Is Microsoft Outlook HIPAA Compliant?
The answer to the question “Is Microsoft Outlook HIPAA Compliant?” depends upon which form of Microsoft Outlook is being used. Outlook exists in several forms:
- Outlook.com
- Outlook that is part of Office 365
- Outlook installed on a user’s computer
Is Outlook.com HIPAA Compliant?
Outlook.com is Microsoft’s successor product to hotmail.com. Individuals can sign up for free outlook.com email accounts, and then use this online product to check their email.
Outlook.com is not configured to securely handle PHI (protected health information) or ePHI (electronic protected health information, which is PHI that is created, stored, transmitted, or received in any electronic format or media).
In addition, Microsoft does not sign business associate agreements for users of Outlook.com.
HIPAA business associates are those entities that provide services to a covered entity and that come into contact with the covered entity’s PHI or ePHI. Covered entities may not conduct business with business associates unless these parties first enter into a business associate agreement that outlines how the business associate will protect that PHI or ePHI and how the business associate will prevent PHI disclosure.
Since Microsoft will not enter into a business associate agreement for outlook.com, covered entities must look elsewhere for a suitable business associate.
Is Outlook that is Part of Office 365 HIPAA Compliant?
Outlook is part of the Office 365 suite of services. Individuals who have a subscription to Office 365 therefore automatically have a web-based version of Outlook that can be used to check email. Since this email is in a user’s browser, and since the user is using a paid version of Office 365, Outlook in this instance is HIPAA compliant, assuming that Office 365 has been properly configured.
The following steps should be taken to configure Office 365 for HIPAA Compliance:
- Initially, the computer itself must be rendered HIPAA compliant.
- Next, the connection between the computer and Office 365 should be checked and, if it is not already encrypted, it should be encrypted.
- Outlook should be configured to be HIPAA compliant. Very generally speaking, this configuration requires:
  - Enterprise-level encryption
  - Microsoft Exchange Online Protection
  - Data loss prevention measures (DLP)
  - The ability to wipe data on mobile devices
  - Proper configuration of access controls
  - Single sign on and two factor authentication are enabled
  - Data backups
  - Staff receive training on the use of email for communicating ePHI