Is Office 365 HIPAA Compliant?


Is Office 365 HIPAA compliant? A critical question, considering how widely the suite is used. Office 365 (now sold as Microsoft 365), created by Microsoft, bundles several tools for your business, including Word, Excel, Outlook, PowerPoint, SharePoint, OneDrive and Teams. (Azure is Microsoft's separate cloud platform and is covered by its own terms, not by an Office subscription.) Each of them can be used in a healthcare organization to support your staff. The real question is: is Office 365 HIPAA compliant for healthcare organizations?


Is Office 365 HIPAA compliant?

The short answer is yes, with conditions. HIPAA does not certify software, so no product is "HIPAA compliant" on its own. Office 365 can be used in a HIPAA-compliant way once your organization has signed Microsoft's Business Associate Agreement (BAA) and configures and uses the service in line with the Security Rule. Your organization must also designate a contact (normally your HIPAA privacy or security officer) whom Microsoft notifies in the event of an unauthorized disclosure or breach of electronic protected health information (ePHI), so that your own breach-notification obligations can be met on time.

Another part of HIPAA compliance is keeping and reviewing audit logs. Basic audit logging is included with most business and enterprise plans, but longer log retention and some detailed events (such as mailbox item access) require higher-tier plans or add-on licensing, so you will need to make sure that you pick the right one. Who better to ask than the experts?

How can you be sure that Office 365 supports HIPAA compliance? There is no official HIPAA certification for vendors, but Microsoft has its controls verified by independent auditors (for example through HITRUST CSF certification and SOC reports) and maps those controls to the HIPAA Privacy and Security Rules. Those rules apply to every device in your organization that touches ePHI, so make sure laptops and mobile devices are protected as well, not just the cloud service.
Office 365 HIPAA checklist:

  • Ensure a BAA is in place with Microsoft and with every other organization to which you transmit ePHI.
  • Train your staff so they understand HIPAA and how its rules apply to their daily work with ePHI in Office 365.
  • Run a security evaluation of Office 365 and the tools you plan to deploy, and fold the results into your HIPAA Risk Analysis and Risk Management Plan so that every risk related to Office 365 is documented together with its mitigation.
  • Update your internal standard operating procedures (SOPs), forms, and policies to cover the use, access, storage, and release of ePHI in Office 365. This includes role-based permissions (who may create and disable accounts, who may administer the tenant) and restricting who may invite guest (external) users, with existing guest accounts reviewed regularly.
  • Create and implement the administrative, technical and physical safeguards required for the use, access, and release of ePHI with Office 365 products.
  • Document how ePHI is used, stored, and accessed, and make the Office 365 procedures and guidelines readily available to staff.
  • Apply the "minimum necessary" standard: limit each use or disclosure of ePHI to the least information needed to accomplish its purpose, and grant access rights on the same basis.
  • Require multi-factor authentication for every account that can reach ePHI, on desktops as well as mobile devices; a password alone is not adequate protection for ePHI.
  • Monitor the use of Office 365 (audit logs, sign-in reports, sharing reports) to make sure your policies are being followed.
  • Promptly disable access, and revoke active sessions, for employees who leave your organization or whose access has been restricted.
  • Store ePHI correctly and dispose of it according to a documented retention schedule (HIPAA requires compliance documentation to be kept for six years, and medical record retention is governed by state law); deletion is a retention decision, not a housekeeping step to free up space.
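Several of the checklist items (audit logging, multi-factor authentication, guest invitations, disabling leavers, monitoring) correspond to concrete tenant settings. The script below is an added example written for this page, not Microsoft's code or the original article's; it uses the Microsoft Graph PowerShell SDK and the Exchange Online PowerShell module, and the user principal name and emergency-access account ID are placeholders you would replace with your own.

```powershell
# Added example (not from the original article). Requires, installed once as admin:
#   Install-Module Microsoft.Graph, ExchangeOnlineManagement
# All tenant-specific values below are assumed placeholders.

$DepartingUser = "jdoe@contoso-health.example"              # assumed UPN of a leaver
$BreakGlassId  = "00000000-0000-0000-0000-000000000000"     # assumed object ID of an emergency-access account

$scopes = @("User.ReadWrite.All",
            "Policy.ReadWrite.ConditionalAccess",
            "Policy.ReadWrite.Authorization")
Connect-MgGraph -Scopes $scopes
Connect-ExchangeOnline -ShowBanner:$false

# 1. Audit logging: confirm unified audit log ingestion is on before relying on it.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. MFA for everyone via a Conditional Access policy rather than per-user settings.
#    Created in report-only mode so sign-in logs can be reviewed before enforcing;
#    change state to "enabled" once the exclusions are confirmed.
$mfaPolicy = @{
    displayName   = "HIPAA - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy | Out-Null

# 3. Guest accounts: only admins and holders of the Guest Inviter role may invite external users.
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" `
    -AllowInvitesFrom "adminsAndGuestInviters"

# 4. Offboarding: disable the account AND revoke refresh tokens, so cached sessions
#    on phones and laptops stop working now rather than when their tokens expire.
Update-MgUser -UserId $DepartingUser -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $DepartingUser | Out-Null

# 5. Monitoring: pull the leaver's file activity for the last 30 days from the
#    unified audit log. Audit (Standard) keeps events for a limited window; one-year
#    retention and mailbox-access events such as MailItemsAccessed need Audit (Premium).
$since  = (Get-Date).AddDays(-30)
$events = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -UserIds $DepartingUser `
    -Operations FileDownloaded, FileDeleted, FileSyncDownloadedFull `
    -ResultSize 5000

# AuditData is a JSON string; expand it to see what was touched and from where.
$events |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, Operation, ObjectId, ClientIP |
    Sort-Object CreationTime |
    Format-Table -AutoSize
```

Run it from an administrative workstation with an account that holds the Conditional Access, Global Reader or equivalent roles; the Conditional Access step in particular is left in report-only mode on purpose, because an MFA policy that locks out the break-glass account or a line-of-business service account is itself an availability incident. The audit search step is where the plan-level licensing differences mentioned above show up in practice: if the operations you need are not returned, check the Audit (Premium) licensing before assuming nothing happened.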

Once you’ve followed all these steps, you won’t have to wonder “Is Office 365 HIPAA compliant?” again.
Final answers

Is Office 365 HIPAA compliant? Yes, but with some caveats. Ensure your organization is acting within the requirements of HIPAA and that your employees stay up to date on new state and federal regulations related to HIPAA and the use of Office. If you are HIPAA compliant, Office 365 can be a great tool for your organization.

Do you have to use a BAA? If you would like to stay HIPAA compliant, yes. It is recommended that you implement the BAA before any ePHI is transmitted, accessed, or stored using Microsoft Office systems. This will ensure that when your staff uses the Office 365 platform, they do so while being HIPAA compliant.
What version of Office 365 is HIPAA compliant? Keep the Office apps on a current, supported version so that security updates are applied. Beyond that, the version matters less than the plan: Microsoft's BAA covers the in-scope Microsoft 365 business, enterprise and government services listed in Microsoft's Product Terms, not the consumer Microsoft 365 Personal and Family plans. With a BAA in place, and with proper configuration, use and training, you can meet HIPAA requirements.
Is Office 365 email encryption HIPAA compliant? Yes, email sent through Exchange Online is covered by the BAA. Within your own tenant, mail stays inside Microsoft's infrastructure and is encrypted at rest and in transit. Mail to external recipients is protected by TLS only when the receiving server supports it, so for ePHI sent outside your organization use Microsoft Purview Message Encryption (formerly Office 365 Message Encryption), applied through a mail flow rule or a sensitivity label, so that the message body and attachments stay encrypted all the way to the recipient. Email is not the right channel for large volumes of ePHI, but it is a workable way to discuss cases and exchange small amounts of information between employees and other covered entities. Note that not everything in an email is encrypted even then: the subject line, the "to" and "from" addresses and the other message headers travel in clear text. As long as you never put ePHI in those fields, Office 365 email encryption is sufficient.
Is Microsoft Excel HIPAA compliant? Yes. Excel can be used to tabulate and chart ePHI, with two practical cautions: keep workbooks in your tenant's OneDrive or SharePoint rather than on local drives or personal accounts, and control sharing links, because a spreadsheet is the easiest way to export an entire patient list by accident. With the BAA in place and trained staff, you are good to go.
Is Microsoft Word HIPAA compliant? Yes. If you have a BAA with Microsoft, the in-scope Office 365 services are covered, and Word documents containing ePHI are HIPAA compliant with proper storage, sharing controls and use.
