Is Microsoft Exchange HIPAA compliant?


This week we were asked whether Microsoft Exchange can be used in a HIPAA compliant manner.

We know the healthcare sector is vast, so we can empathize with just how many organizations need to run email and other services in a HIPAA compliant manner.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

Today, we will determine whether Microsoft Exchange can offer HIPAA compliant service.

SEE ALSO: HIPAA Breaches and Cloud Providers

Microsoft Exchange

Microsoft Exchange is a mail server and calendaring server developed by Microsoft. It runs exclusively on Windows Server operating systems.

The first version of Exchange Server was Exchange Server 4.0. The current version, as of this writing, is Exchange Server 2019.

Microsoft is well-known for having confusing marketing language and Exchange is no exception.

In a nutshell, the original Microsoft Exchange Server was designed to be installed on-premises (on-prem). In U.S. healthcare, it's no secret that on-prem Exchange servers remain prevalent.

Microsoft, however, also markets Exchange Online, which is essentially Exchange hosted in Microsoft's cloud. To add to the confusion, Exchange Online is also bundled into Microsoft 365.

For the purposes of this post, we will focus on the on-prem version of Microsoft Exchange Server.

Microsoft Exchange and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We’ve also previously covered that for its cloud offerings, the Microsoft Trust Center has a page called HIPAA and the HITECH Act. It outlines the cloud services covered by the Microsoft Business Associate Agreement (BAA).

This post is about on-prem Exchange, where mailbox data lives on servers the organization runs and is not stored in Microsoft's cloud. Microsoft never handles the PHI, so Microsoft's BAA does not apply in this scenario.

Exceptions to this would be:

  • During a migration from on-prem Exchange to Microsoft 365, organizations often move mailboxes in batches, leaving a hybrid of on-prem Exchange and Microsoft 365 for a time. Microsoft's BAA covers the mailboxes that have moved to Exchange Online; the on-prem side remains the organization's responsibility.
  • Some organizations back up their Exchange data to the cloud. Whoever stores that backup holds PHI and is a business associate that needs its own BAA, but that scenario is outside the scope of this post.

Microsoft Exchange Server (On-Prem Solution)

For an on-prem software product, two high-level aspects of HIPAA compliance come down to the product and the server it runs on (the Security Rule also requires access controls, audit logging and a risk analysis, but those are operational rather than Exchange-specific):

  • Is the data at-rest on the server encrypted?
  • Is the data in-motion that’s sent by the server encrypted?

As for the underlying server, Exchange must run on Windows Server, which includes BitLocker for full-volume encryption, so encrypting the volumes that hold the mailbox databases, transaction logs and transport queues is straightforward. That covers the first aspect, data at rest, against the threat it addresses: a stolen disk, a decommissioned server, or a backup image read offline. It does not protect data read through the running server, so access control and auditing on the server itself still matter.

SEE ALSO: Free Windows Encryption tools for HIPAA Compliance
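As an added example (not code from the original post, from Paubox or from Microsoft), the following PowerShell audits whether every volume holding a mailbox database, its transaction logs or the transport queue on this server is actually protected by BitLocker, and includes a helper that enables BitLocker on a data volume. It assumes it is run in the Exchange Management Shell on the Mailbox server, that the BitLocker feature is installed, that the OS volume is already encrypted (auto-unlock depends on it) and that the AD DS recovery-key escrow policy is in place. The function names are ours; the cmdlets are Exchange's and Windows'.

```powershell
# Added example, not part of the original post. Assumes the Exchange
# Management Shell on a Mailbox server where the BitLocker feature has been
# installed (Install-WindowsFeature BitLocker -IncludeManagementTools, then
# reboot). Function names are our own choice.

function Get-ExchangeDataVolumes {
    # Drive roots that hold PHI on this server: every .edb file, its
    # transaction logs, and the transport queue under the install path
    # (mail in transit sits there until it is delivered).
    $roots = foreach ($db in Get-MailboxDatabase -Server $env:COMPUTERNAME) {
        [System.IO.Path]::GetPathRoot($db.EdbFilePath.PathName)
        [System.IO.Path]::GetPathRoot($db.LogFolderPath.PathName)
    }
    $roots += [System.IO.Path]::GetPathRoot($env:ExchangeInstallPath)
    $roots | Sort-Object -Unique | ForEach-Object { $_.TrimEnd('\') }   # "D:\" -> "D:"
}

function Test-ExchangeVolumeEncryption {
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        throw 'The BitLocker feature is not installed on this server.'
    }
    foreach ($mount in Get-ExchangeDataVolumes) {
        $vol = Get-BitLockerVolume -MountPoint $mount
        [pscustomobject]@{
            Volume     = $mount
            # Only FullyEncrypted *and* ProtectionStatus On protects an offline
            # disk. EncryptionInProgress, or a suspended volume (protectors
            # cleared, ProtectionStatus Off), still exposes the database.
            Compliant  = ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'On')
            Status     = $vol.VolumeStatus
            Protection = $vol.ProtectionStatus
            Method     = $vol.EncryptionMethod
        }
    }
}

function Enable-ExchangeDataVolumeEncryption {
    param([Parameter(Mandatory)][string]$MountPoint)   # e.g. 'D:'
    # Data volumes get a recovery-password protector and are auto-unlocked by
    # the (already encrypted) OS volume, so the server still boots unattended.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -RecoveryPasswordProtector
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    # Escrow the recovery password in AD DS (requires the BitLocker recovery
    # GPO); never leave it on the server it unlocks.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    Enable-BitLockerAutoUnlock -MountPoint $MountPoint
}

# Usage: Test-ExchangeVolumeEncryption | Format-Table
```

The audit deliberately treats anything other than FullyEncrypted with protection On as non-compliant: a volume left in EncryptionInProgress after a reboot, or suspended for a firmware update and never resumed, looks encrypted in the GUI but can be read straight off the disk.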

As for data in motion, Exchange's outbound SMTP uses opportunistic TLS: it offers STARTTLS to the receiving server, but if that server does not advertise it the message goes out in cleartext, and the sender is never told. An administrator can force TLS per destination domain on a Send Connector, but not for every recipient on the Internet, so Exchange alone cannot guarantee encryption in transit to all email recipients. This is where solutions like the Paubox HIPAA Compliant Email can come in.

In a nutshell, Microsoft Exchange can leverage Paubox Email Suite to gain HIPAA compliance.
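As an added example (not code from the original post, from Paubox or from Microsoft), the PowerShell below shows the opportunistic-TLS gap on each Send Connector and then pins TLS, with certificate and domain validation, for a single partner domain. It assumes the Exchange Management Shell on the Mailbox server; `partner.example` and the connector name are placeholders, and the function names are ours.

```powershell
# Added example, not part of the original post. Assumes the Exchange
# Management Shell; "partner.example" and the connector name are placeholders.

function Get-OutboundTlsPosture {
    # RequireTLS is $false on a default Internet send connector: Exchange
    # offers STARTTLS but falls back to cleartext SMTP whenever the receiving
    # MX does not advertise it, and nothing in the message tells the sender.
    Get-SendConnector | ForEach-Object {
        [pscustomobject]@{
            Name          = $_.Name
            AddressSpaces = ($_.AddressSpaces -join ', ')
            RequireTLS    = $_.RequireTLS
            TlsAuthLevel  = $_.TlsAuthLevel   # EncryptionOnly, CertificateValidation or DomainValidation
            TlsDomain     = $_.TlsDomain
            Posture       = if ($_.RequireTLS) { 'TLS enforced' } else { 'opportunistic: PHI may leave in cleartext' }
        }
    }
}

function New-RequiredTlsConnector {
    param(
        [Parameter(Mandatory)][string]$PartnerDomain,
        [string]$Name = "Require TLS to $PartnerDomain"
    )
    # A connector whose address space names the partner domain is more specific
    # than the "*" Internet connector, so Exchange routes only that domain's
    # mail through it. Setting RequireTLS on "*" instead would bounce every
    # message to a recipient whose server lacks STARTTLS.
    New-SendConnector -Name $Name -Usage Custom `
        -AddressSpaces "SMTP:$PartnerDomain;1" `
        -DNSRoutingEnabled $true `
        -SourceTransportServers $env:COMPUTERNAME `
        -RequireTLS $true `
        -TlsAuthLevel DomainValidation `
        -TlsDomain $PartnerDomain
    # DomainValidation also checks that the partner's certificate is issued
    # for $PartnerDomain, so an interceptor presenting some other valid
    # certificate is refused, not just an untrusted one.
    # Protocol logging makes the STARTTLS exchange visible under
    # %ExchangeInstallPath%TransportRoles\Logs\Hub\ProtocolLog\SmtpSend.
    Set-SendConnector -Identity $Name -ProtocolLoggingLevel Verbose
}

# Usage: Get-OutboundTlsPosture | Format-Table
#        New-RequiredTlsConnector -PartnerDomain 'partner.example'
```

Run the posture report first: the connector named "*" (or whatever routes to the Internet) will almost always show `RequireTLS = False`, which is the claim in the paragraph above made visible. The per-domain connector is the right tool for a known trading partner; for everyone else, only a gateway that handles delivery on your behalf can close the gap.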

Data in Motion on Microsoft Exchange (Other Considerations)

Beyond SMTP, Exchange also exposes mailbox data in motion over:

  • Webmail access via Outlook Web Access (OWA)
  • POP access
  • IMAP access

For OWA and HIPAA compliance, every webmail connection must be over HTTPS (TLS), with the virtual directory set to require it so that a plain HTTP request is refused rather than served.

The same is true for POP and IMAP access, although we recommend disabling both: they exist to download mail to a client, and the server cannot enforce any policy on the device holding the copy. Exchange ActiveSync is a better replacement: it runs over the same HTTPS endpoint as OWA and lets the server push mailbox policies (device PIN, encryption, remote wipe) that neither POP nor IMAP supports.
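As an added example (not code from the original post, from Paubox or from Microsoft), this PowerShell, run from the Exchange Management Shell on the Mailbox server, checks that the /owa virtual directory still requires HTTPS, disables the POP3 and IMAP4 services and the per-mailbox flags, and reports what exposure remains. It assumes the IIS WebAdministration module is available; the function names are ours, the cmdlets are Exchange's and IIS's.

```powershell
# Added example, not part of the original post. Assumes the Exchange
# Management Shell on the Mailbox server with the IIS WebAdministration
# module available. Function names are our own choice.

function Test-OwaRequiresHttps {
    Import-Module WebAdministration
    # Exchange setup marks /owa as "Require SSL"; confirm nobody relaxed it.
    $path = 'IIS:\Sites\Default Web Site\owa'
    $prop = Get-WebConfigurationProperty -PSPath $path `
                -Filter 'system.webServer/security/access' -Name 'sslFlags'
    $flags = if ($prop -is [string]) { $prop } else { [string]$prop.Value }
    if ($flags -notmatch '\bSsl\b') {
        Set-WebConfigurationProperty -PSPath $path `
            -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
        return 'OWA was reachable over plain HTTP; Require SSL re-enabled'
    }
    'OWA requires HTTPS'
}

function Disable-ExchangePopImap {
    # Exchange 2013 and later run each protocol as a client-access service
    # (ports 110/995, 143/993) and a back-end service (1995, 1993); stop and
    # disable all four so neither half can be started by hand.
    foreach ($svc in 'MSExchangePOP3', 'MSExchangePOP3BE', 'MSExchangeIMAP4', 'MSExchangeIMAP4BE') {
        Stop-Service -Name $svc -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
    }
    # If the services are ever re-enabled, refuse cleartext logons anyway.
    Set-PopSettings  -LoginType SecureLogin
    Set-ImapSettings -LoginType SecureLogin
    # Also turn the protocols off per mailbox; new mailboxes get
    # PopEnabled/ImapEnabled = $true by default.
    Get-CASMailbox -ResultSize Unlimited -Filter 'PopEnabled -eq $true -or ImapEnabled -eq $true' |
        Set-CASMailbox -PopEnabled $false -ImapEnabled $false
}

function Get-PopImapExposure {
    # Evidence for the compliance file: listener state, logon policy, and how
    # many mailboxes could still use POP/IMAP if a listener came back.
    [pscustomobject]@{
        PopService        = (Get-Service -Name MSExchangePOP3).Status
        ImapService       = (Get-Service -Name MSExchangeIMAP4).Status
        PopLoginType      = (Get-PopSettings).LoginType
        ImapLoginType     = (Get-ImapSettings).LoginType
        MailboxesWithPop  = @(Get-CASMailbox -ResultSize Unlimited -Filter 'PopEnabled -eq $true').Count
        MailboxesWithImap = @(Get-CASMailbox -ResultSize Unlimited -Filter 'ImapEnabled -eq $true').Count
    }
}

# Usage: Test-OwaRequiresHttps; Disable-ExchangePopImap; Get-PopImapExposure
```

Disabling the services alone is not enough for the audit trail: the per-mailbox flags are what a future administrator will see when someone asks for IMAP "just for one account", so clearing them records the decision where it will be found.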

NOTE: Consult with your Exchange Administrator regarding configuring your Exchange server in a HIPAA compliant manner.

Does Microsoft Exchange Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component of HIPAA compliance between a covered entity and a business associate. For on-prem Exchange there is no BAA with Microsoft, because Microsoft never touches the PHI; compliance rests on how the organization configures and operates the server.

We saw that the on-premises versions of Microsoft Exchange can be configured for HIPAA compliance.

Conclusion:

On-prem Microsoft Exchange Server can be configured for HIPAA compliance.

At a high level, here's what's needed:

  • The data at-rest on the server is encrypted
  • The data in-motion is encrypted

HIPAA Compliant Email solutions like Paubox can provide HIPAA compliance for all email data sent by Microsoft Exchange.

SEE ALSO: Setup Paubox with Microsoft Exchange

Try Paubox Email Suite for FREE today.

About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.

