Microsoft Office365 and HIPAA
Office 365, is arguably the most widely used suite of subscription-based products from Microsoft which includes Word, Excel, Outlook, PowerPoint, Access, Publisher, and OneNote. Since this group of applications is among the most popular on the market, many healthcare organizations have been prompted to ask whether Office 365 products are HIPAA compliant, and therefore can be used without presenting any risk to the protected health information (PHI) that they handle. We will answer every detail of that question for you below!
Can Office 365 Be Made HIPAA Compliant?
Yes! Luckily Office 365, Azure, and SharePoint are all systems that can be used in a HIPAA Compliant manner and can be used by healthcare organizations of all kinds - covered entities and business associates included. They have undergone independent ISO 270001 audits regularly which have verified their implementation of the necessary controls in order to comply with HIPAA. Knowing that Microsoft has taken the steps necessary to become compliant allows HIPAA-compliant organizations to feel confident entering into partnerships with them and their products given that a few steps are taken beforehand.
A Quick BAA Reminder…
It is important to keep in mind that before you, as a HIPAA compliant organization, choose to work with any other individual or company in a way that may allow them access to any of the PHI that you store, transmit, or create, then you need to have a business associate agreement in place with them. A business associate agreement, or BAA, is a legal contract between a healthcare provider and a separate individual or organization that will receive access to PHI as part of its services for the provider. Essentially a BAA exists so that each party is kept responsible and liable for their handling and protection of the patient information that they are required under HIPAA to keep secure. BAAs are mandated by HIPAA under the Security Rule but they are also important in order to protect your practice from liability in the event of a breach on your vendor’s behalf.
How does Microsoft handle BAAs?
Microsoft does offer a Business Associate Agreement (BAA) to organizations, but only those that are using the paid version of their services. Due to the requirements to protect PHI, all healthcare organizations who are looking to use Office 365 products, Sharepoint, or Azure in any way that could interact with ePHI, must sign a BAA with Microsoft and therefore must be on an upgraded paid account of the service.
Unfortunately for organizations underneath HIPAA, simply signing a BAA with Microsoft does not guarantee that all ePHI will be kept entirely secure in all ways through these products. Microsoft offers just one BAA version and will not modify that for any client, so be sure to fully review the document in order to determine if this contract will fit your needs. Plus, as with any company, you may work with even with a BAA in place, you are still responsible for checking safeguards and ensuring that you are utilizing the software in a HIPAA compliant manner.
Let’s quickly discuss the actions or pieces of information that Microsoft’s BAA does and does not claim liability over. Be attentive to these exceptions because due to their lack of responsibility for these items in the contract, any organization that chooses to work with them must either be sure to not use PHI in these manners or choose a different set of applications with a more comprehensive BAA.
Services Covered by the BAA
Microsoft has created a clear list of which of their cloud services are covered by the standard BAA that they offer to eligible clients. That list can be found here under the “Microsoft in-scope cloud services” heading. All data that is stored or uploaded onto a Microsoft server is fully encrypted in place but also with end-to-end encryption when it is shared with any other party.
HIPAA requires that all organizations under it utilize access management where they can view who is able to access what information and then they can track users as they do interact with PHI. Luckily, Microsoft is capable of creating these access logs for their software with a request.
Exceptions of the BAA
As mentioned above, Microsoft’s BAA does encrypt PHI data at rest and on the move, however, that does not cover every last detail. Microsoft does not encrypt and the BAA does not cover email subject lines, file names, and message headers. Since these locations of information are not included in the level of protection of the BAA, the responsibility falls on your organization to be sure that PHI is never contained in any of these locations that are not covered.
Your side of the deal
Since BAAs are bilateral agreements between two organizations that then share responsibility over and liability for protected health information that is accessed or transmitted between the two parties. We’ve discussed what Microsoft has agreed to encrypt and cover on their end based on their non-editable BAA. However, this dual-sided agreement does lay out certain expectations and checks that you as the other party are responsible for. Here are the details on your end of the bargain:
- You are responsible for setting up and regularly checking access controls to any physical or electronic location where PHI can be accessed by employees.
- All employees should be trained on the best practices for utilizing Office 365 products in a HIPAA compliant manner so that PHI is kept secure.
- If Outlook is one of the applications that you are utilizing, then there are a few extra steps that you need to take to become HIPAA compliant.
- Monitor usage of PHI to avoid placing that information within any of the exceptions (email subject lines, file names, and message headers)
Just because you have ensured that your Office 365 usage is compliant or just because your employees are trained yearly, does not mean that your entire organization is HIPAA compliant. If you are unsure of whether you meet the compliance standards, feel free to utilize our free risk assessment in order to determine potential spots of weakness in your organization’s compliance. And as always, feel free to schedule a call with one of our compliance specialists today!