Is Office365 HIPAA Compliant?

Office365 includes Microsoft's (Outlook) email service, packaged alongside its calendar, task management program and contacts manager. As the standard email service for many Windows users, it is only natural that those in healthcare often want to use it for their communications.

While Office365 is convenient, affordable and has some excellent security features, companies that process PHI should consider HIPAA before they dive in and use it. If your company processes PHI and outsources its email, you need to find a provider that meets the regulations. You will also need to configure it properly to ensure compliance with HIPAA.

Is Outlook with Office365 HIPAA-compliant?

The short answer is no, but it can be. While Office365 can become HIPAA compliant, using it "as purchased," even with a signed BAA, Office365 leaves your email sending non-compliant.

To achieve compliance, you first need a signed Business Associate Agreement with Microsoft. Then, there are two roads you can follow:

  1. Microsoft: Buy "Office Message Encryption" from Microsoft and then set it up carefully. This is a service that is difficult and costly to configure and use properly and does not provide much flexibility.
  2. Third-Party: But "Smart Hosting" from a third-party HIPAA-compliant email specialist (such as LuxSci). Configure your Office365 email to have your outbound email pass through LuxSci for encryption (and perhaps archival too) before being sent off to the final recipients. This is very easy to configure (4 steps) and provides you with a great deal of flexibility in how and when email will be encrypted.

To use LuxSci or smart host encryption of your Office 365 outbound email, you would:

  1. Sign up for a HIPAA-compliant Email Smart Hosting Account with LuxSci.
  2. Order services for the domain(s) you have set up in Office365 and for the same number of users that you have in Outlook 365
  3. Follow a simple 3-step setup process. Watch our step-by-step video setup tutorial.
    1. Setup your LuxSci account so that all of your users and domains are created. There needs to be a one-to-one relationship between users in LuxSci and users in Office365, for tracking, auditing, and authentication purposes.
    2. Flip a switch enabling your LuxSci account to accept email relayed from Office365
    3. Configure Office365 to send your outbound email to LuxSci.
  4. Done!

Office365, Email and HIPAA

The use of PHI is regulated under HIPAA to ensure that proper safeguards are taken to protect patient data. These rules don't always give strict specifications of what security and privacy measures are necessary, which can make HIPAA compliance a complicated prospect.

The Privacy and Security rules are purposely written this way to give businesses the freedom to come up with effective solutions for each individual situation. The regulators know that the appropriate safeguards vary from company to company, so hard and fast rules would not be effective or practical in many circumstances.

Some of the key aspects of HIPAA that affect email are described below. For more details, see HIPAA-compliant email basics.

How Does Office365 Stack Up When It Comes to Security?

Office365 was designed to be compatible with a range of different regulations, so it can be configured to meet the security requirements defined in HIPAA.

Microsoft offers multi-factor authentication for their users, which can help to prevent unauthorized access to your company's email. When someone tries to login to their account, they will need to acknowledge an app notification, phone call or text to their smart phone, in addition to entering their username and password. This means that an attacker would need to be in possession of the user's smart phone as well as their login details.

Microsoft also offers encryption for data in transit and at rest. They can encrypt data whenever it is outside of their facilities, however packet and message headers are not encrypted. Because of this, you need to train your employees not to put any PHI in the headers, otherwise you will be in breach of HIPAA.

Microsoft Office365 and Microsoft Dynamics CRM include features that can assist you with monitoring and auditing access. They can track when data has been accessed, whether it is by your own staff or by Microsoft personnel. It is important to review these reports frequently so that you can monitor for any suspicious activity.

Security Measures

While HIPAA doesn't state the exact measures that need to be taken, it stipulates that adequate safeguards need to be in place. Companies should conduct a risk analysis to determine their biggest threats. This gives them a starting point to implement the policy, technology and other defensive measures that will protect their PHI.

When it comes to HIPAA-compliant email, the most important aspects are protecting the integrity, privacy, and authenticity of the data. There must be procedures in place to verify that the person trying to access the PHI is who they claim they are. There are a range of solutions for this, but one of the most effective is access control with a user name and password, combined with two-factor authentication.

HIPAA also requires technical measures that prevent unauthorized access to PHI. Again, there are different ways to do this, but one of the most effective is to use TLS-based encryption when PHI is being transmitted. Sensitive patient data should also be encrypted in storage.

The regulations also state that there need to be mechanisms in place to record and monitor activity related to PHI. This can be done by auditing logins, login attempts, password changes and other access details. These logs should include the time and date, as well as the IP address of the user.

