Is Microsoft Teams HIPAA compliant?

Microsoft products are used globally, but healthcare providers must ensure that their use of Microsoft Teams is HIPAA compliant.

The recent shift to remote working has been a boon for online communications platforms, which are now used across a wide range of industries. During the recent COVID-19 pandemic, Microsoft Teams saw a surge in its user base, even offering extended free trials including its premium features to attract more users. The platform facilitates file sharing, messaging services, and group videoconferencing that can host thousands of participants. It also integrates seamlessly with other Microsoft products. However, healthcare settings pose unique challenges, particularly in terms of HIPAA compliance. 

Other Microsoft products (including those in the Office 365 suite) can be HIPAA compliant if used in a specific way. The main requirement for compliance is that there are sufficient security features to maintain the integrity and privacy of electronic protected health information (ePHI). Microsoft Teams does have a number of security features, such as single sign-on and two-factor authentication, the maintenance of audit logs, and access controls that allow administrators to remove licenses from individual users. Additionally, all data are encrypted at rest and in transit, and are stored on secure servers in North America.

According to Microsoft’s own website, Microsoft Teams is included in its own “Tier-D” compliance category, which means that the product is ISO 27001, ISO 27018, SSAE16 SOC 1 and SOC 2, HIPAA, and EU Model Clauses (EUMC) compliant by default. Any product in the Tier D category has also passed the HITRUST CSF Assurance Program Assessment. This greatly simplifies the utilisation of Microsoft Teams in a HIPAA-compliant manner for its users. 

However, to be fully HIPAA compliant, before Teams is used to transfer or store ePHI, any HIPAA Covered Entity (CE) must enter into a business associate agreement (BAA) with Microsoft that covers the Microsoft Teams product. Microsoft has been willing to sign BAAs with its clients. With this in mind, we can say that if used correctly, and if a BAA is in place, Microsoft Teams is HIPAA compliant. The responsibility for ensuring that all safeguards are in place and that they are properly enacted by employees lies with the CEs. Adequate training in the HIPAA-compliant use of Teams is therefore required.