Is Office 365 Email Hipaa Compliant

Get A Baa With Microsoft

HIPAA Encrypted Email & Office 365

HIPAA regulations cover not only the companies responsible for providing health care and processing claims , but also their business associates . This means that business associates can be liable for compromised ePHI, but so can the provider using the business associates services if they did not conduct due diligence. To ensure HIPAA compliance and consistency on all sides, providers should have a business associate agreement in place with their business associates.

The requirements for a BAA are set forth in the HIPAA Security Rule, and include:

  • How the business associate is allowed to use the ePHI
  • A provision forbidding the business associate from using or disclosing ePHI in a manner not permitted in the BAA
  • Required safeguards the business associate must use to prevent unauthorized use or disclosure of the ePHI

Luckily, if youre going to use a Microsoft service to handle ePHI, Microsoft cloud services covered under BAAs have been audited for the Microsoft ISO/IEC 27001 certification. Microsoft already has a standard HIPAA Business Associate Agreement that can be applied to most business associate relationships as well.

Microsoft 365 And Hipaa Compliance Faq

Are there any HIPAA concerns with using Office 365?

As long as you carefully review Microsofts BAA and understand the scope of its security and compliance protections, confirm that those protections meet your HIPAA compliance needs, and have all required security controls on your end, you should have few if any concerns about HIPAA compliance.

Office 365s HIPAA protections are robust, but ultimately, compliance is your responsibility as the HIPAA covered entity.

Which Microsoft Office 365 plan is HIPAA compliant?

Microsoft offers its HIPAA compliance BAA to users of Office 365 Business, Office 365 US Government, and Office 365 US Government Defense. However, lower-level licenses of these services may not have all of the advanced security features youll want to use to maintain your compliance.

Microsoft recommends that users seeking HIPAA compliance enable top-level security protections. Some of these protections, including anti-phishing threat explorers and data loss prevention, are only available for holders of higher-tier Enterprise licenses.

Does having a BAA with Microsoft guarantee compliance with HIPAA and the HITECH Act?

No, a BAA doesnt guarantee compliance. The BAAs purpose is to clarify what compliance requirements are the responsibility of the HIPAA business associate. For example, if there is a breach in your Microsoft Office 365 account, Microsoft will notify you that it has occurred.

The Hipaa Omnibus Bill Of 2013

Since HIPAA law was established in 1996, technology has dramatically evolved. With the recognition that email and data transmission are primary forms of doing business, the HIPAA Omnibus Bill became an addendum to HIPAA law in 2013. This bill gives healthcare consumers freedom to receive their personal health information if they understand and acknowledge the risks associated with unencrypted forms of communication. If a healthcare entity gets consent to communicate outside of the original HIPAA standards set forth in the law, the healthcare entity is not held responsible if there is a breach once the information is transmitted to the consumers unsecure email.

You May Like: How To Put An Image In Your Email Signature

Does Microsoft 365 Offer Hipaa Compliant Service

The Business Associate Agreement is a key component to HIPAA compliance between a covered entity and a business associate. Since Microsoft 365 offers one, we conclude it can be a HIPAA compliant email solution.

Make sure you sign a BAA with Microsoft before using Microsoft 365 to store or transmit any protected health information .

Rmail: Encryption And Security

How to maintain HIPAA compliance with Microsoft Office 365 ...

This HIPAA compliant email encryption service provides true direct delivery of your encrypted message and attachments into your recipients inbox without requiring any extra links. That means recipients wont need to register for an account, open a web browser, or otherwise leave their inbox to access messages. RMail offers an automatic encryption mode. All encrypted messages are sent by TLS automatically when TLS is detected and supported by both sender and recipient mail servers. Otherwise, RMail encrypts and delivers messages and attachments directly into the recipients inbox . There is no need to retrieve it from an outside server or website. With options for secure end-to-end delivery, you can be sure that your email message will only be read by its intended recipient. There are several delivery configurations available.

Recommended Reading: How To Block An Email Address In Gmail

Microsoft 365 And The Business Associate Agreement

Weve previously talked about how a Business Associate Agreement is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance to ensure security and privacy.

We checked the Microsoft Azure Trust Center and found a page called HIPAA and the HITECH Act.

In it, Microsoft wisely points out:

Currently there is no official certification for HIPAA or HITECH Act compliance. However, those Microsoft services covered under the BAA have undergone audits conducted by accredited independent auditors for the Microsoft ISO/IEC 27001 certification.

