Most healthcare organizations believe Microsoft 365 keeps their email secure. However, when we tested its encryption settings in a live environment, Microsoft sent protected health information (PHI) across the internet unencrypted.
This is a security failure, and it directly undermines HIPAA compliance.
When TLS enforcement is configured, Microsoft 365 attempts to send email only if the receiving server supports Transport Layer Security (TLS). If TLS isn’t available, most IT leaders expect the message will bounce or fail to send. That’s what many teams rely on to check the HIPAA encryption box.
If the receiving server doesn't support the expected version of TLS, Microsoft will attempt a downgrade. If that also fails, Microsoft may send the message in cleartext. There’s no warning, no bounce, and no audit trail.
That means Protected Health Information (PHI) can be sent across the internet without encryption, and without the sender or receiver knowing.
In our controlled TLS experiment, we simulated sending messages to a server that only accepted outdated encryption protocols. Microsoft 365 did not bounce the message or block the transmission. Instead, it delivered the email in cleartext. The only way to detect this behavior was by manually inspecting the message headers.
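Because the only evidence of a cleartext hop is in the message headers, the check can be automated. The script below is an added example, not part of the original test or Microsoft's tooling: it walks the Received: chain of a message and flags any hop that shows no TLS evidence, relying on the RFC 3848 "with ESMTPS" keywords and the "(version=TLS1_2, ...)" annotation that Microsoft SMTP servers add. All hostnames and the sample message are constructed.

```python
"""Audit a message's Received: chain for hops that show no evidence of TLS."""
import email
import re
from email import policy

# RFC 3848 keywords that indicate the hop was protected by TLS.
TLS_KEYWORD = re.compile(r"\bwith\s+(?:ESMTPSA?|SMTPS|UTF8SMTPSA?|LMTPS)\b")
# Explicit version tag, e.g. "version=TLS1_2" (Microsoft) or "(TLSv1.2" (Postfix).
TLS_VERSION = re.compile(r"\bTLSv?1[._](\d)")
HOP = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)

# Constructed sample: the internal Microsoft hop used TLS 1.2, but the final
# delivery to a legacy MX was plain ESMTP with no TLS annotation at all.
SAMPLE_MESSAGE = """\
Received: from tenant-outbound.example.net (203.0.113.10)
 by legacy-mx.example.org (Postfix) with ESMTP id 4Qx1Ab
 for <clinic@example.org>; Mon, 3 Jun 2024 10:00:02 +0000
Received: from sender-host.example.net (203.0.113.5)
 by tenant-outbound.example.net with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7633.21;
 Mon, 3 Jun 2024 10:00:00 +0000
From: doctor@example.net
To: clinic@example.org
Subject: Lab results

(body omitted)
"""


def audit_received_chain(raw_message: str) -> list[dict]:
    """Return one record per Received: header, newest hop first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(str(header).split())  # unfold and collapse whitespace
        m = HOP.search(text)
        src, dst = (m.group(1), m.group(2)) if m else ("?", "?")
        v = TLS_VERSION.search(text)
        version = f"TLS1.{v.group(1)}" if v else None
        hops.append({
            "from": src, "by": dst, "tls_version": version,
            "encrypted": bool(TLS_KEYWORD.search(text) or version),
            "weak": version in ("TLS1.0", "TLS1.1"),  # downgraded, still flagged
        })
    return hops


def cleartext_hops(raw_message: str) -> list[str]:
    """Hops with no TLS evidence: the condition the headers alone reveal."""
    return [f"{h['from']} -> {h['by']}"
            for h in audit_received_chain(raw_message) if not h["encrypted"]]


if __name__ == "__main__":
    for hop in cleartext_hops(SAMPLE_MESSAGE):
        print("NO TLS EVIDENCE:", hop)
```

Run it over exported .eml files from a mail journal to get the audit trail the platform itself does not provide; a hop with no evidence is not proof of cleartext, but it is exactly the case that needs investigation.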
HIPAA requires that electronic PHI be protected in transit using encryption. According to the Security Rule (45 CFR §164.312(e)(1)), covered entities must implement technical security measures to guard against unauthorized access when transmitting ePHI.
That means organizations must:
Ensure encryption is actually in use
Be able to document it
Prevent unauthorized access during transmission
When Microsoft silently delivers messages in cleartext, none of those conditions are met. And if PHI is exposed in transit, even unknowingly, it may still be considered a breach under HIPAA.
That can lead to:
Reportable violations
Many IT and compliance teams rely on outdated assumptions about how Microsoft 365 handles email encryption:
“TLS fallback is still encryption.” Not if it fails completely, resulting in cleartext.
“Force TLS is HIPAA compliant.” Not without visibility, version control, or guaranteed enforcement.
“Microsoft would never allow insecure delivery.” It does, and provides no alert when it happens.
Healthcare IT is under pressure. Budgets are tight. Teams are stretched. Force TLS seems like a simple checkbox to ensure encryption, but in reality, it opens the door to invisible, noncompliant behavior that can’t be audited until it’s too late.
Microsoft doesn’t log when fallback to cleartext occurs. There is no notification. The sender thinks encryption was used—but it wasn’t. The organization has no way to prove otherwise.
Force TLS is not a security strategy. Microsoft’s default behavior leaves healthcare organizations exposed.
Force TLS does not equal compliance. Encryption must be verifiable and enforced. If your platform silently fails, then you're not protected.
Learn more in our report: How Microsoft and Google Put PHI at Risk