The topic of HIPAA compliance is vast and complex – and changing every day. The bulk of patient information is moving out of file cabinets and online into the cloud. As medical practices rely more and more on new technology, it is imperative that they keep the HIPAA regulations at front of mind.
Each new application integrated into office procedures should be examined to determine if it meets the stringent requirements of HIPAA, in order to protect against inadvertent HIPAA violations and fees.
The Microsoft suite of products is prolific in nearly every office environment these days, but does it measure up to HIPAA standards? Let’s begin with a brief review of Office 365 as it pertains to healthcare.
What is Office 365?
Office 365 is a suite of subscription products developed by Microsoft which includes such familiar products as Word, Outlook, Excel, PowerPoint, Publisher, OneNote, and Access.
Office 365 for Medical Practices and Healthcare Organizations
A Business Associate Agreement (BAA) is automatically included as a part of all online service contracts, but Microsoft does not require it to be implemented for general use.
However, HIPAA covered entities should obtain a BAA from Microsoft before utilizing Office 365 as it relates to electronic protected health information (ePHI). The onus is on the healthcare organization to properly execute the agreement. In the BAA, an administrative contact must be named, and it is this contact who will be notified by Microsoft in the event of a security breach or malicious attack. It is imperative, therefore, that the contact is updated immediately should the named administrator leave the organization, in order to ensure prompt notification of a breach.
Is Microsoft Office 365 HIPAA Compliant?
Here are some important facts regarding Microsoft 365 and HIPAA compliance.
- Microsoft has undergone independent audits under ISO 27001, and Office 365 has been verified as having all necessary privacy and security controls to comply with HIPAA Rules.
- The BAA is a key component to HIPAA compliance. Once the agreement is put in place with Microsoft, Office 365 is deemed a HIPAA compliant email solution and can be used within HIPAA regulations.
- Appropriate privacy and security controls have been incorporated by Microsoft to ensure that Office 365 will remain compliant with HIPAA. However, the use of Office 365 does not guarantee your organization’s compliance.
- It is the responsibility of covered entities (medical practices) to ensure all users are trained on how to use Office 365 in a manner compliant with HIPAA Rules.
How Microsoft Protects Your Data & Ensures Compliance
- All data uploaded to or stored on Microsoft servers is protected by encryption, and any data transferred outside of Microsoft facilities is similarly encrypted (note that packet headers and message headers are not encrypted).
- Microsoft Office 365 meets HIPAA auditing requirements by keeping logs of access to any stored data. Reports on access logs can be obtained from Microsoft on request.
- Microsoft provides two-factor authentication to prevent Office 365 and Outlook email accounts from being accessed if a password is compromised or an unfamiliar device attempts to log in to an account.
The HIPAA rules are in place to ensure that customer confidential data and records are kept secure. While Microsoft Office 365 is verified as HIPAA compliant, it is ultimately the responsibility of the healthcare organization to follow all procedures properly.
Ongoing training in your practice is recommended, to ensure that all employees and staff understand not only the proper way to interact with customer data and technology but the serious ramifications if there is a violation.
Alliance IT offers managed services, cloud-based services, and project management teams that can take the worry out of your HIPAA compliance efforts.
We are happy to discuss all of your data security needs and to help your Sarasota or Bradenton healthcare organization to thrive and grow along with the ever-changing technology landscape.