We also found on that page that several versions of Microsoft 365 are covered by Microsofts BAA. Those versions are:

  • Microsoft 365
  • Microsoft 365 U.S. Government Defense

Egress: Encryption And Security

Egress appoints a Technical Account Manager for mid-size businesses that can help with specific security needs, like HIPAA compliance. Clients can discuss requirements and implement Egress in cloud-hosted, fully on-premise, or hybrid setups according to exact specifications.

This HIPAA compliant email encryption service secures data at rest and in transit using AES-256 bit encryption, providing end-to-end, message-level encryption. Users can also enable extra controls, like forced multi-factor authentication. When you send an encrypted email with Egress, you can revoke recipient access or prevent recipient actions, such as downloading, printing, screen-shotting or copy/paste.

Multi-factor authentication can be enabled, and customizable policy controls allow further security enhancements for when sensitive data is being shared. Users can also send large files securely, bypassing file size restrictions. Automated Data Loss Protection policies can recommend or force encryption based on keywords found within the email or attachments.

Read Also: How To Delete All Your Emails On Gmail

Ways To Achieve The Office 365 Hippa Compliance Email

Employee guidance is an essential step for implementing any technology or compliance. It is crucial that users have an idea about what is constitutes ePHI, its uses, sharing methods and how to view it. For Office 365, Microsoft offers a list of mediums that ePHI should be considered securely:

  • Information of a SharePoint file
  • Lync presentation files body
  • Voice conversations or IM
  • The body of every email
  • Email attachments
  • URLs or public SharePoint sites
  • Account, billing, service data
  • User global address list

Time to Wrap Up

Most healthcare companies are searching the ways to protect their health information with HIPPA compliance. Thus, Microsoft offers HIPAA Compliance in Office 365. However, users must aware from the full use and administration of this service. Consequently, for introducing users to Office 365 HIPAA Compliance, its Configuration, Encryption, and Uses, we have come up with this blog. This article consists all the necessary information about the same.

About The Author


A versatile technophile, blogger, and editor with over 7 years of experience to resolve the issues encounter by the users while working on various platforms. Also, provides an easy solution related to Windows, Mac, MS Outlook, MS Exchange Server, Office 365, and many other services and technologies.

Office 365 Hipaa Compliance Is Completely Transparent

Gary Powell: Microsoft Office 365 HIPAA compliant calendar invites through Paubox

Like other cloud security providers, Microsoft has layers and layers of inside and outside auditors measuring their compliance and IT security measures. You can take a detailed look into their compliance norms by downloading this pdf.

Microsoft has done an amazing job giving customers visibility into the results of these audits to prove that Microsoft365 is HIPAA-compliant.

Here is a step-by-step guide on how you can set up your console.

In their admin console, you enter your location and industry:

Microsoft automatically shows you compliance reports relevant to your location and industry.

We cant show you the details because theyre covered under NDA, but these two will give you an idea.

  • Status of Audited Controls

See exactly which IT security controls were audited, and whether they passed or failed:

Recommended Reading: How Can A Retailer Track A Shopper’s Email Address

When Email Can Unknowingly Transmit Phi

Take this real-life example: Individuals who are responsible for purchasing their own health insurance can go online and buy a major medical insurance policy during the open enrollment period each year. When their application is complete and they purchase the policy, it is common for an automatic email to be generated, usually in an email template format, confirming the purchase and submission.

The new health insurance policyholder could possibly receive this email from the website where the health insurance was purchased, the health insurance company they bought the policy through or both.

In this case, the company should only use email to communicate the submission for insurance was received, and provide account setup instructions to a secure portal for the insurance purchaser to download their documents from.

Learn How To Get Your Microsoft Business Associate Agreement Here

Microsofts BAA covers Office 365, SharePoint, Azure, and Microsoft Dynamics CRM Online. They state on their site, Microsoft offers its covered entity and business associate customers a Business Associate Agreement that covers in-scope Microsoft services. The Microsoft HIPAA Business Associate Agreement is available through the Microsoft Online Services Data Protection Addendum by default to all customers who are covered entities or business associates under HIPAA. The HIPAA Business Associate Agreement is also available for in-scope Microsoft Professional Services upon request. Contact your Microsoft services representative for more information. Microsoft will not sign a third-party BAA, and does not claim responsibility if the end user does not use their service in a HIPAA compliant manner.

