When it comes to HIPAA compliance, Microsoft Outlook requires careful consideration. Outlook.com is not HIPAA compliant and lacks the necessary security features and business associate agreements. On the other hand, Outlook in Microsoft 365 can be HIPAA compliant through proper configuration and adherence to security measures.
Healthcare organizations must secure the endpoint device, configure the Microsoft 365 tenant to HIPAA standards, protect the connection between the client and Microsoft's servers, and configure Outlook with the appropriate settings. Taken together, these steps allow healthcare providers to use Microsoft Outlook as a HIPAA compliant email solution.
Different forms of Microsoft Outlook
To determine the HIPAA compliance of Microsoft Outlook, it's important to consider the different forms in which it exists. Outlook is available in the following versions:
Outlook.com
Outlook.com is Microsoft's successor to hotmail.com, offering free consumer email accounts. It is not designed to handle protected health information (PHI) or electronic protected health information (ePHI), and Microsoft does not sign business associate agreements (BAAs) for Outlook.com accounts. That makes it unsuitable for covered entities seeking a HIPAA compliant email solution, regardless of how the account is configured.
Outlook in Microsoft 365
Outlook is included in the Microsoft 365 suite of services. Users with a Microsoft 365 subscription can access it through a web browser (Outlook on the web). When the tenant is properly configured and covered by a BAA, this web-based version of Outlook can be HIPAA compliant. The configuration steps are described below.
Outlook installed on a user's computer
The desktop version of Outlook installed on a user's computer can also be used for email communication. Like Outlook on the web, it can be HIPAA compliant when it connects to a properly configured Microsoft 365 tenant. Because the desktop client keeps a local cache of mailbox data on the machine, the device itself must also be secured (disk encryption, screen lock, and access controls), not just the account.
See more: Why Google Workspace and Microsoft 365 aren't enough for complete HIPAA compliance
Steps to creating a HIPAA compliant Microsoft 365 account
Choose a HIPAA compliant Microsoft 365 version
- Microsoft's BAA covers its enterprise and government cloud offerings, not consumer or personal plans.
- Eligible offerings include Microsoft 365 (Commercial), Microsoft 365 GCC, Microsoft 365 GCC High, and Microsoft 365 DoD. The government variants add US government-specific controls and data handling requirements; they are not more "HIPAA compliant" than the commercial offering.
Sign a business associate agreement (BAA)
- A BAA is mandatory because Microsoft, as a business associate, will store and process protected health information (PHI) on the organization's behalf.
- The BAA outlines the responsibilities and obligations of Microsoft and the covered entity, including breach notification.
- Microsoft's BAA is incorporated into its Product Terms, so it applies to eligible customers without a separately negotiated contract. Confirm that the services you actually use (not only Exchange Online) are listed as covered.
Email configuration and encryption
- Review Microsoft's HIPAA implementation guidance for configuring Microsoft 365.
- Do not rely on defaults: enforce the settings that guidance calls for, such as multi-factor authentication, data loss prevention policies, and message encryption, and verify them in the admin center after rollout.
Encrypt all email by default
- Microsoft 365's built-in message encryption works transparently only when the recipient is also on Microsoft 365 or Outlook. Recipients on other email services typically receive a link and must authenticate to a web portal to read the message, which many patients and partners find confusing.
- To avoid this, route Microsoft 365 email through a HIPAA compliant email service like Paubox, which encrypts every outbound message by default.
- Using such a service keeps communication secure while sparing recipients the portal step.
Read also: Microsoft 365 versus Paubox: which is easier?
Microsoft’s recommendations
According to a post on the Microsoft Community forum (a community answer, not official Microsoft documentation), these are the steps to ensure HIPAA compliance:
- “Ensure that your Microsoft 365 subscription includes the necessary HIPAA compliance features. You can check this by logging in to your Microsoft 365 admin center and navigating to the Compliance Center.
- Configure the necessary security and compliance settings in the Compliance Center. This includes setting up data loss prevention policies, retention policies, and eDiscovery.
- Enable multi-factor authentication for all users in your organization to ensure that only authorized users can access sensitive data.
- Train your employees on HIPAA compliance best practices, including how to handle sensitive data and how to report security incidents.”
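The "Encrypt all email by default" step above and the DLP and MFA items in the Microsoft Community list are things an administrator actually configures in the tenant, not in the Outlook client. The following is an added example of that configuration in Exchange Online PowerShell; it is not code from the original article, from Microsoft, or from Paubox. It assumes the ExchangeOnlineManagement module is installed, that the caller holds the Exchange Administrator and Compliance Administrator roles, and that the tenant is licensed for Microsoft Purview Message Encryption and DLP. The rule and policy names, the admin account, and the partner domain are hypothetical.

```powershell
# Added example (not from the original article, Microsoft, or Paubox).
# Assumes: ExchangeOnlineManagement module installed; caller has Exchange Administrator
# and Compliance Administrator roles; tenant licensed for Purview Message Encryption and DLP.
# Rule/policy names, admin@contoso.example and partner-clinic.example are hypothetical.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # interactive sign-in (MFA prompt)

# 1. Encrypt every message that leaves the tenant.
#    "Encrypt" is the built-in encrypt-only template of Purview Message Encryption.
#    External recipients on non-Microsoft mail services receive a link to a web portal
#    instead of the message body, which is the compatibility caveat the article describes.
New-TransportRule -Name "HIPAA - encrypt all outbound mail" `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Priority 0

# 2. Transport encryption is separate from message encryption: refuse delivery to a
#    known partner domain unless the SMTP hop is protected by TLS.
New-TransportRule -Name "HIPAA - require TLS to partner" `
    -RecipientDomainIs "partner-clinic.example" `
    -RouteMessageOutboundRequireTls $true

# 3. Verify the rules exist, are enabled, and are ordered as intended.
Get-TransportRule | Where-Object { $_.Name -like "HIPAA -*" } |
    Format-Table Name, State, Priority, SentToScope

# 4. DLP: block mail carrying common PHI identifiers to external recipients and tell
#    the sender why. Compliance cmdlets require a separate Security & Compliance session.
Connect-IPPSSession -UserPrincipalName admin@contoso.example

New-DlpCompliancePolicy -Name "HIPAA - PHI in email" `
    -ExchangeLocation All `
    -Mode Enable          # use TestWithNotifications first to measure false positives

New-DlpComplianceRule -Name "HIPAA - block external PHI" `
    -Policy "HIPAA - PHI in email" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "International Classification of Diseases (ICD-10-CM)"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner
```

Run the DLP policy in TestWithNotifications mode for a few weeks before switching to Enable; clinical staff legitimately send diagnosis codes to payers, and a blocking rule tuned on day one will generate helpdesk tickets. The transport rule in step 1 is also the source of the recipient-side friction discussed above, so decide deliberately whether portal-based encryption or a transparent third-party gateway fits your recipients better.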
Microsoft 365 security measures
Data encryption
Safeguards data both at rest and in transit: information stored in Microsoft 365 data centers is encrypted at the storage and service layers, and connections between client devices and Microsoft servers are protected with TLS.
Access controls
Role-based permissions, Conditional Access policies, and multi-factor authentication limit access to Protected Health Information (PHI) to authorized identities on trusted devices.
Threat protection
Microsoft Defender for Office 365 filters malware, phishing messages, and malicious links and attachments before they reach user mailboxes.
Compliance tools
Provides a range of compliance tools, such as Data Loss Prevention (DLP) policies and eDiscovery, to prevent inadvertent data disclosure and facilitate legal and regulatory compliance.
Mobile device management (MDM)
Microsoft Intune can enforce device encryption, PIN or biometric locks, app protection policies, and remote wipe on mobile devices that access PHI, so a lost phone does not become a reportable breach.
Data residency and sovereignty
Enables customers to select the geographic location for storing their data, aiding organizations in adhering to specific data residency and sovereignty requirements in their region or country.
Read also: 4 steps for building an email security strategy for healthcare organizations
Why choose Paubox instead
Microsoft 365 is not inherently HIPAA compliant, but by following these steps, you can configure it to meet HIPAA standards. Note the complexity of ensuring email compliance, which can be simplified and assured by integrating a third-party service like Paubox. This provides a seamless and secure HIPAA compliant communication process for your organization.
Paubox Email Suite gives healthcare organizations a HIPAA compliant path for their email communication. Paubox encrypts all outbound email by default, so sensitive information is protected without the sender deciding message by message.
Paubox integrates with business email clients, including Outlook, and recipients read messages in their normal inbox rather than a portal. No setting changes in Outlook are required.
FAQS
What is a business associate agreement?
A business associate agreement (BAA) is a legally binding contract between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and a business associate that handles protected health information (PHI) on its behalf. Its purpose is to ensure that PHI is protected as HIPAA regulations require.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).
HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.
Who does HIPAA apply to?
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.