The way to make Microsoft 365 HIPAA compliant so it can be used to create, receive, store, or transmit Protected Health Information is to subscribe to a plan that supports HIPAA compliance and configure each product or service within the plan to mitigate the risks of reasonably anticipated threats and impermissible disclosures.
Microsoft 365 is a collection of cloud-based products and services that can be used together or independently of each other to improve productivity, collaboration, and communication. The products and services are packaged together in a number of different Microsoft 365 plans to meet the needs of different size organizations with different requirements.
When a Microsoft 365 plan is used by a healthcare provider or health insurance company covered by the Health Insurance Portability and Accountability Act (HIPAA), the products and services must support the organization’s HIPAA compliance efforts if they are going to be used to create, receive, store, or transmit Protected Health Information (PHI).
This means it must be possible to configure the products and services to support safeguards such as access controls, incident reporting, and encryption. Support for additional safeguards may also be required depending on state and local regulations that preempt HIPAA, or depending on threats to data privacy and security identified in a risk assessment.
Not All Microsoft 365 Plans Support HIPAA Compliance
Not all Microsoft 365 plans support HIPAA compliance. Of those that do, none are compliant by default. In order to make qualifying plans HIPAA compliant, organizations must enter into a Business Associate Agreement with Microsoft, configure the products and services to support compliance, and train members of the workforce to use the products and services compliantly.
However, before doing any of this, it is necessary to identify which plan – and add-ons where appropriate – is best suited to an organization’s requirements. The way to do this is to conduct a risk assessment to identify reasonably anticipated threats to the confidentiality, integrity, and availability of PHI and the potential for impermissible disclosures of PHI.
The outcome of the risk assessment will enable healthcare providers and health insurance companies to select the most suitable plan. Provided the organization identifies itself as a HIPAA covered entity or business associate when signing the plan’s Service Agreement, a Business Associate Agreement with Microsoft is executed automatically.
Making Microsoft 365 HIPAA Compliant
The next stage of making Microsoft 365 HIPAA compliant is to configure the products and services to support compliance with the applicable safeguards of the Security Rule. Some of the safeguards (i.e., many of the Physical Safeguards) are already covered by Microsoft, but it will be necessary for each organization to establish which other safeguards apply.
Establishing which other safeguards apply may depend on what other security measures already exist. For example, if workplace and workforce devices already have automatic logoff capabilities enabled, it will not be necessary to configure the Idle Session Timeout controls in Microsoft 365 to satisfy this particular Technical Safeguard.
System administrators who require help configuring the products and services to make Microsoft 365 HIPAA compliant should refer to the Microsoft 365 Admin Center. Once the configuration process is completed, it is advisable to check for gaps in compliance efforts and policy oversights by running assessments in the Purview Compliance Manager.
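As an added example (not code from the original article, and not a Microsoft-supplied script), the following PowerShell audits the per-workload idle sign-out settings that back an automatic logoff safeguard, and applies a consistent timeout only when run with -Apply. It assumes the SharePoint Online Management Shell and ExchangeOnlineManagement modules are installed, that the account holds the SharePoint and Exchange administrator roles, and that the `<tenant>` placeholder is replaced with the real tenant name; the 30-minute and 25-minute values are constructed defaults and should be replaced with the period chosen in the organization's risk assessment. The tenant-wide Idle session timeout setting in the Microsoft 365 admin center is a separate control that this script does not read or change.

```powershell
# Added example, not part of the original article.
# Audits (and with -Apply, sets) the idle sign-out controls exposed through
# the SharePoint Online and Exchange Online PowerShell modules.
param(
    [string]$TenantName = "<tenant>",   # placeholder: replace with the tenant name
    [int]$SignOutAfterMinutes = 30,     # constructed default; use the period from the risk assessment
    [int]$WarnAfterMinutes = 25,        # constructed default; warning shown before sign-out
    [switch]$Apply                      # without -Apply the script only reports gaps
)

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Import-Module ExchangeOnlineManagement -ErrorAction Stop

Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Connect-ExchangeOnline -ShowBanner:$false

function Report([string]$Control, [bool]$Enabled, [TimeSpan]$Interval, [bool]$Ok) {
    $state = if ($Ok) { "OK" } else { "GAP" }
    Write-Host ("{0}: Enabled={1} Interval={2} -> {3}" -f $Control, $Enabled, $Interval, $state)
}

# --- SharePoint Online / OneDrive browser idle sign-out ---
$spo = Get-SPOBrowserIdleSignOut
$spoInterval = [TimeSpan]$spo.SignOutAfter
$spoOk = $spo.Enabled -and ($spoInterval.TotalMinutes -le $SignOutAfterMinutes)
Report "SharePoint browser idle sign-out" $spo.Enabled $spoInterval $spoOk

if (-not $spoOk -and $Apply) {
    Set-SPOBrowserIdleSignOut -Enabled $true `
        -WarnAfter (New-TimeSpan -Minutes $WarnAfterMinutes) `
        -SignOutAfter (New-TimeSpan -Minutes $SignOutAfterMinutes)
    Write-Host "SharePoint browser idle sign-out configured."
}

# --- Exchange Online / Outlook on the web activity-based timeout ---
$exo = Get-OrganizationConfig
$exoInterval = [TimeSpan]$exo.ActivityBasedAuthenticationTimeoutInterval
$exoOk = $exo.ActivityBasedAuthenticationTimeoutEnabled -and `
         ($exoInterval.TotalMinutes -le $SignOutAfterMinutes)
Report "Outlook on the web activity timeout" $exo.ActivityBasedAuthenticationTimeoutEnabled $exoInterval $exoOk

if (-not $exoOk -and $Apply) {
    # The interval parameter takes an hh:mm:ss string; TimeSpan.ToString() yields that form.
    Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutEnabled $true `
        -ActivityBasedAuthenticationTimeoutInterval ([TimeSpan]::FromMinutes($SignOutAfterMinutes).ToString())
    Write-Host "Outlook on the web activity timeout configured."
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-SPOService
```

Run it once without -Apply to record the current state for the risk assessment file, then again with -Apply only if the assessment concluded that device-level automatic logoff is not already in place. Keeping the audit and the change in one script means the "before" and "after" values are logged in the same run, which is the evidence a reviewer will ask for later.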
Using Microsoft Products and Services Compliantly
Subscribing to a HIPAA compliant Microsoft 365 plan, entering into a Business Associate Agreement with Microsoft, and configuring the products and services to support compliance may make Microsoft 365 HIPAA compliant, but it is also important that the products and services are used compliantly by members of the workforce.
This does not necessarily mean providing HIPAA training on how to send an email. Depending on the workforce’s existing level of HIPAA knowledge, it may mean providing refresher training on uses and disclosures of PHI, when the minimum necessary standard applies, and reminding members of the workforce not to include PHI in file names or email metadata.
Organizations unsure about what Microsoft plan is most suitable for their needs or how to train members of the workforce to use Microsoft products and services compliantly are advised to seek advice from a compliance professional. Organizations requiring further help to make Microsoft 365 HIPAA compliant are advised to reach out to Microsoft support.