When signing a Microsoft BAA, it is important to establish an administrative contact. This ensures that if Microsoft were to experience a breach, the healthcare organization would be informed of the breach.

You can access Microsofts BAA here.

Read Also: What Does Cc Mean When Sending An Email

Office 365 Or Google Docs For Hipaa Compliance

Organizations that handle healthcare data, whether they are covered entities or their business associates, must meet the requirements of the Health Insurance Portability and Accountability Act of 1996 . HIPAA and HITECH are US federal laws that created regulations related to how sensitive personal health data is used and disclosed . It is necessary for doctors, hospitals, health insurers, and other healthcare organizations to meet the stipulations within these laws and to have the responsibilities within the relationship defined by a business associate agreement . The BAA contract is important because it clarifies all aspects of data creation, storage, receipt, and transmission so that accountability is possible for all privacy and security concerns.

But within these requirements, covered entities will likely be using some sort of word processing or document creation software suite, such as Office 365 or G Suite. Which one is better suited to maintaining HIPAA compliance according to the standards above?

This article looks at two perspectives, one advocating each of the two systems, before going through the specifics and process for implementation of each environment.

What Is Hipaa Compliant Email

office 365 hipaa dlp policy

HIPAA compliant email is an email service that meets minimal HIPAA requirements for the security and privacy of electronic Personal Health Information . HIPAA compliance for emails includes all the requirements that other technologies have regarding this data, including:

  • Restricting access to ePHI at rest or in transit
  • Monitoring and protecting ePHI at rest or in transit
  • Ensuring ePHI integrity and accountability at rest or in transit
  • Email is a unique technology regarding security because emails are involved, by their very nature, in both storage and transmission. People send emails, and servers and applications store emails.

    With that said, there are several parties involved in the management of emails that must consider rules and regulations: senders and receivers, and third-party email vendors.

    Also Check: How Do I Delete My Email Account

    Office 365 Applicability And In

    Use the following table to determine applicability for your Office 365 services and subscription:

    ApplicabilityIn-scope services
    CommercialAccess Online, Azure Active Directory, Azure Communications Service, Compliance Manager, Customer Lockbox, Delve, Exchange Online, Forms, Griffin, Identity Manager, Lockbox , Microsoft Defender for Office 365, Microsoft Teams, MyAnalytics, Office 365 Advanced Compliance add-on, Office 365 Customer Portal, Office 365 Microservices , Office 365 Security & Compliance Center, Office Online, Office Pro Plus, Office Services Infrastructure, OneDrive for Business, Planner, PowerApps, Power BI, Project Online, Service Encryption with Customer Key, SharePoint Online, Skype for Business, Stream
    GCCAzure Active Directory, Azure Communications Service, Compliance Manager, Delve, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, MyAnalytics, Office 365 Advanced Compliance add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business, Stream

    Vital Steps To Remain Hipaa

    Microsoft Office 365 is an incredibly useful suite of tools that can be used by health providers, insurance companies, and their business associates alike to store, transfer, and manage patient files. However, the HIPAA Security and Privacy Rules, along with HITECH regulations, introduced very strict requirements to safeguard patients electronic protected health information . Implementing 365 without considering these requirements is a recipe for disaster.

    With that in mind, here are four important points that cannot be overlooked to ensure your use of Office 365 keeps you in line with HIPAA requirements.

    Read Also: Can You Recover An Old Email Account

    Office 3: Is It Hipaa Compliant

    Microsoft Office 365 is a productivity suite of tools we all know and love. With the help of O365, all businesses not just healthcare providers have been able to transform the way they take on and complete administrative tasks, and this has benefited the business time and time again. So, its no wonder that O365 has become an essential aspect of almost every business.

    In the healthcare industry, Office 365 has made a lot of difference. It has helped them to work more efficiently and streamline their business processes. Many healthcare providers use it for communication purposes, and it can also make collaboration among different departments easier. But the question remains: is Office 365 HIPAA compliant?

    Mailhippo: Encryption And Security

    HIPPA Compliance & Office 365

    MailHippo uses end-to-end encryption to ensure that your emails are secure in transit and at rest. The body of the message and attachments are encrypted using 256-bit encryption, and all records are encrypted and stored on the secure MailHippo platform.

    The company also keeps track of all access to messages sent using its platform, including the time, date, authorized user, their IP address, and which records they accessed.

    Read Also: How To Recover An Old Email Account From Google

    Popular Articles

    Related Stories

    Stay on top - Get the daily news in your inbox