September 12th, 2018

Is Microsoft Email HIPAA Compliant?

To be HIPAA compliant, a healthcare organization needs to ensure that every party that has access to its protected health information (PHI) signs a Business Associate Agreement (BAA). The BAA protects data security by requiring all parties involved to share and use the data only within the HIPAA guidelines. If you are a healthcare organization or a health insurance company and you use a third-party email service provider, that provider must sign a BAA.

There are several other requirements an email provider must meet to support HIPAA compliance, and the companies that use these services need to confirm that the requirements are actually met. Any company that does not keep track of how its service providers handle PHI risks violating HIPAA.


Is Microsoft Outlook Online safe to use for HIPAA?

We first have to look at which version of Microsoft Outlook is being used. The free consumer email service is not HIPAA compliant: Microsoft does not sign a BAA for it, so it does not meet the HIPAA guidelines and is not recommended for healthcare organizations or health insurance providers.

The online version of Outlook that is part of some Microsoft Office 365 plans, however, can be made HIPAA compliant. Note that not all Office 365 packages qualify, so verify that the package you are purchasing is covered by Microsoft's BAA before you invest in the service.

It is possible to obtain a BAA from Microsoft for Office 365 Outlook, which is the first step toward a HIPAA-compliant service. It is only the first step, though: Office 365 Outlook needs additional layers of security before it meets the HIPAA rules.

It is commonly said that no email service provider or cloud storage service is 100% HIPAA compliant on its own, because compliance depends on how the service is configured and used. It is still important to maintain the strongest security posture you can, and any errors that occur need to be corrected as soon as possible.

The main places where email data can be compromised are:

  • The sender’s machine.
  • The sender’s email service servers.
  • The receiver’s email service servers.
  • The receiver’s machine.

To be HIPAA compliant, Office 365 Outlook has to protect the data on the sender's side; it also helps if you can proactively secure the email on the recipient's side, for example by encrypting the message itself rather than relying only on the transport between servers.

How can Microsoft Office 365 Outlook be made HIPAA compliant?

There are two ways Office 365 Outlook can be made HIPAA compliant. The first is to buy Office Message Encryption from Microsoft, which is intended to close the gaps along the chain of message delivery. The encryption then has to be configured on your systems before it can be used.

There are a few drawbacks to Office Message Encryption. The person configuring it needs to be familiar with how it works, as the process is not easy. It is also costly to purchase, and it may not meet a company's specific requirements or security needs.

The second way to make Outlook HIPAA compliant is to purchase a third-party service to handle the email encryption for you.

Third-party encryption services

When you use a third-party email encryption service, you configure Office 365 Outlook to send all outbound email from Microsoft to the third party over TLS (Transport Layer Security), which protects the message on that hop, for encryption and subsequent delivery to the recipients. Note that TLS on this hop only protects the connection between Microsoft and the provider; it should be configured to validate the provider's certificate, and the provider's own encryption handles the rest of the path. Third parties often provide more flexible and/or more secure email encryption options than Office Message Encryption.
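The outbound routing described above, as an added example that is not part of the original post and not LuxSci's or Microsoft's own documentation. It uses Exchange Online PowerShell to create the outbound connector that sends all external mail to an encryption smart host, and shows the weak TLS setting beside the hardened one. The smart host name and connector name are placeholders, not real LuxSci hosts.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement module.
# The smart host and connector names below are assumed placeholders.
Connect-ExchangeOnline

$smartHost = 'smtp-relay.encryption-provider.example'   # placeholder: your provider's smart host
$name      = 'Outbound to encryption provider'          # arbitrary connector name

# Weak setting: TLS is required, but the smart host's certificate is not checked
# against its name, so anyone who can intercept the hop and present any certificate
# could read PHI in transit.
#
# New-OutboundConnector -Name $name -ConnectorType Partner -UseMXRecord $false `
#     -SmartHosts $smartHost -RecipientDomains '*' -TlsSettings EncryptionOnly

# Hardened setting: require TLS and verify that the certificate presented by the
# smart host matches the expected name (DomainValidation + TlsDomain).
New-OutboundConnector -Name $name `
    -ConnectorType Partner `
    -UseMXRecord $false `
    -SmartHosts $smartHost `
    -RecipientDomains '*' `
    -TlsSettings DomainValidation `
    -TlsDomain $smartHost `
    -Enabled $true

# Check: the connector should be enabled, point at the smart host, cover all
# recipient domains, and enforce TLS with certificate name validation.
Get-OutboundConnector -Identity $name |
    Format-List Name, Enabled, ConnectorType, SmartHosts, RecipientDomains, TlsSettings, TlsDomain
```

Run the check after any change to mail flow; a connector that has drifted back to EncryptionOnly, or that has been disabled, silently removes the protection on the Microsoft-to-provider hop while mail keeps flowing.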

How does LuxSci work with Office 365 Outlook?

The main advantage of using an encryption service like LuxSci is that all messages are encrypted by default unless a policy says otherwise, and the encryption services are extremely flexible: they can be tuned to meet your specific business needs. LuxSci also provides dedicated server environments, white label branding, and other advanced features not offered by Microsoft.

To summarize

Microsoft has two products called Outlook, which can confuse users. The first is a free consumer email service for which Microsoft does not sign a BAA, and a BAA is required for HIPAA compliance. This service is not advisable for use where PHI is involved, and Microsoft email sent through it is not HIPAA compliant.

The second product is the email service that is part of the Microsoft Office 365 suite. This is a paid service and can be HIPAA compliant. However, signing the BAA alone does not make it so. The organization using the service needs to put security measures in place to protect PHI; in particular, email encryption needs to be purchased and properly configured, and the organization's staff needs to be trained on the proper use of the encryption system.

Hiring a third party company like LuxSci helps organizations meet the security requirements of HIPAA. LuxSci encrypts outgoing email to ensure that it is secure. Using Office 365 Outlook in combination with LuxSci’s services is the best option for a company that is invested in using Microsoft products to have a HIPAA-compliant email service.

Want to discuss how LuxSci’s HIPAA-Compliant Email Solutions can help your organization?  Interested in more information about “smart hosting” your email from Microsoft to LuxSci for HIPAA compliance? Contact Us
