Last week we wrote about Microsoft 365 and its ability to provide HIPAA-compliant email.
Our original research in 2017 concluded that Microsoft 365 can be configured to be HIPAA compliant. Our latest research found that an expanded set of Microsoft 365 services is now in scope for the Microsoft business associate agreement (BAA).
This post answers the next question: how do I actually go about getting a BAA signed with Microsoft?
As a recap, the Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that protects the privacy of individuals' identifiable health information, otherwise known as protected health information (PHI).
As we've previously discussed, HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of those covered entities: entities that create, receive, maintain, or transmit PHI while performing certain functions or activities on behalf of the covered entity.
A business associate agreement (BAA) is a written contract between a covered entity and a business associate. HIPAA requires one to be in place before the covered entity discloses PHI to the business associate, so it is a prerequisite for compliant use of a cloud service such as Microsoft 365.
Complete information on the Microsoft business associate agreement can be found here: Health Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Economic and Clinical Health (HITECH) Act. The page outlines each Microsoft product that is considered in scope for the Microsoft BAA.
The actual Microsoft BAA can be accessed through the Microsoft Service Trust Portal (login required).
There are no additional steps to take to obtain a BAA with Microsoft; it applies by default. In Microsoft's words:
"The Microsoft HIPAA Business Associate Agreement is available through the Microsoft Online Services Data Protection Addendum by default to all customers who are covered entities or business associates under HIPAA."
Note that Microsoft will not sign or use a customer-supplied business associate agreement in place of its own; the Microsoft BAA terms in the Data Protection Addendum are the ones that apply.
In short, no additional steps are needed to obtain a business associate agreement with Microsoft. Be aware that: