Lately we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. Office 365 by Microsoft is the brand name its chosen as it moves its services such as email, storage, and chat into the cloud.
For the purposes of this post, we will focus on the email component of Office 365.
We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.
In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:
- Amazon CloudFront
- Apple iCloud
- Citrix ShareFile
- Google Drive
- Google Forms
- Google Hangouts
The goal of this post is to determine if Microsoft Office 365 offers HIPAA compliant email or not.
SEE ALSO: HIPAA Breaches and Cloud Providers
About Office 365
Office 365 is the brand name Microsoft uses for a group of software and services subscriptions, which together provide productivity software and related services to subscribers.
For business users, Office 365 offers service plans providing e-mail, chat, cloud storage, as well as access to the Microsoft Office software.
Microsoft Office 365 and the Business Associate Agreement
We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance to ensure security and privacy.
We checked the Microsoft Azure Trust Center and found a page called HIPAA and the HITECH Act.
In it, Microsoft wisely points out:
“Currently there is no official certification for HIPAA or HITECH Act compliance. However, those Microsoft services covered under the BAA have undergone audits conducted by accredited independent auditors for the Microsoft ISO/IEC 27001 certification.”
We also found on that page that several versions of Office 365 are covered by Microsoft’s BAA. Those versions are:
- Office 365
- Office 365 U.S. Government
- Office 365 U.S. Government Defense
Does Microsoft Office 365 Offer HIPAA Compliant Service?
The Business Associate Agreement is a key component to HIPAA compliance between a covered entity and a business associate. Since Microsoft Office 365 offers one, we conclude it is in fact a HIPAA compliant email solution.
Conclusion: Three versions of Microsoft Office 365 are HIPAA Compliant and adhere to regulatory compliance for healthcare providers and healthcare organizations.
Make sure you sign a BAA with Microsoft before using Office 365 to store or transmit any PHI.