This week we got asked about Microsoft Exchange and an organization’s ability to use in a HIPAA compliant manner.
We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud services in this sector.
In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:
- Adobe Campaign
- Amazon Alexa
- Amazon CloudFront
- Apple iCloud
- Apple iMessage
- Citrix ShareFile
- Constant Contact
- Google Analytics
- Google Calendar
- Google Docs
- Google Drive
- Google Forms
- Google Hangouts
- Google Hangouts Chat
- Google Slides
- Google Voice
- Microsoft Teams
- Office 365
- Return Path
- Uber Health
Today, we will determine if Microsoft Exchange offers HIPAA compliant service or not.
SEE ALSO: HIPAA Breaches and Cloud Providers
Microsoft Exchange is a mail server and calendaring server developed by Microsoft. It runs exclusively on Windows Server operating systems.
The first version of Exchange Server was Exchange Server 4.0. The current version is Exchange Server 2019.
Microsoft is well-known for having confusing marketing language and Exchange is no exception.
In a nutshell, the original Microsoft Exchange server solution was designed to be installed on-premise (On-prem). In U.S. Healthcare, it’s no secret that on-prem Exchange servers remain prevalent.
Microsoft however, is also marketing Exchange Online, which is essentially Exchange in the cloud. To add to the confusion, Exchange Online is also bundled into Office 365.
For the purposes of this post, we will focus on the on-prem version of Microsoft Exchange Server.
Microsoft Exchange and the Business Associate Agreement
We’ve previously talked about how a Business Associate Agreement is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.
We’ve also previously covered that for its cloud offerings, the Microsoft Trust Center has a page called HIPAA and the HITECH Act. It outlines the cloud services covered by the Microsoft Business Associate Agreement (BAA).
Since the scope of this post is on-prem Microsoft Exchange, data on an on-prem Exchange server is not typically stored in Microsoft’s cloud. Therefore, Microsoft’s BAA would not apply in this scenario.
Exceptions to this would be:
- During a migration from on-prem Exchange to Office 365, organizations often migrate their email in sequences. This creates a hybrid situation of on-prem Exchange and Office 365 in the cloud.
- Some organizations backup their Exchange data to the cloud. This scenario is outside the scope of this post.
Microsoft Exchange Server (On-Prem Solution)
We can look at two high level aspects of HIPAA compliance when it comes to on-prem software solutions:
- Is the data at-rest on the server encrypted?
- Is the data in-motion that’s sent by the server encrypted?
As for the underlying server, Exchange must be run on the Windows Server Operating System. It’s fairly straightforward to encrypt entire disk drives on Windows Server. This would effectively cover the first aspect- encrypting data at-rest on the server.
As for the data in-motion as it applies to Microsoft Exchange outbound email, it does not offer encryption in transit for all email recipients. This is where solutions like the Paubox HIPAA Compliant Email can come in.
In a nutshell, Microsoft Exchange can leverage Paubox Encrypted Email to gain HIPAA compliance.
Data in Motion on Microsoft Exchange (Other Considerations)
Of note when it comes to data in-motion for Microsoft Exchange, it also offers:
- Webmail access via Outlook Web Access (OWA)
- POP access
- IMAP access
For OWA and HIPAA compliance, a secure SSL connection (HTTPS) must be in place for all webmail connections.
The same is true for POP and IMAP access, although we recommend disabling both of them. As a replacement, ActiveSync can be used, which is effectively better than both POP and IMAP.
NOTE: Consult with your Exchange Administrator regarding configuring your Exchange server in a HIPAA compliant manner.
Does Microsoft Exchange Offer HIPAA Compliant Service?
The Business Associate Agreement is a key component to HIPAA compliance between a covered entity and a business associate.
We saw that the on-premise versions of Microsoft Exchange can be configured for HIPAA compliance.
On-prem Microsoft Exchange Server can be configured for HIPAA compliance.
At a high level, here’s what needed:
- The data at-rest on the server is encrypted
- The data in-motion is encrypted
HIPAA Compliant Email solutions like Paubox can provide HIPAA compliance for all email data sent by Microsoft Exchange.
SEE ALSO: Setup Paubox with Microsoft Exchange