Is Office 365 HIPAA Compliant?

Yes, Microsoft Office 365 can be used in a HIPAA-compliant way, provided a HIPAA-covered entity has a business associate agreement (BAA) with Microsoft. Microsoft's BAA covers Office 365 and Microsoft Dynamics CRM Online when the products are purchased through specific channels such as Volume Licensing Programs or the Dynamics CRM Online Portal. Microsoft does not run a separate BAA signing process: the BAA is included automatically for customers with an online services contract. Covered entities should nonetheless confirm that the BAA is in place before any electronic protected health information (ePHI) is stored in or sent through Office 365, and should provide an administrative contact to receive breach notifications. There is no official HIPAA certification for any product, but Microsoft has undergone independent ISO 27001 audits that include the security practices recommended by HHS, and those audits confirm that Office 365 provides the privacy and security controls needed to support compliance with the HIPAA Rules. Microsoft encrypts data on its servers, keeps audit logs of access to stored data, and offers two-factor (multi-factor) authentication. Using Office 365 does not by itself make an organization compliant, however. Covered entities remain responsible for configuring access controls correctly, enabling administrator access tracking, managing the devices that connect to the service, obtaining and reviewing access control reports, and training users to handle ePHI in Office 365 in a manner consistent with the HIPAA Rules.

Microsoft's Office 365 is a collection of subscription products, including Word, Excel, PowerPoint, OneNote, Outlook, Publisher, and Access, that serves a wide range of business needs. For healthcare organizations regulated under HIPAA, Microsoft offers a Business Associate Agreement (BAA) covering Office 365 and Microsoft Dynamics CRM Online when they are purchased through designated channels such as Volume Licensing Programs or the Dynamics CRM Online Portal. The same BAA also covers use of the Microsoft Azure cloud platform. Unlike services that require a separate BAA to be negotiated and signed, Microsoft provides the BAA automatically to customers with an online services contract. Even so, a HIPAA-covered entity should confirm that the BAA is in force before deploying Office 365 with electronic protected health information (ePHI). The organization should also designate an administrative contact that Microsoft can notify promptly in the event of a security breach; without a named contact, breach notifications can be delayed or missed. No HIPAA certification is recognized by the HHS' Office for Civil Rights or any other federal body, but Microsoft's services are independently audited under ISO 27001, and those audits assess the security practices recommended by HHS. The audits confirm that Office 365 provides the privacy and security controls needed to align with the HIPAA Rules; they do not, and cannot, certify how an individual customer configures and uses the service.

Microsoft encrypts data stored on its servers and encrypts data in transit when it leaves Microsoft facilities. It is important to understand what that encryption does not cover: message headers, including the subject line, the To and From addresses, and attachment file names, are handled in the clear by the mail servers and clients along the delivery path, and they appear in logs, notifications, and message previews. For that reason, ePHI should never be placed in the subject line of an email, in the file names of attachments, or in the To and From fields. Keeping ePHI in the encrypted message body and attachment contents, rather than in the metadata around them, is what makes email within the Office 365 environment safe to use. To meet the auditing requirements of HIPAA, Office 365 logs access to stored data, and organizations can obtain detailed access reports from Microsoft; these reports give the covered entity the visibility needed to show who accessed ePHI and when. Microsoft also provides two-factor (multi-factor) authentication for Office 365 and Outlook accounts. This additional factor prevents a compromised password alone from granting access, for example when an unfamiliar device attempts to sign in to an account.
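The guidance above is easy to state and easy to violate in practice, so a technical control is worth having alongside user training. The following is an added example, not code from the original article and not a Microsoft product feature: a pre-send check that inspects only the unencrypted parts of a message (the headers and the attachment file names) for identifiers that commonly appear in ePHI. The body is deliberately left alone, since that is the part content encryption covers. The identifier patterns (a US SSN, an "MRN" prefix followed by digits, a "DOB" followed by a date) and the sample messages are constructed for illustration and are assumptions; a real deployment would use the organization's own identifier formats and would normally run this logic as a mail-flow or DLP rule rather than a standalone script.

```python
import re
from email import policy
from email.parser import BytesParser

# Illustrative identifier patterns (assumed, not from the article). Tune to the
# organization's own MRN/account formats before relying on them.
EPHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[#:]?\s*\d{5,}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB\b.*?\d{1,2}/\d{1,2}/\d{2,4}", re.IGNORECASE),
}

# Header fields that travel and are logged in the clear; none may carry ePHI.
HEADER_FIELDS = ("Subject", "From", "To", "Cc", "Bcc")


def scan_text(location, text):
    """Return (location, pattern_name, matched_text) for every hit in text."""
    hits = []
    for name, pattern in EPHI_PATTERNS.items():
        for m in pattern.finditer(text or ""):
            hits.append((location, name, m.group(0)))
    return hits


def find_ephi_in_metadata(raw_message):
    """Scan the unencrypted metadata of an RFC 5322 message.

    Checks the routing/subject headers and every attachment file name. The
    message body is intentionally not scanned: it is the part that message
    encryption protects, so it belongs to a different control.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    hits = []
    for field in HEADER_FIELDS:
        hits.extend(scan_text(f"header:{field}", msg.get(field)))
    for part in msg.iter_attachments():
        hits.extend(scan_text("attachment-name", part.get_filename()))
    return hits


# Constructed sample (no real patient data) that breaks the guidance in three
# places: a DOB in the subject, an MRN in the To display name, an SSN in the
# attachment file name.
SAMPLE_MESSAGE = b"""\
From: nurse@clinic.example
To: Jane Doe MRN 0045678 <j.doe@example.com>
Subject: Follow-up visit, DOB 04/12/1980
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached results.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="results-123-45-6789.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed sample that follows the guidance: the same identifiers appear
# only in the body, which this check leaves to encryption, so it passes.
CLEAN_MESSAGE = b"""\
From: nurse@clinic.example
To: j.doe@example.com
Subject: Follow-up visit
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Patient MRN 0045678, SSN 123-45-6789, DOB 04/12/1980: results attached separately.
"""


if __name__ == "__main__":
    for location, name, text in find_ephi_in_metadata(SAMPLE_MESSAGE):
        print(f"BLOCK {location}: {name} -> {text!r}")
    print("clean message hits:", find_ephi_in_metadata(CLEAN_MESSAGE))
```

The check is intentionally conservative: it only examines the fields the passage names, and it blocks on any hit rather than trying to decide whether a given number is really a patient identifier. A false positive costs a user a moment of rewording a subject line; a false negative puts ePHI into every mail log between sender and recipient.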

Microsoft Office 365 can therefore be used in compliance with HIPAA, provided the covered entity has a business associate agreement with Microsoft. It must be emphasized, however, that using Office 365, even with a BAA in place, does not by itself make an organization compliant. The covered entity remains responsible for configuring access controls appropriately, enabling administrator access tracking, disabling Microsoft Dynamics CRM Online for unsupported devices, obtaining and reviewing access control reports on a regular schedule, and training all users to handle ePHI in Office 365 in a manner consistent with the HIPAA Rules. Microsoft's security controls and the covered entity's own configuration, monitoring, and training together form the framework that keeps healthcare data compliant; neither half is sufficient alone.

Key Points Summarized:

Aspect: Details

BAA Requirement: Microsoft will sign a Business Associate Agreement (BAA) with HIPAA-covered entities for Office 365 and Microsoft Dynamics CRM Online, applicable when the products are purchased through designated channels such as Volume Licensing Programs or the Dynamics CRM Online Portal.

BAA Accessibility: The BAA is included automatically for customers with an online services contract; covered entities should still confirm it is in place before deploying Office 365 with electronic protected health information (ePHI).

Administrative Contact: Covered entities should provide an administrative contact to receive breach notifications in the event of a security breach.

Certification: There is no official HIPAA certification; Microsoft undergoes independent ISO 27001 audits that cover the security practices recommended by HHS, confirming that Office 365 provides the privacy and security controls needed for HIPAA compliance.

Security Measures: Microsoft encrypts stored data and data in transit, logs access to stored data, and offers two-factor (multi-factor) authentication.

Email Security: Message headers are not covered by encryption, so ePHI must not be placed in email subject lines, attachment file names, or the To and From fields; keeping ePHI in the encrypted body makes email within Office 365 safe to use.

Compliance Guarantee: Using Office 365, even with a BAA, does not guarantee compliance; covered entities remain responsible for access controls, administrator access tracking, device management, review of access control reports, and user training.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years' experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications, including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter at https://twitter.com/DanielLHIPAA