We originally wrote about Microsoft 365 and its ability to provide HIPAA compliant email in 2017.
In that initial review, we found that three versions of Microsoft 365 were covered by Microsoft's BAA and could therefore be used in a HIPAA compliant manner.
It should be noted that Microsoft 365 is the brand name Microsoft uses for a bundle of disparate services such as email, storage, and chat. Microsoft formerly referred to it as Office 365.
Now that it's 2023, Microsoft may have changed its stance on providing HIPAA compliant email service. As such, we'll revisit the question: Is Microsoft 365 HIPAA compliant?
See related: Is Hotmail HIPAA compliant? (2023 update)
About Microsoft 365
Microsoft 365 is a subscription-based service that provides access to a suite of Microsoft's productivity and collaboration tools, including the latest versions of Windows, Office applications (Word, Excel, PowerPoint, etc.), email, and storage (OneDrive). It also includes various enterprise-level security and management features.
Microsoft 365 and the business associate agreement
There is one primary item to consider when it comes to Microsoft 365 and its ability to provide a HIPAA compliant service: the business associate agreement.
Before getting to it, let's start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals' personal health information, otherwise known as protected health information (PHI).
As we've previously discussed, HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities, which are entities that perform certain functions or activities involving PHI on behalf of the covered entity.
A business associate agreement (BAA) is a written contract between a covered entity and a business associate, and it is required by law for HIPAA compliance. In the case of Microsoft 365, Microsoft would certainly fall into the category of business associate if it is servicing customers that store, process, or transmit PHI on its platform.
We checked Microsoft's site and found a page called Health Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Economic and Clinical Health (HITECH) Act. The page outlines each Microsoft product that is considered in scope for the Microsoft BAA.
The page is a bit confusing, as it refers to Microsoft 365 as Office 365 in numerous places. In a nutshell, however, we were able to learn that the following versions of Microsoft 365 are considered in scope of the Microsoft BAA:
- Office 365 (Commercial). The commercial public Office 365 cloud service available globally.
- Office 365 Government Community Cloud (GCC). The Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
- Office 365 Government Community Cloud - High (GCC High). The Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information.
- Office 365 DoD (DoD). The Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations.
Does Microsoft 365 offer HIPAA compliant email service?
The business associate agreement (BAA) is the key component of HIPAA compliance between a covered entity and a business associate.
In regards to being considered a HIPAA compliant email solution, we were able to learn the following about Microsoft 365 and the company behind it, Microsoft:
- Four versions of Microsoft 365 (Office 365 Commercial, GCC, GCC High, and DoD) are considered in scope by the Microsoft BAA and can therefore be used in a HIPAA compliant manner.
Conclusion: As we originally concluded in 2017, Microsoft 365 remains HIPAA compliant.
In addition, the Microsoft BAA has expanded to include an even wider array of Microsoft 365 versions than it did in 2017.
Make sure you sign a BAA with Microsoft before using Microsoft 365 to store or transmit any PHI. Keep in mind that a signed BAA is necessary but not sufficient: the covered entity remains responsible for configuring and using the service in a way that protects PHI.