February 10, 2022

Is Office 365 HIPAA Compliant?

I once had a patient who used a fake ID to get healthcare services. The hospital staff called the police, who arrested the patient. The patient was an illegal immigrant, an undocumented alien. The hospital got hammered in the press for reporting this illegal alien who was trying to get healthcare. Such incidents occur when we don't have, or don't follow, standards for the privacy and security of health information. HIPAA, the Health Insurance Portability and Accountability Act of 1996, was enacted in part to combat fraud and abuse in health care and to set national standards for protecting health information. If you work in the industry, you have heard about HIPAA compliance thousands of times. The importance of keeping health information confidential and protecting it electronically is pounded into us daily, for good reason.

HIPAA is a federal regulation that applies to two types of organizations: covered entities (health plans, healthcare clearinghouses, and providers that transmit health information electronically) and the business associates that handle protected health information on their behalf. HIPAA is a two-sided coin, and for patients both heads and tails are winners.


What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is U.S. legislation that establishes privacy and security requirements for sensitive medical information. The law has grown in importance over the years with the proliferation of electronic health data and with the security breaches caused by cyberattacks on both health insurers and providers.

One original purpose of HIPAA was to preserve health insurance coverage for workers who lose or change their jobs. By standardizing the electronic transmission of administrative and financial transactions, HIPAA also reduces administrative burden and the cost of health care. There are other goals as well, including identifying fraud, abuse, and waste in the delivery of health care and simplifying access to long-term care services and health insurance.

HIPAA Privacy Rule

The Privacy Rule protects individually identifiable health information, known as protected health information (PHI), held or transmitted by a covered entity or its business associates. Examples of what it covers include:

  • The patient's name, address, birth date, and Social Security number
  • The person's physical or mental health condition, the care provided, and payment for that care

HIPAA Security Rule

The HIPAA Security Rule sets national standards for securing patient data that is stored or transmitted electronically (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI while it is created, received, maintained, or transmitted.

HIPAA Compliance

Healthcare companies often rely on third-party vendors, such as IT and cloud providers. In doing so they run the risk of exposing PHI and violating HIPAA. Any vendor that creates, receives, maintains, or transmits PHI on a covered entity's behalf is a Business Associate (BA) and must sign a Business Associate Agreement (BAA) before it handles that data. To find vendors that will sign one, organizations can use vendor directories such as the HIPAA Alliance Marketplace.

Is Microsoft 365 (Formerly Known as Office 365) HIPAA Compliant?

Microsoft offers a HIPAA Business Associate Agreement (BAA) covering its in-scope Microsoft 365 and Office 365 services as part of its standard licensing terms (the Product Terms, formerly the Online Services Terms), so a covered entity does not have to negotiate one separately. The BAA does not make every plan equivalent, however. To meet all requirements you still need to buy the right license: audit logging and log retention, data loss prevention, and eDiscovery capabilities differ between plans, and a signed BAA does not add features the plan lacks.

Microsoft Azure is covered by the same BAA for its in-scope services, so it can be used for secure storage and processing of ePHI. Azure also provides a broad set of in-scope services for data management, machine learning, and other workloads.

The Microsoft HIPAA Business Associate Agreement

To support your digital transformation, you want to meet your compliance requirements your way, while choosing from a wide range of services. So you want a HIPAA BAA that covers many services and leaves you flexibility and choice.

How to Get a Signed BAA from Microsoft

Communication Square provides digital flexibility with Microsoft Office 365 together with HIPAA assurance. We can provide you with a Business Associate Agreement that takes the worry off your shoulders. Start exploring our Healthcare Solution to transform your business with the digital flexibility of Microsoft Office 365 and HIPAA compliance. Microsoft itself states:

"By offering a BAA, Microsoft helps support your HIPAA compliance standards, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act." – Microsoft Corporation

Office 365 Apps that Are HIPAA Compliant

With constantly evolving security threats, combined with the complexity of meeting HIPAA regulatory mandates, hospitals today need as many built-in compliance features as possible. The Microsoft 365 information protection suite gives organizations integrated, turn-key security controls that were not previously available.

Outlook 365

Outlook, including the browser-based Outlook on the web, offers compliant email options through Microsoft Purview Message Encryption (formerly Office 365 Message Encryption). A HIPAA covered entity can send an encrypted email containing ePHI to any recipient, who then has two ways to open it.

A recipient with a Microsoft account (or a work or school account) signs in to read the message. A recipient without one requests a one-time passcode, which is emailed to the same address, so the message cannot be read by anyone who merely intercepts it in transit. So the answer to the frequently asked question "Is Outlook 365 HIPAA compliant?" is yes, provided it is configured that way. Data loss prevention (DLP) policies show the sender a policy tip when a draft contains sensitive data, and can block a message outright if it contains identifiers such as a Social Security number or health insurance number. Configured together, message encryption and DLP ensure that ePHI leaves the tenant only through encrypted channels, or not at all.
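The two controls described above, as an added example written for this page rather than taken from the original post or from Microsoft's documentation: a mail flow rule that applies the "Encrypt" template to outbound mail matching the built-in Social Security number sensitive information type, and a DLP policy that blocks such mail to external recipients and emails an incident report. The tenant (contoso.example), the admin and clinician addresses, the rule and policy names, the recipient of the incident report and the policy-tip wording are placeholders; the cmdlets, parameters and the SSN sensitive information type name are real, from the ExchangeOnlineManagement module.

```powershell
# Added example (not from the original post or Microsoft's docs).
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account holds Exchange Administrator and Compliance Administrator roles.
# All names, addresses and text strings below are placeholders.

# Exchange Online session (mail flow rules) and Security & Compliance session (DLP).
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
Connect-IPPSSession   -UserPrincipalName admin@contoso.example

# 1. Check that message encryption is actually licensed and working for a real
#    sender before any rule depends on it. Test-IRMConfiguration encrypts and
#    decrypts a test message on behalf of that sender.
Get-IRMConfiguration | Select-Object AzureRMSLicensingEnabled, SimplifiedClientAccessEnabled
Test-IRMConfiguration -Sender clinician@contoso.example

# 2. Mail flow rule: any message leaving the organization that contains at least
#    one U.S. SSN is protected with the "Encrypt" template. The recipient opens it
#    by signing in or with a one-time passcode, as described in the text.
New-TransportRule -Name "Encrypt outbound ePHI" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{Name = "U.S. Social Security Number (SSN)"; minCount = "1"} `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Comments "Placeholder scope: add the sensitive information types your privacy officer selects"

# 3. DLP policy: block, rather than merely encrypt, external mail that carries an
#    SSN, tell the sender why, and send an incident report to the privacy officer.
#    Start in test mode with notifications so users see policy tips while you
#    measure false positives; switch -Mode to Enable once the rule is tuned.
New-DlpCompliancePolicy -Name "HIPAA ePHI - email" `
    -ExchangeLocation All `
    -Mode TestWithNotifications

New-DlpComplianceRule -Name "Block external ePHI" -Policy "HIPAA ePHI - email" `
    -ContentContainsSensitiveInformation @{Name = "U.S. Social Security Number (SSN)"; minCount = "1"} `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This message appears to contain patient identifiers and cannot be sent externally." `
    -GenerateIncidentReport "privacyofficer@contoso.example" `
    -IncidentReportContent All

# Review what was created. Rules apply within the hour; test with a message
# that contains a sample SSN such as 078-05-1120 (a known test value).
Get-TransportRule -Identity "Encrypt outbound ePHI" | Format-List Name, State, ApplyRightsProtectionTemplate
Get-DlpComplianceRule -Policy "HIPAA ePHI - email" | Format-List Name, BlockAccess, AccessScope
```

The encrypt rule and the DLP rule deliberately overlap: the mail flow rule protects anything that slips through the DLP rule's scope (for example mail the privacy officer later exempts), while the DLP rule is the one that generates policy tips and incident reports, which is the evidence an auditor will ask for.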

Microsoft Teams

Healthcare professionals and healthcare businesses strive to provide the best possible care. Microsoft Teams enables simple, secure collaboration and communication with messages, video, voice, and tools in a single hub, and is among the services covered by Microsoft's BAA, which supports compliance with HIPAA, HITECH, and more. It lets you bring together patients and clinicians with high-quality audio, video, and screen sharing in a secure meeting experience to support your telehealth workflows.

SharePoint Online

No software platform is HIPAA compliant on its own; compliance is a property of how an organization uses the platform. SharePoint Online does, however, provide the administrative and technical safeguards needed to meet the HIPAA Rules, so HIPAA-covered entities and the wider healthcare industry can use it.

Microsoft meets its responsibilities as a business associate, but it is the customer's responsibility to ensure that the HIPAA Rules are followed and that the platform is configured correctly. Covered entities must set access controls for individuals or roles, enable audit controls, monitor the logs, complete the security configuration, and train users on the platform and on the restrictions HIPAA imposes.


OneDrive for Business

There is no problem with HIPAA-covered customers using OneDrive. Microsoft supports HIPAA compliance across many of its cloud services, and OneDrive, like SharePoint, can be used without violating the HIPAA Rules as long as it is configured and monitored properly.

Before OneDrive – or any cloud service – can be used to create, store, or send files containing the electronically protected health information of patients.
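The configuration and monitoring duties listed for SharePoint Online and OneDrive above (audit controls enabled, logs reviewed, sharing configured) as an added example that is not part of the original post or of Microsoft's documentation. It checks that unified audit logging is switched on, restricts external sharing to authenticated guests with an expiry, and pulls the last seven days of file download and sharing events for review. The tenant name contoso, the admin address, the 30-day expiry, and the CSV path are placeholders; the cmdlets, parameters and audit operation names are real ones from the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules.

```powershell
# Added example (not from the original post or Microsoft's docs).
# Assumes both the ExchangeOnlineManagement and
# Microsoft.Online.SharePoint.PowerShell modules are installed and the
# account is a Global or SharePoint Administrator. Names are placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# 1. Audit controls. Without unified audit log ingestion there is no record
#    of who touched ePHI, and Search-UnifiedAuditLog returns nothing.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning "Unified audit logging was off; events before now were not recorded."
}

# 2. Access control. Weak setting: "ExternalUserAndGuestSharing" lets anyone
#    with a link open a file. Corrected setting: only authenticated external
#    users, default links stay internal, and guest access expires after 30 days.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 30

# 3. Log review. Pull SharePoint/OneDrive file download and sharing events
#    for the last 7 days. One call returns at most 5,000 rows, so page through
#    a session until a short page arrives.
$start  = (Get-Date).AddDays(-7)
$end    = Get-Date
$events = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations FileDownloaded, FileSyncDownloadedFull, AnonymousLinkCreated, SharingSet `
        -ResultSize 5000 -SessionId "ephi-weekly-review" -SessionCommand ReturnLargeSet
    $events += $page
} while ($page.Count -eq 5000)

# AuditData is a JSON string; flatten the fields a reviewer needs.
$rows = $events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        Site      = $d.SiteUrl
        File      = $d.SourceFileName
        ClientIP  = $d.ClientIP
    }
}

# Keep the full record for the audit trail, and surface the events that
# changed who can reach a file (these deserve a human look every week).
$rows | Sort-Object When | Export-Csv .\ephi-file-activity.csv -NoTypeInformation
$rows | Where-Object { $_.Operation -in 'AnonymousLinkCreated', 'SharingSet' } |
    Sort-Object When | Format-Table -AutoSize
```

Retention matters as much as the search: the unified audit log keeps events only for the period your plan allows, so export the CSV somewhere that meets your own record-keeping policy rather than relying on re-running the query later.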

Which Office 365 Plans are HIPAA Compliant?

The answer depends on the plan you purchase. And if the plan you have is not sufficient on its own, can it be made HIPAA compliant? Absolutely. We have seen the range of security tools and measures Microsoft offers to protect data. To sum up, the steps to make Office 365 HIPAA compliant are:

  • Encrypt ePHI in transit and at rest (message encryption for email, service-side encryption for stored data)
  • Retain records and keep audit logs, and review them
  • Require multi-factor authentication for every user account
  • Set up processes and access control mechanisms (role-based access, least privilege)
  • Enable remote wipe for lost or stolen devices

Some of these capabilities are available in the basic Microsoft 365 plans, but organizations need the more advanced features to comply fully with HIPAA. Meeting these compliance challenges is as much about configuring the available services correctly as it is about purchasing the appropriate package. The differences between Microsoft 365 Business Premium and the Enterprise plans matter here: all of the features are included in Office 365 Enterprise E5, whereas with Office 365 Enterprise E3 several of them are add-ons, which makes assembling a HIPAA-ready configuration on E3 more work.

Microsoft 365 is, without a doubt, one of the most convenient and widely used packages of applications and services, with some of the most advanced security features available. Yet it must be configured properly to protect ePHI and meet HIPAA's regulatory standards. Communication Square provides industry-leading cloud healthcare solutions to meet your customized needs and get you HIPAA compliant.



About the Author

Farwah Aslam

Your routine healthcare physician and a technology enthusiast.
