Office 365 HIPAA Privacy and Security Controls
Whether Office 365 is used in a HIPAA compliant manner depends on how it is configured and used. Microsoft encrypts customer data at rest on its servers and in transit between its servers and clients. However, file names, email subject lines, and message headers are not covered by that protection at the message level (Office 365 Message Encryption, for example, encrypts the message body and attachments but leaves the subject line readable). Therefore, to use Office 365 in a HIPAA compliant manner, organizations must ensure that PHI never appears in these fields.
In addition, HIPAA requires that healthcare organizations implement access management: administrators limit data access by assigning access levels based on each employee's job role, so that a user can reach only the PHI that role needs. Access control is complemented by audit logging, which records which employees accessed what data, when, and how frequently. Office 365 keeps a unified audit log of user and administrator activity that administrators can search and export from the compliance portal or through PowerShell.
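The audit-log requirement above is easiest to understand with a concrete query. The following PowerShell script is an added example, not code from the original article or from Microsoft: it pulls the last 30 days of SharePoint/OneDrive file-access events from the Office 365 unified audit log, summarises who accessed which files and how often, and exports the raw records for retention. It assumes the ExchangeOnlineManagement module is installed, that auditing is enabled for the tenant, and that the signed-in account holds a role allowed to read audit logs; the site URL is a hypothetical placeholder.

```powershell
# Added example (not from the original article or from Microsoft). Assumptions:
# ExchangeOnlineManagement module installed, tenant auditing enabled, and the
# signed-in account holds a role that can read audit logs (e.g. View-Only Audit Logs).

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; use -AppId/-CertificateThumbprint for unattended runs

$start   = (Get-Date).AddDays(-30)
$end     = Get-Date
$siteUrl = 'https://contoso.sharepoint.com/sites/PatientRecords'   # assumed site that holds PHI

# Search-UnifiedAuditLog returns at most 5000 rows per call. ReturnLargeSet with a
# fixed SessionId pages through the whole result set until a call returns nothing.
$sessionId = "phi-audit-$(Get-Date -Format yyyyMMddHHmmss)"
$raw = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointFileOperation `
        -Operations FileAccessed, FileDownloaded, FileModified, FileDeleted `
        -SessionCommand ReturnLargeSet -SessionId $sessionId -ResultSize 5000
    if ($page) { $raw += $page }
} while ($page)

# AuditData is a JSON string; expand it and keep only events under the PHI site.
$records = $raw |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.ObjectId -like "$siteUrl/*" } |
    Select-Object CreationTime, UserId, Operation, ObjectId, ClientIP

# Per-user summary: how many events and how many distinct files each user touched.
$records |
    Group-Object UserId |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'User';          e = { $_.Name } },
                  @{ n = 'Events';        e = { $_.Count } },
                  @{ n = 'DistinctFiles'; e = { ($_.Group.ObjectId | Sort-Object -Unique).Count } } |
    Format-Table -AutoSize

# Downloads and deletions of PHI deserve a closer look than plain reads.
$records |
    Where-Object { $_.Operation -in 'FileDownloaded', 'FileDeleted' } |
    Sort-Object CreationTime |
    Format-Table -AutoSize

# The unified audit log is only retained for a limited period, so export the
# evidence to storage you control for the retention window your policy requires.
$records | Export-Csv -Path ".\phi-file-access-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Run this on a schedule rather than ad hoc: the value of an audit trail for HIPAA is that it is complete and retained, so a periodic export (or continuous forwarding to a SIEM through the Office 365 Management Activity API) is the check a practitioner actually wants, not a one-off search after an incident.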
Another requirement of HIPAA is keeping offsite data backups to prevent data loss in the event of a breach or other incident. Microsoft also recommends in their Services Agreement that users implement data backup, stating, “We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”
Lastly, Microsoft requires two-factor authentication (2FA) to be enabled to further protect data from being accessed by unauthorized individuals. Without 2FA enabled, you will not be cover