Is Microsoft Outlook HIPAA Compliant?

Although Microsoft has developed a number of products to meet the needs of businesses in regulated industries, not all of them are HIPAA compliant. Is Microsoft Outlook HIPAA compliant? That depends on the version of Outlook used, how it is configured, and the content of the Business Associate Agreement supporting the service.

As HIPAA is technology neutral, it makes no recommendations about what software can be used or how it should be configured. What the HIPAA regulations do stipulate is that any software used to create, maintain or transmit Protected Health Information (PHI) must satisfy the administrative, technical and physical safeguards of the Security Rule.

Furthermore, by providing a service to a HIPAA Covered Entity in which its systems have access to PHI, Microsoft automatically becomes a Business Associate. Therefore, before using any of Microsoft's products or services to create, maintain or transmit PHI, a Covered Entity must sign a Business Associate Agreement with Microsoft.

Is Microsoft Outlook HIPAA Compliant?

This depends on which version of the software is used. The standard Outlook software is targeted at consumers and is not suitable for communicating PHI. By comparison, the Outlook software packaged into Office 365 for Business can be HIPAA compliant if it is supported by an E3 or E5 Enterprise Agreement, Microsoft Exchange Online Protection and a Business Associate Agreement.

The reason an E3 or E5 Enterprise Agreement is necessary is that Office 365 for Business alone does not maintain audit logs, a feature that HIPAA requires but that Microsoft only makes available at a premium. Microsoft Exchange Online Protection provides many other features that support HIPAA compliance, such as encryption, data loss prevention, and the facility to remotely remove data from mobile devices.

Not only do these features have to be enabled for the enterprise version of Microsoft Outlook to be HIPAA compliant, but the software also has to be configured for access controls, single sign-on, data backups and two-factor authentication. Thereafter, end users must be trained on how the software is set up and how it should be used compliantly.
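Enabling a feature and verifying that it is actually enabled are two different things, and an auditor will ask for the latter. The following Exchange Online PowerShell script is an added example written for this article, not Microsoft documentation or code from the original page. It checks the audit logging controls the previous paragraphs describe: that unified audit log ingestion is switched on for the tenant, that mailbox auditing has not been disabled organization-wide, which user mailboxes have auditing turned off or a short retention window, and that the unified audit log is actually receiving mailbox events. The administrator account name is hypothetical, the 90-day retention threshold is an assumed internal policy value rather than a figure HIPAA itself specifies, and the script requires the ExchangeOnlineManagement module and an account holding an Exchange administrator role.

```powershell
# Added example: verify Exchange Online audit logging controls before relying on them for HIPAA.
# Requires: Install-Module ExchangeOnlineManagement (run once), plus an Exchange admin account.
Import-Module ExchangeOnlineManagement

# Hypothetical admin account; replace with a real administrator UPN in your tenant.
Connect-ExchangeOnline -UserPrincipalName 'hipaa-admin@contoso.onmicrosoft.com'

# 1. Tenant-wide: is unified audit log ingestion enabled? If not, turn it on.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is OFF for this tenant; enabling it.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Output 'Unified audit log ingestion: enabled'
}

# 2. Organization-wide mailbox auditing. AuditDisabled = $true overrides every per-mailbox setting,
#    so a single flag can silently stop all mailbox audit records.
$orgCfg = Get-OrganizationConfig
if ($orgCfg.AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled at the organization level (AuditDisabled = True).'
} else {
    Write-Output 'Organization-level mailbox auditing: enabled'
}

# 3. Per-mailbox: report user mailboxes where auditing is explicitly off, or where the audit
#    retention window is shorter than the assumed internal minimum (90 days is a policy choice,
#    not a value taken from HIPAA). AuditLogAgeLimit may arrive as a string, so cast it.
$minimumRetention = [TimeSpan]::FromDays(90)
$weakMailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object {
        ($_.AuditEnabled -eq $false) -or
        ([TimeSpan]$_.AuditLogAgeLimit -lt $minimumRetention)
    } |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit

if ($weakMailboxes) {
    Write-Warning "Mailboxes with auditing off or retention below $($minimumRetention.Days) days:"
    $weakMailboxes | Format-Table -AutoSize
} else {
    Write-Output 'All user mailboxes have auditing enabled with sufficient retention.'
}

# 4. Evidence, not just configuration: confirm mailbox item events from the last 24 hours
#    are actually landing in the unified audit log. An empty result on a busy tenant
#    means the control is configured but not working.
$recentEvents = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -RecordType ExchangeItem -ResultSize 50
if (-not $recentEvents) {
    Write-Warning 'No ExchangeItem audit records found in the last 24 hours; investigate before trusting the log.'
} else {
    Write-Output "Sample of recent mailbox audit events ($($recentEvents.Count) shown):"
    $recentEvents | Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run this from an administrative workstation after the subscription and BAA are in place, and keep the output with the compliance records: the value of the check is that it produces dated evidence of the control's state, which is what the Security Rule's documentation requirements and any later breach investigation will call for.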

Check the Microsoft Outlook BAA Carefully

One further item to consider before deciding whether Microsoft Outlook is HIPAA compliant is Microsoft's Business Associate Agreement (BAA). Even if a Covered Entity has subscribed to an appropriate Enterprise Agreement and Microsoft Exchange Online Protection, not every product and service provided will be included in the BAA.

Covered Entities need to ensure that the products and services they wish to use to create, maintain or transmit PHI are covered by the BAA. They also need to be aware that having a BAA does not guarantee HIPAA compliance. As an answer given in Microsoft's community forum on whether Microsoft Outlook is HIPAA compliant states:

“By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Covered Entities and Business Associates unsure about using Microsoft products and services to create, maintain or transmit PHI in compliance with HIPAA should seek professional advice.