We have been getting quite a bit of questions from prospective customers about Outlook.com and whether or not it’s a HIPAA compliant email platform. In previous posts, we’ve covered email providers like Gmail, Yahoo, GoDaddy, IPOWER and HostGator and their capabilities for HIPAA compliant email. The purpose of this post is to determine if Outlook.com is HIPAA compliant or not.
What is the Difference between Outlook.com and Hotmail?
Hotmail was founded in 1996 as one of the world's first free webmail services. It was acquired by Microsoft in 1997 and was soon rebranded as MSN Hotmail. It was later relaunched to Windows Live Hotmail as part of the Windows Live suite of products. In 2013, Hotmail was replaced with Outlook.com, which features Microsoft's Metro design language, and closely mimicked the interface of Microsoft Outlook. Outlook.com is not the same product as Office 365.
Is Outlook.com HIPAA Compliant?
As you're aware by now if you've been reading our blog, a Business Associate Agreement is a written contract between a covered entity and a Business Associate and is required for HIPAA compliance. Since every HIPAA compliant vendor must sign a Business Associate Agreement with the Covered Entities they serve, we can google to see if Microsoft offers a BAA for their Outlook.com service. If you've ever tried to find information about a product on Microsoft's websites however, you know how frustrating finding relevant information can be. First, we found a 2013 press release by Microsoft about their updated Business Associate Agreement provisions. In it, they mention, "Microsoft’s updated BAA covers Office 365, Microsoft Dynamics CRM Online and Windows Azure Core Services." We see then, that some of Microsoft's services are covered by a Business Associate Agreement and therefore meet HIPAA compliance standards.
What was not mentioned in that press release however, was any mention of Outlook.com and HIPAA compliance. Second, we found a page on Microsoft's site entitled "Office 365 & Microsoft Dynamics CRM Online HIPAA/HITECH frequently asked questions." Here again we see a reference that some, but not all, Microsoft products are built for HIPAA compliance: "Office 365 and Microsoft Dynamics CRM Online help their customers stay compliant with HIPAA and the HITECH Act." Office 365 and Microsoft Dynamics CRM are mentioned as being HIPAA compliant, but not Outlook.com. Third, we found a reference to Outlook.com and HIPAA compliance on a Microsoft Community forum. In it, someone in 2013 asks the question, "Is outlook.com HIPAA Compliant?" Seven months later, a Microsoft Forum Moderator replies to the question with: We understand that you would like to verify if Outlook.com complies with HIPAA. Since Outlook.com is a consumer service, it is not a HIPAA complaint. If you wish to use it with HIPAA compliance requirements, please consider Microsoft Office 365.
Conclusion:
Although Microsoft puts a lot of marketing spin on their website, don't be confused- Outlook.com is not a HIPAA compliant service. Microsoft does not mention Outlook.com being HIPAA compliant in their press releases, their HIPAA FAQ section, nor in their support forums.
Subscribe to Paubox Weekly
Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.