Does Office 365 Comply With the HIPAA and HiTECH Act Rules?

Office 365 is Microsoft’s set of subscription products that includes the following programs: Word, Excel, OneNote, PowerPoint, Outlook, Access and Publisher.  Can healthcare organizations use Office 365 without violating the HIPAA and HiTECH Act Rules?

If HIPAA covered entities purchase Office 365 through the Volume Licensing Programs or the Dynamics CRM Online Portal, Microsoft is ready to enter into a business associate agreement (BAA). Though the BAA is not necessary prior to using Office 365, Microsoft automatically makes it available to customers that have an online service contract. HIPAA covered entities need to get a BAA before using electronic protected health information (ePHI) with Office 365.  An administrative contact must be specified in the BAA. He will be contacted by Microsoft in case a security breach occurs. 

Some companies claim that they are HIPAA certified but the HHS’ Office for Civil Rights or other federal agencies do not recognize any certification. Microsoft does not claim to be HIPAA certified but it has been certified by independent audits such as the ISO 27001, which includes assessments of security practices that HHS recommends.

Office 365 is considered compliant with HIPAA Rules knowing that it possesses the following required privacy and security controls:

  • Data encryption – all data uploaded to Microsoft servers or transferred from Microsoft facilities are encrypted except the packet headers and message headers. By not using ePHI in the subject line of emails, on the names of attached files, or in the to and from fields of emails, it is quite secure to use emails.
  • Access Logs – Microsoft Office 365 maintains access logs to stored data hence meeting HIPAA auditing requirements. Microsoft can provide the reports on access logs upon request.
  • Two-factor user authentication – Microsoft implements two-factor authentication when accessing Office 365 and Outlook email accounts. This is to prevent compromising the accounts when somebody or an unfamiliar device tries to log-in.

So, to answer the question ‘Is Microsoft Office 365 HIPAA compliant?’ It can be considered compliant as long the the HIPAA covered entity has a business associate agreement with Microsoft. Office 365 offers all the privacy and security controls necessary to ensure HIPAA and HiTECH Act compliance. However,  the covered entity is responsible to configure and use Office 365 in a  manner compliant with the rules. Administrator access tracking must be turned on and access control reports must be monitored regularly. There must be training for users to ensure the use of Office 365 is compliant with HIPAA Rules.