Learn How to Get Your Microsoft Business Associate Agreement Here

Microsoft’s BAA covers Office 365, SharePoint, Azure, and Microsoft Dynamics CRM Online. They state on their site, “Microsoft offers its covered entity and business associate customers a Business Associate Agreement that covers in-scope Microsoft services. The Microsoft HIPAA Business Associate Agreement is available through the Microsoft Online Services Data Protection Addendum by default to all customers who are covered entities or business associates under HIPAA. The HIPAA Business Associate Agreement is also available for in-scope Microsoft Professional Services upon request. Contact your Microsoft services representative for more information.” Microsoft will not sign a third-party BAA, and does not claim responsibility if the end user does not use their service in a HIPAA compliant manner.

When signing a Microsoft BAA, it is important to establish an administrative contact. This ensures that if Microsoft were to experience a breach, the healthcare organization would be informed of the breach.

You can access Microsoft’s BAA here.

Office 365 HIPAA Privacy and Security Controls

Office 365 HIPAA compliance is dependent on how it is used. Microsoft implements end-to-end encryption for data stored or uploaded to servers, as well as data transferred beyond its’ servers. However, the names of files, subject line of emails, and message headers are not encrypted. Therefore, to use Office 365 in a HIPAA compliant manner, organizations must ensure that PHI is not contained in these areas. 

In addition, HIPAA requires that healthcare organizations implement access management. Access management allows administrators to limit data access by designating employees access levels based on their job role. By implementing access controls, you can track which employees access what data, and how frequently they access it, referred to as audit logs. Office 365 is capable of creating audit logs that are available upon request.

Another requirement of HIPAA is keeping offsite data backups to prevent data loss in the event of a breach, or other incident that has the potential to damage your onsite data storage. Microsoft also recommends in their Services Agreement that users implement data backup stating, “We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”

Lastly, Microsoft requires 2-factor authentication (2FA) to be enabled to further protect data from being accessed by unauthorized individuals. Without 2FA being enabled, you will not be covered by Microsoft’s BAA. 2FA requires users to input a username and password in combination with another form of identification, such as a one-time PIN or security question, to access data. 

Need Assistance with HIPAA Compliance?

Compliancy Group can help! Our cloud-based compliance software, the Guard™, gives you the flexibility to work on your HIPAA compliance from anywhere that has an internet connection. Our Compliance Coaches™ will guide you through our implementation process enabling you to Achieve, Illustrate, and Maintain™ HIPAA compliance.