We originally wrote about Hotmail and its ability to provide HIPAA compliant email in 2015.
In our initial review, we found that Hotmail was not HIPAA compliant and should be avoided by healthcare professionals. Now that it's 2023, we'll revisit the question: Is Hotmail HIPAA compliant?
Hotmail was founded in 1996 as one of the world’s first free webmail services. It was acquired by Microsoft in 1997 and was soon rebranded as MSN Hotmail.
In 2013, Hotmail was replaced with Outlook.com, which features Microsoft’s Metro design language, and closely mimicked the interface of Microsoft Outlook. It should be noted that outlook.com is not the same product as Microsoft 365.
See related: Is Microsoft 365 HIPAA compliant?
Hotmail and the business associate agreement
There’s a primary item to consider when it comes to Hotmail and its ability to provide a HIPAA compliant email service.
First, let’s start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).
As we’ve previously discussed, HIPAA applies to covered entities, which includes healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance. In the case of Hotmail, the service would certainly fall into the category of business associate if it's servicing customers that would store, process, or transmit PHI on its email platform.
We checked Microsoft's site and found a page called, Health Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Economic and Clinical Health (HITECH) Act. The page outlines each Microsoft product that is considered in scope for the Microsoft BAA. Hotmail was not listed anywhere on the page.
Does Hotmail offer HIPAA compliant service?
The Business Associate Agreement (BAA) is a key component to HIPAA compliance between a covered entity and a business associate.
In regards to being considered a HIPAA compliant email solution, we were able to learn the following about Hotmail and its parent company Microsoft:
- Microsoft 365 can be HIPAA compliant and is considered in scope by the Microsoft BAA
- Hotmail however, is not covered by the Microsoft BAA
Conclusion: As we originally concluded in 2015, Hotmail remains not HIPAA compliant. It should be avoided by covered entities and business associates.