
Microsoft 365 fails HIPAA encryption standards when forcing TLS

Most healthcare organizations believe Microsoft 365 keeps their email secure. However, when we tested its encryption settings in a live environment, Microsoft sent protected health information (PHI) across the internet unencrypted.

This is a security failure, and it directly undermines HIPAA compliance.

How force TLS is supposed to work

When configured, Microsoft 365 will attempt to send email only if the recipient supports Transport Layer Security. If TLS isn’t available, most IT leaders expect the message will bounce or fail to send. That’s what many teams rely on to check the HIPAA encryption box.

What really happens in Microsoft 365

If the receiving server doesn't support the expected version of TLS, Microsoft will attempt a downgrade. If that also fails, Microsoft may send the message in cleartext. There’s no warning, no bounce, and no audit trail.

That means Protected Health Information (PHI) can be sent across the internet without encryption, and without the sender or receiver knowing.

In our controlled TLS experiment, we simulated sending messages to a server that only accepted outdated encryption protocols. Microsoft 365 did not bounce the message or block the transmission. Instead, it delivered the email in cleartext. The only way to detect this behavior was by manually inspecting the message headers.
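The header inspection the experiment relied on can be automated. The following is an added example written for this article, not Paubox's or Microsoft's code: it walks a message's Received headers and flags any hop that carries neither an RFC 3848 TLS keyword (ESMTPS/ESMTPSA) nor a version= annotation, and any hop that negotiated a version below TLS 1.2. The Exchange Online and Postfix header formats it matches are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string

# Constructed sample, not a real capture: the middle hop (a legacy gateway)
# took the message over plain ESMTP, with no TLS at all.
SAMPLE_MESSAGE = """\
Received: from legacy-gw.example.net (legacy-gw.example.net [192.0.2.10])
 by mx.recipient.example (Postfix) with ESMTPS id 4ABC123
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Fri, 1 Mar 2024 10:00:02 +0000
Received: from mail-nam02.outbound.protection.outlook.com ([203.0.113.5])
 by legacy-gw.example.net with ESMTP id 9XYZ789; Fri, 1 Mar 2024 10:00:01 +0000
Received: from SENDER.prod.outlook.com (2603:10b6::1) by
 RECEIVER.prod.outlook.com with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7339.24; Fri, 1 Mar 2024 10:00:00 +0000
Subject: Appointment details

Body omitted.
"""

# RFC 3848 "with" keywords whose trailing S means the session was TLS-protected,
# plus the version= annotation that Exchange Online and Postfix add (assumed formats).
TLS_KEYWORD = re.compile(r"\bwith\s+(?:UTF8)?(?:E?SMTP|LMTP)SA?\b", re.I)
TLS_VERSION = re.compile(r"version=((?:TLS|SSL)[\w.]*)", re.I)


def classify_hop(received: str) -> dict:
    """Who handled this hop, and whether (and which) TLS protected it."""
    h = re.sub(r"\r?\n[ \t]+", " ", received)  # unfold continuation lines
    src = re.search(r"\bfrom\s+(\S+)", h)
    dst = re.search(r"\bby\s+(\S+)", h)
    ver = TLS_VERSION.search(h)
    version = ver.group(1) if ver else None
    if not (TLS_KEYWORD.search(h) or ver):
        status = "cleartext"
    elif version and (version.upper().startswith("SSL") or
                      tuple(map(int, re.findall(r"\d", version))) < (1, 2)):
        status = "weak-tls"  # e.g. TLS1_0 / TLS1_1 after a protocol downgrade
    else:
        status = "tls"
    return {"from": src.group(1) if src else None, "by": dst.group(1) if dst else None,
            "version": version, "status": status}

def audit_received_headers(raw_message: str) -> list:
    """Classify every Received hop, ordered from the sender side to the recipient side."""
    msg = message_from_string(raw_message)
    return [classify_hop(h) for h in reversed(msg.get_all("Received", []))]

def unprotected_hops(raw_message: str) -> list:
    """Receiving hosts that accepted the message without adequate TLS."""
    return [h["by"] for h in audit_received_headers(raw_message) if h["status"] != "tls"]
```

Run over the sample, the audit reports the legacy gateway as the cleartext hop; a non-empty result from `unprotected_hops` on a real message is the evidence the headers would otherwise only reveal by hand.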

Why this violates HIPAA

HIPAA requires that electronic PHI be protected in transit using encryption. According to the Security Rule (45 CFR §164.312(e)(1)), covered entities must implement technical security measures to guard against unauthorized access when transmitting ePHI.

That means organizations must:

  • Ensure encryption is actually in use

  • Be able to document it

  • Prevent unauthorized access during transmission

When Microsoft silently delivers messages in cleartext, none of those conditions are met. And if PHI is exposed in transit, even unknowingly, it may still be considered a breach under HIPAA.

That can lead to:

Common misconceptions about force TLS and Microsoft 365

Many IT and compliance teams rely on outdated assumptions about how Microsoft 365 handles email encryption:

  • “TLS fallback is still encryption.” Not if it fails completely, resulting in cleartext.

  • “Force TLS is HIPAA compliant.” Not without visibility, version control, or guaranteed enforcement.

  • “Microsoft would never allow insecure delivery.” It does, and provides no alert when it happens.

Why this is a hidden risk

Healthcare IT is under pressure. Budgets are tight. Teams are stretched. Force TLS seems like a simple checkbox to ensure encryption, but in reality, it opens the door to invisible, noncompliant behavior that can’t be audited until it’s too late.

Microsoft doesn’t log when fallback to cleartext occurs. There is no notification. The sender thinks encryption was used—but it wasn’t. The organization has no way to prove otherwise.

What healthcare organizations need to understand

Force TLS is not a security strategy. Microsoft’s default behavior leaves healthcare organizations exposed.

Force TLS does not equal compliance. Encryption must be verifiable and enforced. If your platform silently fails, then you're not protected.

Learn more in our report: How Microsoft and Google Put PHI at Risk
