depends less on the technology than on how it is implemented and operated. Even so, software and email services can support HIPAA compliance. For an email service to do so, it must provide the security features needed to ensure that any information uploaded to and shared through the service is protected from exposure or interception of sensitive data.
The platform provider must also be willing to sign a business associate agreement (BAA) with HIPAA-covered entities and, by doing so, agree to comply with the requirements of the HIPAA Privacy, Security, and Breach Notification Rules.
Microsoft has already taken steps toward making many of its services suitable for healthcare providers by agreeing to sign a business associate agreement. Crucially for healthcare organizations, the BAA does not cover all of Microsoft's software and services.
Outlook.com is a free, web-based email platform that may look similar to the Outlook client included in the Office 365 package, but it is not the same service. Outlook.com is a consumer product, is not covered by the BAA, and should not be used by healthcare organizations, at least not for sharing ePHI.
Microsoft supports HIPAA compliance for its Office 365 suite and will sign a business associate agreement with healthcare organizations for the enterprise version of Office 365; however, meeting all HIPAA requirements depends on buying the right package. A vital part of HIPAA compliance is maintaining audit logs, which this article reports are not available in Office 365 for Business. HIPAA compliance is only supported for specific enterprise plans, and all of the features necessary for HIPAA compliance are only available in the Enterprise E3 and E5 plans. Plan contents change, so verify the feature comparison for the current plans before purchasing.
Office 365 and the associated Microsoft Exchange Online service can support HIPAA compliance and are included in the BAA; however, these services must be configured correctly, and additional controls are needed before Office 365 Outlook can be used for ePHI. Microsoft provides enterprise-level encryption, Microsoft Exchange Online Protection, data loss prevention (DLP), and the ability to remotely wipe data from mobile devices. Outlook can support HIPAA compliance once these services are enabled and configured properly, access controls are set up, audit logs are kept, single sign-on and two-factor authentication are turned on, data backups are completed, and staff are trained on the use of email for sending ePHI.
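The checklist above leaves the verification to the reader. The following PowerShell script is an added example, not code from Microsoft or from the original article; it checks the audit-logging and DLP controls the text calls for in an Exchange Online tenant and turns on unified and mailbox auditing where they are off. It assumes the ExchangeOnlineManagement module, an account holding the Exchange and Compliance admin roles, and a placeholder UPN (admin@contoso.example); access controls, SSO/MFA, backups, and training are outside what it can check.

```powershell
# Added example (not from Microsoft or the original article): verify the audit-log
# and DLP settings the article calls for, and enable auditing where it is off.
# Assumptions: ExchangeOnlineManagement module installed; the admin UPN below is a
# placeholder; the account has Exchange and Compliance administrator roles.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

# 1. Unified audit log: if ingestion is off, Search-UnifiedAuditLog returns nothing,
#    so there is no tenant-wide audit trail to retain.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF; enabling it."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing: find mailboxes with auditing disabled and enable it.
#    Auditing is on by default in newer tenants but can be switched off per mailbox.
$unaudited = Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.AuditEnabled }
foreach ($mbx in $unaudited) {
    Write-Warning "Mailbox auditing disabled on $($mbx.UserPrincipalName); enabling."
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true
}

# 3. Audit bypass: any account exempted from auditing is a hole in the audit trail.
#    Report these rather than change them; a bypass may be deliberate for a service account.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled

# 4. Prove the log is searchable: pull the last 7 days of Exchange admin actions.
$end   = Get-Date
$start = $end.AddDays(-7)
Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType ExchangeAdmin -ResultSize 50 |
    Select-Object CreationDate, UserIds, Operations

# 5. DLP: policies live on the Security & Compliance endpoint. Confirm at least one
#    policy is enforced (Mode = Enable, not a test mode) and scoped to Exchange mail.
Connect-IPPSSession -UserPrincipalName admin@contoso.example    # placeholder UPN
$dlp = Get-DlpCompliancePolicy | Where-Object { $_.Mode -eq 'Enable' -and $_.ExchangeLocation }
if (-not $dlp) {
    Write-Warning "No enforced DLP policy covers Exchange Online; ePHI can leave by email unchecked."
} else {
    $dlp | Select-Object Name, Mode, ExchangeLocation
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it from a workstation that already has the module installed; steps 1 and 2 change tenant settings, so review the warnings before running it against production, and treat an empty result from step 4 as a finding in its own right, since a log that cannot be searched cannot be retained or reviewed.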
Microsoft will sign a BAA but clearly states that having a BAA does not by itself guarantee compliance with HIPAA Rules: “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”