Microsoft Outlook and HIPAA Compliance

July 23, 2018


No software or email platform can be HIPAA compliant in itself, because compliance depends on how the software is used rather than on the software alone. Software and email services can, however, make it easier to comply with HIPAA. For that to happen, the software must include a range of security features so that any information uploaded to and transmitted through the service is handled securely, without exposing protected data.

To be considered compliant, the platform provider must sign a business associate agreement (BAA) with HIPAA-covered entities, stating that it will abide by the requirements of the HIPAA Privacy, Security, and Breach Notification Rules.

Microsoft has already made several of its services suitable for healthcare organizations by agreeing to sign a business associate agreement. Importantly for healthcare organizations, however, the BAA does not cover all of Microsoft’s software and services.

Outlook.com and Office 365 Outlook HIPAA Compliance

Outlook.com is a free, web-based email platform that looks similar to the Outlook product included in the Office 365 suite; it is, however, a different product. Outlook.com is a consumer product that was not designed with businesses in mind, so healthcare organizations should not use it, at least not for sharing ePHI.

Microsoft supports HIPAA compliance for its Office 365 range of applications and will sign a business associate agreement with healthcare organizations for the enterprise version of Office 365; to comply with HIPAA, however, it is important to buy the right package. An important part of HIPAA compliance is keeping audit logs, which are not available in Office 365 for Business. HIPAA compliance is only supported for some of the available plans, and all of the features needed for HIPAA compliance are only available in the Enterprise E3 and E5 subscriptions.

Office 365 and the related Microsoft Exchange Online service can be HIPAA compliant if covered by a BAA; however, care must be taken to configure these services correctly, and additional controls are required before Office 365 Outlook can be considered HIPAA compliant. Microsoft provides enterprise-grade encryption, Microsoft Exchange Online Protection, data loss prevention (DLP), and the ability to remotely erase data from mobile devices. Provided these features are used and applied correctly, access controls are configured, audit logs are retained, single sign-on and two-factor authentication are enabled, data backups are performed, and staff are trained on the use of email for sharing ePHI, Outlook can be HIPAA compliant. Simply signing a business associate agreement with Microsoft will not, by itself, ensure compliance with the HIPAA Rules.

Microsoft will sign a BAA but states openly that having a BAA does not in itself ensure compliance with the HIPAA Rules: “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own accomplish it. Your organization is responsible for making sure that you have a satisfactory compliance program and internal procedures in place, and that your specific use of Microsoft services aligns with HIPAA as well as the HITECH Act.”