Email Encryption

The final step to making Outlook 365 compliant is to establish procedures that safeguard PHI. These include reviewing who accesses user accounts, whether anyone changes passwords, or if someone adds themselves to shared resources. Perhaps the biggest gap that needs to be filled is the requirement for email encryption services to protect messages sent from Outlook 365. Microsoft offers "Office 365 Message Encryption" which must be purchased separately as part of "Microsoft Azure Rights Management". This service costs $2.00/user/month above-and-beyond your regular Microsoft Office 365 licenses (which start at $8.25/user/month).

it is just as easy to use third-party HIPAA-compliant email service to secure your Outlook 365 outbound email. Indeed, most third-party encryption services provide many more options and much more flexibility with respect to how your messages are encrypted, compared to Office 365 Message Encryption. Additionally, Office 365 Message Encryption only encrypts outbound email when your users explicitly request it. This form of "opt in" email encryption is very risky in from a compliance point of view, as you are liable for any inadvertently breaches of disclosures of sensitive information that result from employee mistakes or lapses. See Opt-in email encryption is too risky for HIPAA compliance. We highly recommend choosing a solution, like LuxSci's, that flips this concept on its head, encrypting all messages unless told otherwise. This is much safer, from a corporate risk point of view, as mistakes or lapses are not likely to cause a breach.

  • Without "Office Message Encryption" or a third party relay, Microsoft only provides Opportunistic TLS for outbound email. This is not sufficient for HIPAA compliance.
  • With Office Message Encryption (OME):
    • Secure messages between Office365 OME users are delivered via TLS
    • Secure messages to everyone else are delivered via portal pickup
    • To configure TLS-Only delivery with special connectors. These must be configured manually for every recipient domain.
    • As most secure messages use portal pickup, this can be cumbersome for recipients.
    • Messages are never encrypted unless you setup specific mail flow rules based on keywords and those messages match those rules. This is very risky as there are many scenarios where messages that should be encrypted will not be.
    • There is no reporting on how messages were encrypted or on their delivery status.
  • With LuxSci for messages encryption:
    • All messages are encrypted by default. This reduces risk
    • You can setup rules to allow people to explicitly "opt out" of encryption as needed.
    • You can choose, based on your business needs, to:
      • Use TLS automatically and dynamically with all recipients that support it, falling back to portal pickup only when there is no choice, or
      • Use portal pickup in general and TLS with specific recipients.
      • LuxSci provides lots of reporting on how messages were encrypted or on their delivery status.
      • LuxSci also offers dedicated servers for increased security through isolation.
      • Configuration is easy with less risk of non-compliance

The Business Associate Agreement (BAA)

Under HIPAA, every party that touches PHI is responsible for keeping it safe. Because of this, covered entities must sign a BAA with any other organization that processes their PHI.

If your company outsources its email, you will need to sign an agreement with the provider to ensure that they are also taking adequate measures to protect the PHI. The BAA sets out how your company's PHI can be processed by the business associate. It also specifies the policies and safeguards that will be put in place to protect it.

Can You Sign a BAA for Office365?

Microsoft will sign a BAA with your company, but this alone does not make your email HIPAA compliant. Your company will still have its own responsibilities to meet if it wants to stay within the regulations. These include properly defining the way that Outlook configured, as well as how it is used.

Thankfully, Microsoft gives companies some guidance on how they can make Outlook 365 HIPAA-compliant. Their HIPAA/HITECH Implementation Guidance document even features a checklist at the end which tells companies what they need to do.

The steps include reviewing the BAA to determine whether Microsoft meets the privacy and security requirements of your company. If you deem it acceptable, you can sign the agreement.

From there, you need to orchestrate an effective access control system. Microsoft offers many tools to assist you, such as the Exchange Administrator Access Tracking and Microsoft Dynamics CRM Online.

To make sure that the PHI is being treated appropriately, Microsoft also recommends training for both administrators and users. Administrators need to be aware that they cannot allow access to PHI when they are troubleshooting, nor can they put it in the directory, address book or global address list information.

Users need to be taught that PHI cannot be placed in headers, public SharePoint sites or file names, because these practices expose it. They also need to be aware that they can only email PHI to those that have the right to view it.

Email Archival

Email archival is required for HIPAA compliance; however, Office365 does not come with archival unless you purchase Microsoft's separate "Exchange Online Archiving" service. Alternately, you can use a third-party email archival service which specializes in HIPAA compliance. There is a significant benefit, from a business continuity point of view, from using a company other than Office365 for your email archival.

Making the Most of Outlook 365

While Outlook 365 can be configured and used within HIPAA regulations, you can have an even better experience by combining it with LuxSci's smart host. Our smart hosting connects Outlook 365 to one of LuxSci's outbound servers, relaying your email through us before it reaches the internet.

This can give your email several key advantages. Smart hosting with LuxSci allows email archival, outbound email encryption, data loss prevention, and better sending IP-reputation. It is also super easy to configure them together. You just need a LuxSci email account for the same number of users as you have for Outlook.

All you have to do is enable smart hosting and your outbound email will flow through our servers. It's easy and offers a range of features that help with your security and HIPAA compliance. If you are sick of HIPAA-headaches, LuxSci can help you ease the burden.


White pagaer: Email encryption for Microsoft 365

Protecting sensitive data with LuxSci's Secure Connector

Created by Erik Kangas, PhD

Get the White Paper

LuxSci has been a pleasure to work with. The level of support we've received from them has been top-notch. From the smallest user issue to complex custom work, LuxSci has delivered service far above what I expected. Best of all, uptime with LuxSci has been 100%."

David Cayem . DelphiForums