Lately we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. Microsoft 365 is the brand name its chosen as it moves its services such as email, storage, and chat into the cloud.
For the purposes of this post, we will focus on the email component of Microsoft 365.
We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.
In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:
- Amazon CloudFront
- Apple iCloud
- Citrix ShareFile
- Google Drive
- Google Forms
- Google Hangouts
The goal of this post is to determine if Microsoft 365 offers HIPAA compliant email or not.
SEE ALSO: HIPAA Breaches and Cloud Providers
About Microsoft 365
Microsoft 365 is the brand name Microsoft uses for a group of software and services subscriptions, which together provide productivity software and related services to subscribers.
For business users, Microsoft 365 offers service plans providing e-mail, chat, cloud storage, as well as access to the Microsoft Office software.
Microsoft 365 and the Business Associate Agreement
We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance to ensure security and privacy.
We checked the Microsoft Azure Trust Center and found a page called HIPAA and the HITECH Act.
In it, Microsoft wisely points out:
“Currently there is no official certification for HIPAA or HITECH Act compliance. However, those Microsoft services covered under the BAA have undergone audits conducted by accredited independent auditors for the Microsoft ISO/IEC 27001 certification.”
We also found on that page that several versions of Microsoft 365 are covered by Microsoft’s BAA. Those versions are:
- Microsoft 365
- Microsoft 365 U.S. Government
- Microsoft 365 U.S. Government Defense
Does Microsoft 365 Offer HIPAA Compliant Service?
The Business Associate Agreement is a key component to HIPAA compliance between a covered entity and a business associate. Since Microsoft 365 offers one, we conclude it can be a HIPAA compliant email solution.
Conclusion: Three versions of Microsoft 365 are HIPAA Compliant and are able to adhere to regulatory compliance for healthcare organizations.
Make sure you sign a BAA with Microsoft before using Microsoft 365 to store or transmit any protected health information (PHI).