Yes, Microsoft Office 365 can be used as part of a secure HIPAA compliance program. Several Office 365 plans combine the Microsoft Office Suite products we all know and love with Microsoft’s cloud-based software as a service product line to provide an ideal solution for healthcare providers who require HIPAA compliant software.
But how can you be sure which plan to choose?
Once a service agreement with Microsoft is signed, can you be confident you are HIPAA compliant?
In this post, we explore differences between available Office 365 plans and features that can help position you for HIPAA compliance success.
Office 365 Plans that Support HIPAA Compliance
When you sign up for Office 365, pay close attention to the security and compliance features included with each plan. The Office 365 Home and Office 365 Personal plans can be ruled out because they only support basic, consumer-grade security features like sign-in activity logging, notifications of changes to your user account, two-step sign-in verification and trusted device lists. They are also not covered by Microsoft's business associate agreement.
For HIPAA compliance you need the more advanced security options available in the Office 365 Business and Microsoft 365 Business plans.
Is Microsoft Office 365 Business HIPAA Compliant?
There are two Office 365 Business plans available on Microsoft's website: Office 365 Business Essentials and Office 365 Business Premium. Both of these plans offer Office applications with collaboration services including email, calendars, contacts and Microsoft Teams. Microsoft provides a feature comparison chart on its website that summarizes the features available in these plans.
The security and compliance features included in Office 365 Business plans include:
- Protection from spam and malware for Exchange Online
- Advanced Outlook.com security
- Security groups and custom permissions that control which users have access to documents containing PHI
- Support for password policies and multi-factor authentication
- International, regional and industry-specific standards and terms, with more than 1,000 security and privacy controls
Specific instructions for tailoring these features to support your organization's HIPAA compliance program are beyond the scope of this article, but fortunately Microsoft provides documentation to get you started. Keep in mind that these features are not all enabled or configured for you: audit logging, access controls and retention settings have to be turned on and reviewed by your administrator. If you still have questions, the team here at Gazelle can work with you to make sure you are taking advantage of the features included with your plan.
Is Microsoft 365 Business HIPAA Compliant?
When you're ready to take your HIPAA compliance game to the next level, Microsoft 365 Business is ready and waiting. In addition to the baseline security and compliance features listed above for the Office 365 Business plans, the Microsoft 365 Business plan also includes:
- Advanced Threat Protection, which guards against sophisticated threats in email attachments and links, including zero-day exploits, ransomware and advanced malware
- The ability to remotely wipe company data from lost or stolen devices
- Mobile App Protection that restricts copying or saving of company information by unauthorized apps
- Information Rights Management to apply restrictions on documents, like “Do Not Copy” and “Do Not Forward”
- Pre-breach threat resistance for Windows 10 from Windows Defender Exploit Guard
- Malware protection to keep Windows 10 devices safe from viruses, spyware and other malicious software
- Long-term email archive preservation policies with Exchange Online Archiving
In addition to the resources listed above, Office 365 Business users have access to the Office 365 security roadmap, which lists Microsoft's suggested security priorities for your first 30 days, 90 days, and beyond.
There are so many security and compliance features available for Office 365 Business that it could take months to get everything set up. If you still need help prioritizing which features are most important for your organization, send Gazelle Consulting a message.
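A practical place to start is to verify, rather than assume, that the controls listed above are actually switched on in your tenant. The script below is an added example written for this post, not Microsoft's own documentation: it connects to Exchange Online with the ExchangeOnlineManagement module, confirms that mailbox auditing and unified audit log ingestion are enabled, lists the effective anti-malware and anti-spam policies for review, and turns on the in-place archive for any user mailbox that does not yet have one. The admin account name and tenant are placeholders, and it assumes the signed-in account holds the Exchange Administrator or Global Administrator role.

```powershell
# Added example (not from the original post): check and enforce a few baseline
# Exchange Online controls in an Office 365 / Microsoft 365 Business tenant.
# Assumes the ExchangeOnlineManagement module is installed and the account used
# to sign in holds the Exchange Administrator or Global Administrator role.
# The UPN below is a placeholder; replace it with your own admin account.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# 1. Audit controls: HIPAA expects a record of who accessed what. Make sure
#    mailbox auditing is not disabled at the organization level and that the
#    unified audit log is ingesting events, so the records exist when needed.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Host "Mailbox auditing was disabled at the org level; enabling it."
    Set-OrganizationConfig -AuditDisabled $false
}
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Host "Unified audit log ingestion was off; enabling it."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Spam and malware protection for Exchange Online: print the effective
#    policies so the actions (quarantine vs. delete) can be reviewed. Quarantine
#    preserves evidence for incident response; silent deletion does not.
Write-Host "`nAnti-malware policies:"
Get-MalwareFilterPolicy |
    Select-Object Name, Action, IsDefault |
    Format-Table -AutoSize
Write-Host "Anti-spam policies:"
Get-HostedContentFilterPolicy |
    Select-Object Name, SpamAction, HighConfidenceSpamAction, IsDefault |
    Format-Table -AutoSize

# 3. Exchange Online Archiving: enable the in-place archive for every user
#    mailbox that does not already have one, so retention policies have
#    somewhere to move mail instead of relying on users not to delete it.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.ArchiveStatus -ne 'Active' } |
    ForEach-Object {
        Write-Host "Enabling archive for $($_.DisplayName)"
        Enable-Mailbox -Identity $_.Identity -Archive
    }

# 4. Summary report: one row per mailbox showing archive state, the retention
#    policy applied, and whether per-mailbox auditing is on. Keep this output
#    with your compliance evidence.
Write-Host "`nMailbox summary:"
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object DisplayName, ArchiveStatus, RetentionPolicy, AuditEnabled |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run it from an elevated PowerShell session on a workstation that is itself managed under your policies, and keep the output with your other HIPAA documentation. Settings that are already correct are left alone; the script only changes audit and archive settings that are off, and only reports on the spam and malware policies so a human can decide whether the configured actions are appropriate.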
Will Microsoft Sign a Business Associate Agreement?
A copy of the Microsoft business associate agreement is available for download from Microsoft's licensing website, and it specifies that "Office 365 Services" are included in the scope of the agreement. Setting up your business associate agreement with Microsoft is as simple as agreeing to their terms of service. Note that the BAA covers Microsoft's obligations as a business associate; configuring and operating the service so that it meets the HIPAA Security Rule remains your responsibility.
Takeaways
- Microsoft Office 365 Business Essentials and Office 365 Business Premium can both be configured for HIPAA compliance; Microsoft 365 Business adds further protections
- Microsoft has a Business Associate Agreement available on their site, but signing it does not configure your tenant for you
- Check out our blog for more guidance on Choosing HIPAA Compliant Software
Do you want help in configuring your Office 365 security settings, or have other software questions? Gazelle Consulting can make HIPAA compliance feel like a delightful bound through a grassy savanna. Give us a call at (503) 389-5666 or email us at info@gazelleconsulting.org (no lions please!).