Is Microsoft 365 HIPAA Compliant?

Office 365 HIPAA compliance is a pressing concern for an increasing number of healthcare companies. Microsoft’s robust cloud solution lets providers keep records and communicate with ease — but is it too easy? Can sensitive information really be protected if it’s stored in the cloud?

Cloud computing has been making inroads into the healthcare industry for several years. It offers numerous benefits as a strategy, enabling organizations and care providers to expand where and how they can use tech. By making it easier for providers to keep and reference patient records, even when they’re on the go, cloud computing improves and simplifies the patient experience.

This move to the cloud is positive for healthcare as a whole, but it places additional responsibility on compliance and security specialists. Fortunately, the task of finding HIPAA-compliant cloud software is becoming easier as more vendors and developers recognize the market demand. Many solution providers have now adapted their offerings to meet the HIPAA needs of healthcare organizations.

Microsoft 365, arguably the most widely used cloud service, is a standout example. It offers HIPAA compliance for all healthcare organizations that have and properly use a business associate agreement (BAA). In this article, you’ll learn more about what Microsoft has done to enable its 365 suite to meet HIPAA requirements and which aspects of data protection remain the responsibility of providers.

HIPAA BAA and Microsoft 365

The HIPAA compliance level of any cloud solution depends on the user organization’s BAA. One of the most convenient features of Microsoft 365 for the healthcare client is that it provides a BAA as a standard element of service.

What is a BAA?

A business associate agreement is a contract between a HIPAA-covered entity (such as a doctor’s office or hospital) and an associated business. As soon as any protected health information (PHI) gets uploaded to the cloud, both parties are automatically subject to HIPAA regulations. For that reason, you need to have a BAA in place with a cloud vendor before you implement any solution related to patient data.

How does Microsoft’s BAA work?

By default, Microsoft offers its BAA as part of its Online Services Terms to users who are covered entities or business associates as defined by HIPAA. The BAA covers Dynamics 365, Office 365 and some other cloud services.

If you’re considering Microsoft as a solution provider, review the BAA in detail to ensure that the covered services and terms of the BAA meet your needs. Microsoft does not modify its BAA by customer request, so the terms need to be sufficient as written.

Microsoft 365 Security Controls and HIPAA Requirements

To confirm that its security practices align with recommendations from HIPAA’s official publisher, the U.S. Department of Health and Human Services (HHS), Microsoft has undergone information security audits under the ISO 27001 standard. This standard evaluates multiple aspects of an organization’s IT security, including whether it follows HHS recommendations.

The results confirm that Office 365 includes all of the HIPAA security and privacy controls necessary for compliance. You can access these controls through the Microsoft 365 Compliance Center.

The Microsoft Compliance Center

The Microsoft Compliance Center gives customers access to the tools and information they need to manage compliance. It includes features like:

  • Your Compliance Score, a risk-based metric that measures progress toward risk reduction
  • An active alerts card, which lists your security notifications and points you toward more detailed information
  • A data classification section to help you properly organize important data
  • A reports section with information about third-party apps, shared files and more
  • A permissions section that lets you manage access within your organization
  • A solutions section with detailed information about your organization’s compliance strategies
  • A data loss protection tool to let you track sensitive information

The Compliance Center is a robust resource. It’s available to all Microsoft business customers, but some features, like advanced threat management, sensitivity labels for data classification and some DLP functionality, may not be available unless you have a top-level license.

Microsoft 365 Security Features for HIPAA

Microsoft provides many security features to help enterprises maintain compliance with specific regulations. Those particularly relevant to HIPAA are:

  • Least-privilege access: This feature limits the risk and impact of data breaches by granting elevated access to only those who require it.
  • Privacy Readers: Microsoft recommends that customers with a BAA should designate representatives as HIPAA Privacy Readers, which gives them access to Message Center notifications about possible breaches involving electronic protected healthcare information (ePHI).
  • End-to-end encryption: Microsoft encrypts all data when it is uploaded to or stored on the company’s servers. It is also encrypted when it is transferred outside of Microsoft facilities (encryption in transit); however, some information, including data in email subject lines and address fields, can’t be encrypted due to standard internet protocols. Therefore, Microsoft recommends that all users train personnel to never include ePHI in the To, From, or Subject lines of an email.
  • Data Loss Prevention: ePHI is protected from sharing to unauthorized viewers.
  • Multi-Factor Authentication: Users must provide information sent to another device or account before they are allowed to log in.
  • Audit logs: Administrators can view who has seen, opened, shared or trashed documents.
  • Data backups: This feature is required under HIPAA so that exact copies of ePHI can be restored when necessary.
  • Security configuration: Microsoft allows customers to change their security settings on many services covered by the BAA. For HIPAA compliance, the safest strategy may be to set the strictest possible parameters. Detailed configuration instructions are available in Microsoft’s HIPAA implementation guide.

How Microsoft Handles Security Breaches

Microsoft’s BAA states that should a security breach occur, the company will notify all of your account’s global admins and all users who have the Privacy Reader designation within 30 days.

Microsoft does not notify your customers of a breach. That responsibility falls to you under HIPAA, which requires all covered entities to notify affected individuals if a breach involves unsecured ePHI. Microsoft also doesn’t submit any required notifications to the Secretary of HHS or the media.

In the case of a breach of a potential ePHI repository, Microsoft is not responsible for scanning stored data to determine whether any ePHI has actually been compromised. You will receive notification that a breach has occurred. You then have to assess whether any ePHI has been compromised and what the degree of the impact is if any.

Office 365 HIPAA Compliance Configuration: Best Practices

Microsoft is very clear that, in the end, the responsibility for HIPAA compliance lies with the customer. The vendor recommends that all companies establish a set of procedures and policies to help their personnel use Office 365 in a way that supports compliance. Here are some of the most important steps to follow during the setup process.

1. Check service details.

  • Make sure that the products you plan to use are within the scope of Microsoft’s HIPAA Compliance Services.
  • Review the BAA to make sure that the included security and privacy practices meet your needs.

2. Set up access control procedures.

  • In your Microsoft 365 Message Center, specify your Privacy Readers.
  • Turn on access tracking for your administrators so you can see when they access user accounts.

3. Provide training on PHI exclusion.

  • Administrative personnel should not enter ePHI in any directories, address books or global address lists.
  • No personnel should share ePHI in troubleshooting or support conversations with Microsoft.
  • Users should not reference ePHI in any file names, email headers or publicly accessible SharePoint locations.
  • Users should not send ePHI by email except to explicitly authorized users.

4. Establish procedures for access review.

  • Regularly review user access to all ePHI storage repositories.
  • Regularly examine user access permissions, password changes and additions to shared resources.
  • Create a protocol for updating access rights in the event of personnel changes.
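As an added example (not Microsoft’s or Netwrix’s code) of the access-review step above, this Python script runs the checks the text describes over a constructed export of the Microsoft 365 unified audit log: per-user operation counts on an ePHI SharePoint site, with findings for deletions, anonymous sharing links and unusually high read counts. The site URL, user names, file names, read threshold and the assumption that the export is a JSON array of AuditData objects are all invented for illustration.

```python
import json
from collections import Counter, defaultdict

# Constructed example, not Microsoft's or Netwrix's code. Field names follow
# the AuditData JSON of the Microsoft 365 unified audit log; site URL, users
# and file names are invented.
EPHI_SITE = "https://contoso.sharepoint.com/sites/ePHI/"
READ_THRESHOLD = 3  # reads per user per review window; tune to your baseline
DESTRUCTIVE_OPS = {"FileDeleted"}
EXTERNAL_SHARING_OPS = {"AnonymousLinkCreated", "SharingSet"}

def _rec(time, op, user, name):
    return {"CreationTime": time, "Operation": op, "UserId": user,
            "SiteUrl": EPHI_SITE, "ObjectId": EPHI_SITE + "Shared Documents/" + name}

SAMPLE_AUDIT_JSON = json.dumps([  # constructed sample export
    _rec("2024-03-01T09:12:00", "FileAccessed", "nurse1@contoso.com", "patient-0001.pdf"),
    _rec("2024-03-01T09:13:00", "FileAccessed", "nurse1@contoso.com", "patient-0002.pdf"),
    _rec("2024-03-01T11:40:00", "FileAccessed", "contractor@contoso.com", "patient-0003.pdf"),
    _rec("2024-03-01T11:41:00", "FileAccessed", "contractor@contoso.com", "patient-0004.pdf"),
    _rec("2024-03-01T11:42:00", "FileAccessed", "contractor@contoso.com", "patient-0005.pdf"),
    _rec("2024-03-01T11:43:00", "FileAccessed", "contractor@contoso.com", "patient-0006.pdf"),
    _rec("2024-03-01T11:50:00", "AnonymousLinkCreated", "contractor@contoso.com", "patient-0006.pdf"),
    _rec("2024-03-02T08:05:00", "FileDeleted", "admin@contoso.com", "patient-0001.pdf"),
])

def load_records(raw_json):
    """Parse an exported audit log (assumed to be a JSON array of AuditData objects)."""
    return json.loads(raw_json)

def review_ephi_access(records, site_url=EPHI_SITE, read_threshold=READ_THRESHOLD):
    """Count operations per user on the ePHI site and list review findings.
    Returns (per_user_counts, findings); each finding is (user, reason, detail)."""
    per_user = defaultdict(Counter)
    findings = []
    for r in records:
        if not r.get("ObjectId", "").startswith(site_url):
            continue  # event touched some other site, not the ePHI repository
        user, op = r["UserId"], r["Operation"]
        per_user[user][op] += 1
        if op in DESTRUCTIVE_OPS:
            findings.append((user, "deleted ePHI document", r["ObjectId"]))
        elif op in EXTERNAL_SHARING_OPS:
            findings.append((user, "shared ePHI document outside the site", r["ObjectId"]))
    for user, ops in per_user.items():
        if ops["FileAccessed"] > read_threshold:
            findings.append((user, "unusually high number of reads", str(ops["FileAccessed"])))
    return {u: dict(c) for u, c in per_user.items()}, findings
```

Feed the output of the real audit log export in place of the constructed sample; the findings list is the starting point for the reviewer, not a verdict.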

How Netwrix Helps Microsoft 365 Customers

Complying with HIPAA is no small task, and adding compliance related to cloud services can tax the resources of even the most robust organization. Netwrix can take much of that load off of your shoulders with its solution for HIPAA compliance.

Know exactly where you store ePHI

The Netwrix solution can identify the specific OneDrive for Business repositories, Exchange Online mailboxes and SharePoint Online sites in your account that contain ePHI. This is the first step towards protecting that ePHI from inside and outside threats.

Reduce your attack surface area by minimizing permissions

The Netwrix solution can also help you make sure that you have the correct privileges in place. It can automatically identify and remove excessive permissions to sensitive data. It also simplifies the access review and privilege attestation process, thus improving your chances of passing compliance audits the first time around.

Identify and respond to threats

Thanks to detailed cross-system visibility, the Netwrix solution can spot red flags that could indicate insider threats, like failed access attempts, privilege escalation and unusually high numbers of reads, and detect signs of ransomware in progress. It enables you to easily drill deep into suspicious activities so you can block threats before they cause serious damage.

If there is a breach, whatever its source, Netwrix can help you determine the severity of the incident, enabling you to meet all requirements for notifying authorities and affected users.

Microsoft 365 and HIPAA Compliance FAQ

Are there any HIPAA concerns with using Office 365?

As long as you carefully review Microsoft’s BAA and understand the scope of its security and compliance protections, confirm that those protections meet your HIPAA compliance needs, and have all required security controls on your end, you should have few if any concerns about HIPAA compliance.

Office 365’s HIPAA protections are robust, but ultimately, compliance is your responsibility as the HIPAA covered entity.

Which Microsoft Office 365 plan is HIPAA compliant?

Microsoft offers its HIPAA compliance BAA to users of Office 365 Business, Office 365 US Government, and Office 365 US Government Defense. However, lower-level licenses of these services (Business Basic, Business Standard and Business Premium, for example) may not have all of the advanced security features you’ll want to use to maintain your compliance.

Microsoft recommends that users seeking HIPAA compliance enable top-level security protections. Some of these protections, including anti-phishing threat explorers and data loss prevention, are only available for holders of higher-tier Enterprise licenses.

Does having a BAA with Microsoft guarantee compliance with HIPAA and the HITECH Act?

No, a BAA doesn’t guarantee compliance. The BAA’s purpose is to clarify what compliance requirements are the responsibility of the HIPAA business associate. For example, if there is a breach in your Microsoft Office 365 account, Microsoft will notify you that it has occurred.

Under even the most robust BAA, you as the cloud service customer still have responsibilities for maintaining compliance. You need to establish and maintain an internal compliance program that addresses everything required of you as a HIPAA-covered organization. For example, you need to have internal policies, procedures and processes in place to ensure that your personnel act in a way that doesn’t violate HIPAA regulations.

Microsoft’s BAA helps you adhere to HIPAA principles when using the company’s services, but it won’t do everything for you. You still need to make sure that your team uses Office 365 in a way that aligns with each rule of HIPAA and the HITECH Act.

Product Evangelist at Netwrix Corporation, writer, and presenter. Ryan specializes in evangelizing cybersecurity and promoting the importance of visibility into IT changes and data access. As an author, Ryan focuses on IT security trends, surveys, and industry insights.