Microsoft 365 is a product family of productivity software, collaboration, and cloud-based services owned by Microsoft. This allows you to access a variety of apps using just one account.
The answer to whether Microsoft 365 is HIPAA compliant is complex. The software can be HIPAA compliant, but only if specific steps are taken.
Microsoft 365 is a software package that gives you access to Word, Excel, PowerPoint, and Outlook apps. You can use your Outlook email address and password to access each. Different packages are available, from the free version to Office Enterprise and everything in between, each with its own features and benefits.
Microsoft offers specific subscription plans designed for HIPAA compliance, which include security and compliance features. These plans provide a solid foundation for building a HIPAA-compliant environment.
Because it handles and stores protected health information (PHI), Microsoft 365 is considered a business associate. As such, Microsoft must establish a business associate agreement (BAA) with each covered entity it serves. This agreement outlines the responsibilities and obligations of both Microsoft and the covered entity in the relationship.
Microsoft's website states that a BAA is "available through the Microsoft Online Services Data Protection Addendum by default to all customers who are covered entities or business associates under HIPAA."
Microsoft does offer some guidance on configuring Microsoft 365 to meet HIPAA requirements. Review the HIPAA implementation document provided by Microsoft and ensure that the necessary settings are in place.
Depending on the recipient's email setup, particularly when they use email clients or accounts that do not belong to Microsoft, encrypted emails sent from Microsoft 365 may run into compatibility issues. The recipient may then be unable to open the encrypted content or may have difficulty reading the message, which is a major inconvenience in communication.
That's why you should use a HIPAA compliant email service. Configure your Microsoft 365 email to route through a service, like Paubox, for encryption by default. This is the safest and most convenient way to ensure all email is HIPAA compliant.
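One way to implement the routing described above, as an added example that is not part of the original post and not Paubox's own setup instructions: an Exchange Online outbound connector that sends all mail leaving the organization to an external encryption gateway over TLS, plus a mail flow rule that binds outbound mail to that connector. The smart host name, connector name, and rule name are placeholders; replace them with the values your encryption provider gives you.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement module.
# Assumed/placeholder values: the gateway hostname and the connector and rule names.
Connect-ExchangeOnline

$GatewayHost   = "smarthost.example-encryption-gateway.invalid"   # placeholder, supplied by your provider
$ConnectorName = "Outbound to HIPAA encryption gateway"
$RuleName      = "Route all external mail through encryption gateway"

# 1. Outbound connector: force TLS to the gateway instead of delivering via MX lookup,
#    so every message leaving the tenant is handed to the encrypting service.
New-OutboundConnector -Name $ConnectorName `
    -ConnectorType Partner `
    -SmartHosts $GatewayHost `
    -UseMXRecord $false `
    -TlsSettings EncryptionOnly `
    -RecipientDomains "*" `
    -Enabled $true

# 2. Mail flow rule: any message from inside the organization to an outside recipient
#    is routed through the connector above. Scoping to external recipients keeps
#    internal mail on its normal path.
New-TransportRule -Name $RuleName `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -RouteMessageOutboundConnector $ConnectorName `
    -Mode Enforce

# 3. Verify the connector and rule are in place before sending PHI.
Get-OutboundConnector -Identity $ConnectorName | Format-List Name,SmartHosts,TlsSettings,Enabled
Get-TransportRule -Identity $RuleName | Format-List Name,State,RouteMessageOutboundConnector
```

Test the configuration with a non-PHI message to an external address first, and confirm in the gateway's logs that the message arrived there before it was delivered; an outbound connector that is disabled or mis-scoped silently falls back to ordinary delivery.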
Microsoft 365 is not inherently HIPAA compliant, but compliance is achievable by following several steps. Note that one deterrent to using Microsoft 365 is the complexity of ensuring your email is HIPAA compliant. A third-party service makes this process more manageable and gives greater assurance of your practice's HIPAA compliance.