Is Office 365 HIPAA Compliant?

The adoption of Microsoft Office 365 is widespread. Tools such as Excel, Word, PowerPoint, OneNote, Publisher, Access, and Outlook continue to be the leading solutions businesses use. As a healthcare organization, or a vendor that services healthcare clients, it is imperative to ensure that the tools used to conduct business can be used in a HIPAA-compliant manner. That raises the question: is Office 365 HIPAA compliant?


Is Office 365 HIPAA Compliant?

Yes, with a signed BAA and proper configuration and use, Office 365 can be used in a HIPAA-compliant manner. No product is HIPAA compliant on its own: it is the responsibility of the covered entity (or business associate) to ensure that a BAA is signed before Office 365 is used to transmit, store, or maintain PHI. Covered entities are also responsible for confirming that access controls are configured to safeguard PHI, that audit logging is enabled, and that employees are trained to use Office 365 in accordance with HIPAA requirements. Only the Microsoft services that are in scope for the BAA should be used to handle PHI.

Office 365 HIPAA Business Associate Agreement

Healthcare organizations wishing to use Office 365 in conjunction with protected health information (PHI) must first secure a business associate agreement (BAA). Microsoft offers a BAA to organizations using its paid subscriptions.


Microsoft’s BAA covers Office 365, SharePoint, Azure, and Microsoft Dynamics CRM Online. Microsoft states on its site, “Microsoft offers its covered entity and business associate customers a Business Associate Agreement that covers in-scope Microsoft services. The Microsoft HIPAA Business Associate Agreement is available through the Microsoft Online Services Data Protection Addendum by default to all customers who are covered entities or business associates under HIPAA. The HIPAA Business Associate Agreement is also available for in-scope Microsoft Professional Services upon request. Contact your Microsoft services representative for more information.” Microsoft will not sign a third-party BAA, and it does not accept responsibility if the customer uses the service in a manner that is not HIPAA compliant.

When signing a Microsoft BAA, designate an administrative (security) contact. Microsoft’s breach notifications go to that contact, so if Microsoft were to experience a breach affecting your data, the healthcare organization would actually be informed.


Office 365 HIPAA Privacy and Security Controls

Office 365 HIPAA compliance depends on how it is used. Microsoft encrypts customer data at rest on its servers and in transit to and from them. However, the names of files, the subject lines of emails, and message headers are not protected by message-level encryption (such as Office Message Encryption) and are visible to intermediate systems. Therefore, to use Office 365 in a HIPAA-compliant manner, organizations must ensure that PHI is never placed in these fields.

In addition, HIPAA requires that healthcare organizations implement access management. Role-based access controls let administrators limit each employee’s access to PHI to what their job role requires. HIPAA’s audit-control requirement is a separate control: you must be able to reconstruct which employees accessed what data, and how often. Office 365 records this activity in its unified audit log, which administrators can search in the Microsoft compliance portal or with PowerShell, but only for activity that occurs after audit logging has been enabled, so confirm that it is on before any PHI is stored.

HIPAA’s Security Rule also requires a contingency plan that includes retrievable, exact backups of ePHI, kept separately from the primary copy, so that a breach, outage, or other incident cannot destroy the only copy of your data. Microsoft itself recommends in its Services Agreement that users implement their own backups, stating, “We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”

Lastly, multi-factor authentication (MFA, also called 2-factor authentication or 2FA) should be enforced for every account that can reach PHI, and especially for administrators. The BAA does not make Microsoft responsible for weak authentication on the customer side: an account taken over through a password alone is the customer’s breach. MFA requires users to present a password together with a second factor of a different kind, such as a one-time code from an authenticator app or a hardware security key. A security question is simply a second password and does not qualify as a second factor.
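The following PowerShell is an added example, not part of the original article or of Microsoft’s documentation, showing how an administrator would verify the two controls discussed above: that the unified audit log is actually recording access to PHI, and that users are registered for MFA. It uses cmdlets from the ExchangeOnlineManagement and Microsoft.Graph.Reports modules; the seven-day look-back window, the chosen file operations, and the output file name are assumptions made for the example.

```powershell
# Added example: verify Office 365 audit logging and MFA registration.
# Requires the ExchangeOnlineManagement and Microsoft.Graph.Reports modules and an
# account with Exchange admin plus Reports Reader (or Global Reader) rights.
# The look-back window, operation list and CSV path are assumptions for this example.

Connect-ExchangeOnline
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# 1. Unified audit log ingestion must be on, or there is no record of who touched PHI.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF; enabling it."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Mailbox auditing is on by default at the organization level; confirm nobody disabled it.
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled organization-wide; re-enabling."
    Set-OrganizationConfig -AuditDisabled $false
}

# 2. Pull recent SharePoint/OneDrive file-access events as evidence of who accessed
#    what, and how often (the HIPAA audit-control requirement). Assumed window: 7 days.
$daysBack = 7
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$daysBack) `
    -EndDate (Get-Date) `
    -RecordType SharePointFileOperation `
    -Operations FileAccessed, FileDownloaded, FileSyncDownloadedFull `
    -ResultSize 5000

# Summarise access counts per user; unusually high counts are the first thing to review.
$events |
    Group-Object UserIds |
    Sort-Object Count -Descending |
    Select-Object @{ Name = 'User'; Expression = { $_.Name } }, Count |
    Format-Table -AutoSize

# 3. Every user who can reach PHI should be MFA-registered; list those who are not.
$noMfa = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered }

$noMfa |
    Select-Object UserPrincipalName, IsAdmin, MethodsRegistered |
    Export-Csv -Path .\users-without-mfa.csv -NoTypeInformation   # assumed output path

Write-Host ("{0} users are not MFA-registered; see users-without-mfa.csv" -f $noMfa.Count)
```

Run this from an administrative workstation, not a shared mailbox host, and keep the exported CSV out of any location that itself holds PHI. The audit search returns at most 5000 records per call, so a large tenant should page through narrower date ranges or export the log to a SIEM for retention beyond Microsoft’s default window.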

Need Assistance with HIPAA Compliance?

Compliancy Group can help! Our cloud-based compliance software, the Guard™, gives you the flexibility to work on your HIPAA compliance from anywhere with an internet connection. Our Compliance Coaches™ will guide you through our implementation process, enabling you to Achieve, Illustrate, and Maintain™ HIPAA compliance.
