Is Office 365 HIPAA Compliant?

The adoption of Microsoft Office 365 is widespread. Tools such as Excel, Word, PowerPoint, OneNote, Publisher, Access, and Outlook, continue to be the leading solutions businesses use. As a healthcare organization, or a vendor that services healthcare clients, it is imperative to ensure that the tools used to conduct business are HIPAA compliant. That begs the question, is Office 365 HIPAA compliant? 

Office 365 HIPAA Compliant

Is Office 365 HIPAA Compliant?

Yes, with a signed BAA and proper usage, Office 365 is HIPAA compliant. It is the responsibility of the covered entity to ensure that a BAA is signed before Office 365 can be used to transmit, store, or maintain PHI. CEs are also responsible for checking access controls to confirm that they are configured correctly to safeguard PHI, administrative tracking is switched on, and employees are trained to use Office 365 in accordance with HIPAA standards. Additionally Microsoft Dynamics CRM Online must be turned off for devices that access PHI.

Office 365 HIPAA Business Associate Agreement

Healthcare organizations wishing to use Office 365 in conjunction with protected health information (PHI), must first secure a business associate agreement (BAA). Microsoft offers a BAA for organizations using their paid service. 

Need help with Business Associate Agreements? Let us assist!

Learn How to Get Your Microsoft Business Associate Agreement Here

Microsoft’s BAA covers Office 365, SharePoint, and Azure. Organizations using Microsoft Dynamics CRM Online must purchase a BAA through the online portal or Volume Licensing Programs. When signing a Microsoft BAA, it is important to establish an administrative contact. This ensures that if Microsoft were to experience a breach, the healthcare organization would be informed of the breach.

Office 365 HIPAA Privacy and Security Controls

Office 365 HIPAA compliance is dependent on how it is used. Microsoft implements end-to-end encryption for data stored or uploaded to servers, as well as data transferred beyond its’ servers. However, the names of files, subject line of emails, and message headers are not encrypted. Therefore, to use Office 365 in a HIPAA compliant manner, organizations must ensure that PHI is not contained in these areas. 

In addition, HIPAA requires that healthcare organizations implement access management. Access management controls who is able to view what information and tracks access to sensitive information. Office 365 is capable of creating access logs that are available upon request. 

Lastly, Microsoft enables 2-factor authentication to further protect access from unauthorized individuals. 2-factor authentication uses a password in combination with another form of identification, such as a one-time PIN or security question. 

Need Assistance with HIPAA Compliance? 

Compliancy Group can help! Our cloud-based compliance software, the Guard™, gives you the flexibility to work on your HIPAA compliance from anywhere that has an internet connection. Our expert Compliance Coaches™ will guide you through our six stage implementation process enabling you to Achieve, Illustrate, and Maintain™ HIPAA compliance. 


HIPAA Compliance Software

Learn How Simple Compliance Can Be

Get Compliant Today!