Is Office 365 HIPAA Compliant?
Microsoft Office 365 is a productivity suite we all know and love. With the help of O365, all businesses – not just HIPAA-covered healthcare providers – have transformed the way they take on and complete administrative tasks, and this has benefited them time and time again.
As O365 has become an essential aspect of almost every business, the question remains: is Office 365 HIPAA compliant?
So, Is It a ‘Yes’ Or a ‘No’?
It’s a yes! But as with everything these days, it’s not just a simple ‘yes’ whereby you can expect to install the suite and then wash your hands of any future HIPAA responsibility. As a managed service provider, we’re here to lay out the ins and outs of the situation.
The Ins and Outs of Office 365 HIPAA Compliance
Office 365 is a HIPAA-compliant product – but only with a signed business associate agreement (BAA) and correct product usage. The BAA is a standard requirement of HIPAA compliance, and Microsoft offers this by default to its subscription customers that are covered entities or business associates.
A BAA must be obtained before Office 365 is used to share, store, or maintain protected health information (PHI). The use of Office 365, though, does not automatically make your business HIPAA compliant.
As a covered entity, you are required to check and correctly configure access controls, turn on administrative tracking features, and ensure that your staff is trained to use Office 365 correctly and in compliance with HIPAA standards.
Know How to Use It
Making sure Office 365 HIPAA compliance is in effect depends entirely on how you use the product, and there are a few things you should be aware of when ensuring your Office 365 software is HIPAA compliant.
While Microsoft provides end-to-end encryption for data stored on or uploaded to its cloud servers and for data transmitted beyond its servers, it does not encrypt everything.
For instance, file names, email subject lines, and message headers are not encrypted, so employees must be made aware that these fields should never contain PHI.
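As an added illustration that is not part of the original article, the Python check below flags PHI-like values only in the fields named above (file name, subject line, message headers) and deliberately ignores the message body, which falls under the encryption the article describes. The sample messages and the identifier patterns are constructed for this example.

```python
import re

# Fields that Office 365 leaves outside its encryption, per the article:
# file names, e-mail subject lines and message headers. The body is not scanned.
UNENCRYPTED_FIELDS = ("file_name", "subject", "headers")

# Simplified PHI indicators (constructed): an SSN-like number, a medical record
# number tag and a date of birth. A real deployment would use its own formats.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.IGNORECASE),
    "dob": re.compile(r"DOB[_:\s-]*\d{1,2}[/-]\d{1,2}[/-]\d{2,4}", re.IGNORECASE),
}


def scan_message(message: dict) -> list[tuple[str, str]]:
    """Return (field, pattern_name) pairs for every PHI-like match found in a
    field that Office 365 stores or transmits without encryption."""
    findings = []
    for name in UNENCRYPTED_FIELDS:
        value = message.get(name, "")
        # Headers arrive as a mapping; flatten them so each header line is checked.
        if isinstance(value, dict):
            value = "\n".join(f"{k}: {v}" for k, v in value.items())
        for pattern_name, pattern in PHI_PATTERNS.items():
            if pattern.search(value):
                findings.append((name, pattern_name))
    return findings


# Constructed sample messages: the first keeps PHI in the (encrypted) body only,
# the second leaks it through the subject, an attachment name and a header.
SAMPLES = [
    {"subject": "Follow-up appointment", "file_name": "visit-summary.pdf",
     "headers": {"X-Ref": "ticket 4471"},
     "body": "Patient SSN 123-45-6789, MRN 00012345"},
    {"subject": "Labs for MRN 00012345", "file_name": "smith_dob_03-14-1979.pdf",
     "headers": {"X-Patient": "SSN 123-45-6789"},
     "body": "See attached."},
]


def main():
    for i, msg in enumerate(SAMPLES, 1):
        hits = scan_message(msg)
        print(f"message {i}: {'OK' if not hits else hits}")


if __name__ == "__main__":
    main()
```

Run as a pre-send or pre-upload hook, the first sample passes and the second is blocked for three separate leaks, one per unencrypted field.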
Know Who Has Access
To comply with HIPAA, all organizations must also have a documented access management plan and be able to maintain a log of the employees’ activities. Access management requirements are vast and can include everything from restricting or monitoring the use of devices like smartphones and tablets to ensuring that employees do not share sensitive information over unsecured networks.
As part of Microsoft’s commitment to boosting tech security, it has implemented an auditing option for Office 365. This new feature gives users the ability to create logs that are available upon request.
By limiting what can be seen, the auditing feature is meant to curb any potential risks.
Back Up, Back Up, Back Up
One of the most crucial aspects of your business is the PHI that it generates, which is why HIPAA compliance requires comprehensive offsite backup protocols. Microsoft does what it can to ensure its services remain up and running, but, unfortunately, online services are always subject to disruptions and outages.
Microsoft is not responsible for data loss, so you must implement regular offsite backups of content and data stored on Microsoft Services or third-party apps or services.
Get on Board With 2FA
Two-factor authentication (2FA; also called multifactor authentication, or MFA) is a must. Microsoft’s BAA coverage is only in effect if 2FA is enabled. 2FA adds another layer of data protection by requiring a user’s identity to be verified in more than one way before access is granted.
Office 365 HIPAA Compliance Is Not as Easy as You Think
There are a lot of areas to consider when you’re on the road to HIPAA compliance. It’s complicated, but there are ways that you can make it less so, and Merit Technologies can help.
As a HIPAA-verified managed service provider, we can help your organization achieve its HIPAA compliance goals.