This week we got asked about Microsoft Exchange and an organization's ability to use it in a HIPAA compliant manner. We know the HIPAA industry is vast, so we can empathize with just how many people need to use cloud services in this sector.
In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:
Today, we will determine whether or not Microsoft Exchange offers a HIPAA compliant service.
SEE ALSO: HIPAA Breaches and Cloud Providers
Microsoft Exchange is a mail server and calendaring server developed by Microsoft. It runs exclusively on Windows Server operating systems. The first version of Exchange Server was Exchange Server 4.0. The current version is Exchange Server 2019. Microsoft is well-known for having confusing marketing language, and Exchange is no exception. In a nutshell, the original Microsoft Exchange Server solution was designed to be installed on-premises (on-prem). In U.S. healthcare, it's no secret that on-prem Exchange servers remain prevalent. Microsoft, however, also markets Exchange Online, which is essentially Exchange in the cloud. To add to the confusion, Exchange Online is also bundled into Microsoft 365. For the purposes of this post, we will focus on the on-prem version of Microsoft Exchange Server.
We’ve previously talked about how a Business Associate Agreement is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance. We've also previously covered that, for its cloud offerings, the Microsoft Trust Center has a page called HIPAA and the HITECH Act. It outlines the cloud services covered by the Microsoft Business Associate Agreement (BAA). The scope of this post is on-prem Microsoft Exchange, and data on an on-prem Exchange server is not typically stored in Microsoft's cloud. Therefore, Microsoft's BAA would not apply in this scenario. Exceptions to this would be:
We can look at two high-level aspects of HIPAA compliance when it comes to on-prem software solutions:
Of note, when it comes to data in motion, Microsoft Exchange also offers:
The Business Associate Agreement is a key component of HIPAA compliance between a covered entity and a business associate. We saw that the on-premises versions of Microsoft Exchange can be configured for HIPAA compliance.
On-prem Microsoft Exchange Server can be configured for HIPAA compliance.
At a high level, here’s what’s needed:
HIPAA Compliant Email solutions like Paubox can provide HIPAA compliance for all email data sent by Microsoft Exchange.
SEE ALSO: Setup Paubox with Microsoft Exchange