Microsoft Forms allows users to create surveys, quizzes, and polls, and the responses can be exported to Excel for analysis. Microsoft Forms can be a valuable tool for a healthcare business, but depending on how it is used, you must consider its HIPAA compliance before adopting it. Is Microsoft Forms HIPAA compliant?
When Does Microsoft Forms Need to Be HIPAA Compliant?
Microsoft Forms needs to be HIPAA compliant when healthcare organizations use the software to gather patient information. For instance, a healthcare provider may want to use the survey or poll function of Microsoft Forms to ask patients about their experience during a recent appointment or to ask patients about what additional services would be of interest to them.
Since the healthcare provider would be gathering protected health information (PHI), the service used to collect it must be HIPAA compliant. Even if the provider is not asking about specific details of the patient's treatment, seemingly benign information such as a patient's name or contact information, once tied to the fact that the person is a patient, is PHI.
Microsoft Forms does not need to be HIPAA compliant when no PHI is collected, for example when the tool is used only to gather employee or vendor information.
Is Microsoft Forms HIPAA Compliant: Business Associate Agreements
A critical factor in determining whether a software tool can be used in a HIPAA compliant manner is the vendor's willingness to sign a business associate agreement (BAA) with its customers. Microsoft Forms falls under the Office 365 umbrella. Microsoft offers a BAA for Office 365 services, stating on its website, "Microsoft offers its covered entity and business associate customers a Business Associate Agreement that covers in-scope Microsoft services. The Microsoft HIPAA Business Associate Agreement is available through the Microsoft Online Services Data Protection Addendum. Contact your Microsoft services representative for more information."
To use Microsoft Forms in compliance with HIPAA, an organization must have a BAA with Microsoft in place before it uses the service to gather patient information.
Office 365 HIPAA Privacy and Security Controls
Office 365 HIPAA compliance depends on how the service is used. Microsoft encrypts customer data at rest on its servers and in transit to and from them. However, metadata such as file names, email subject lines, and message headers can remain visible in plaintext. Therefore, to use Office 365 in a HIPAA compliant manner, organizations must ensure that PHI is never placed in these fields.
In addition, HIPAA requires that healthcare organizations implement access management. Access management lets administrators limit data access by assigning employees access levels based on their job roles. HIPAA separately requires audit controls: a record of which employees access what data and how frequently. Office 365 maintains a unified audit log, which administrators can search from the Microsoft 365 compliance portal or with PowerShell, and which records Microsoft Forms activity such as form creation and response views.
Another requirement of HIPAA is a data backup plan, so that PHI can be restored after a breach, outage, or other incident. Microsoft also recommends in its Services Agreement that users back up their own data, stating, "We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you've stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services."
Lastly, Microsoft requires 2-factor authentication (2FA), also called multi-factor authentication (MFA), to be enabled to further protect data from being accessed by unauthorized individuals. Without 2FA enabled, you will not be covered by Microsoft's BAA. 2FA requires users to present, in addition to a username and password, a second factor of a different kind, such as a one-time code from an authenticator app or a hardware security key. Note that a security question is not a second factor: it is another "something you know" and adds little protection if the password is phished.
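The two checks above, pulling Microsoft Forms activity from the unified audit log and listing users who have not registered for MFA, can be scripted. The following PowerShell is an added example, not from the original article or from Microsoft's documentation. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Reports modules are installed, that the account running it holds the Exchange Online audit role and the Graph `AuditLog.Read.All` permission, and that Forms audit records carry a `FormName` property in their `AuditData` JSON (an assumption; adjust if your tenant's records differ).

```powershell
# Added example (not the article's or Microsoft's own code). Assumes:
#   - Install-Module ExchangeOnlineManagement, Microsoft.Graph.Reports
#   - an account with the Exchange Online audit role and AuditLog.Read.All on Graph
#   - Forms audit records expose a FormName field in AuditData (assumption)

# ---- 1. Who accessed which forms, and how often (HIPAA audit controls) ----
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-30)
$end   = Get-Date

# RecordType MicrosoftForms restricts the search to Forms events; 5000 is the per-call cap.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType MicrosoftForms -ResultSize 5000

$formEvents = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json     # AuditData is a JSON string
    [pscustomobject]@{
        Time      = $r.CreationDate
        User      = $r.UserIds
        Operation = $r.Operations
        FormName  = $data.FormName               # assumed property name
    }
}

# Frequency of access per user and operation, which is what the audit control is meant to show.
$formEvents |
    Group-Object User, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Keep the raw export as evidence for the compliance record.
$formEvents | Export-Csv -Path .\forms-audit-last30d.csv -NoTypeInformation

# ---- 2. Users without MFA registered (the 2FA requirement) ----
Connect-MgGraph -Scopes "AuditLog.Read.All"

$noMfa = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsAdmin

if ($noMfa) {
    Write-Warning "$($noMfa.Count) user(s) have no MFA method registered:"
    $noMfa | Format-Table -AutoSize
} else {
    Write-Host "All users have an MFA method registered."
}
```

Run the audit search on a schedule and keep the CSV exports, since the unified audit log has a finite retention period and a HIPAA reviewer will ask for history beyond it. The MFA report lists registration, not enforcement; pair it with a Conditional Access policy that actually requires MFA for access to Microsoft 365.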
Is Microsoft Forms HIPAA Compliant?
Is Microsoft Forms HIPAA compliant? Yes, Microsoft Forms can be used in a HIPAA compliant manner, provided that the organization has a signed BAA with Microsoft before use and configures and uses the platform according to HIPAA requirements.