LuxSci

Is Outlook 365 HIPAA Compliant?

Outlook 365 is Microsoft's hosted email service (Exchange Online, accessed through the Outlook client), packaged alongside its calendar, task management program and contacts manager. As the standard email service for many Windows users, it is only natural that those in the health niche would also want to use it for their communications.

While Outlook 365 is convenient, affordable and has some excellent security features, companies that process PHI should consider HIPAA before they dive in and use it. If your company processes PHI and outsources its email, you will need to find a provider that meets the regulations. You will also need to configure it to the correct standards and ensure that it is used in compliance with HIPAA.

So, is Outlook 365 HIPAA-compliant?

The short answer is no, but it can be. While Microsoft's Outlook 365 can become HIPAA compliant, using it "as is" does not make your email compliant on its own. Thankfully, the process isn't too difficult, and Microsoft provides some guidance on what you need to do to meet the standards. Among other things, this involves adding email encryption services to Outlook 365. This can be done using Microsoft's own (limited) encryption and archival services, or by purchasing outbound HIPAA-compliant email encryption (and email archival) through a specialized third party, such as LuxSci, and configuring Office 365 so that all of your outbound email messages are relayed through LuxSci for encryption before being sent on to their recipients.

To use LuxSci (or another smart host) to encrypt your Office 365 outbound email, you would:

  1. Sign up for a HIPAA-compliant Email Smart Hosting Account with LuxSci.
  2. Order services for the domain(s) you have set up in Outlook 365 and for the same number of users that you have in Outlook 365.
  3. Set up your LuxSci account so that all of your users and domains are created. There needs to be a one-to-one relationship between users in LuxSci and users in Office 365, for tracking, auditing, and authentication purposes.
  4. Flip a switch enabling your LuxSci account to accept email relayed from Office 365
  5. Flip a switch in Office 365 to send your outbound email to LuxSci.
  6. Done!
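As an added example (not code from this page, from LuxSci or from Microsoft's documentation), the following shows what step 5 looks like in Exchange Online PowerShell: an outbound connector that sends every message addressed outside the tenant to a smart host, with TLS required and the smart host's certificate validated against its hostname. The admin account, smart host name, connector name and test recipient are placeholders to be replaced with the values your provider gives you.

```powershell
# Added example: route all outbound Exchange Online mail through an encryption
# smart host. Account, hostname, connector name and recipient are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

$smartHost = "smarthost.example.net"   # placeholder: the relay host your provider assigns you
$name      = "Outbound via encryption smart host"

New-OutboundConnector -Name $name `
    -ConnectorType Partner `
    -RecipientDomains "*" `
    -UseMXRecord $false `
    -SmartHosts $smartHost `
    -TlsSettings DomainValidation `
    -TlsDomain $smartHost `
    -IsTransportRuleScoped $false `
    -Enabled $true

# Check the settings that matter here: TLS is mandatory and the smart host's
# certificate is validated, so mail cannot silently fall back to a cleartext hop.
Get-OutboundConnector -Identity $name |
    Format-List Name, SmartHosts, RecipientDomains, TlsSettings, TlsDomain, Enabled

# Send a test message through the connector and report whether it was delivered.
Validate-OutboundConnector -Identity $name -Recipients "test-recipient@example.org"
```

`TlsSettings DomainValidation` with `TlsDomain` is stricter than the `EncryptionOnly` setting often used in examples: it rejects the connection if the smart host's certificate does not match the expected name, which is the behaviour you want when the relay carries PHI. The provider side (step 4) must separately be configured to accept relay from Microsoft's sending infrastructure for your domains, otherwise the test message will be refused.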


How Is Email Regulated Under HIPAA?

The use of PHI is regulated under HIPAA to ensure that proper safeguards are taken to protect patient data. These rules don't always give strict specifications of what security and privacy measures are necessary, which can make HIPAA compliance a complicated prospect.

The Privacy and Security rules are purposely written this way to give businesses the freedom to come up with effective solutions for each individual situation. The regulators know that the appropriate safeguards vary from company to company, so hard and fast rules would not be effective or practical in many circumstances.

Some of the key aspects of HIPAA that affect email are described below. For more details, see HIPAA-compliant email basics.

Security Measures

While HIPAA doesn't state the exact measures that need to be taken, it stipulates that adequate safeguards need to be in place. Companies should conduct a risk analysis to determine their biggest threats. This gives them a starting point to implement the policy, technology and other defensive measures that will protect their PHI.

When it comes to HIPAA-compliant email, the most important aspects are protecting the confidentiality, integrity, and authenticity of the data. There must be procedures in place to verify that the person trying to access the PHI is who they claim to be. There are a range of solutions for this, but one of the most effective is access control with a username and password, combined with two-factor authentication.

HIPAA also requires technical measures that prevent unauthorized access to PHI. Again, there are different ways to do this, but one of the most effective is to use TLS-based encryption when PHI is being transmitted. Note that TLS protects only the connection between two mail servers: if it is merely opportunistic, a message can still fall back to cleartext on a hop where the other side does not offer it, so TLS should be enforced for any route that carries PHI. Sensitive patient data should also be encrypted in storage.

The regulations also state that there need to be mechanisms in place to record and monitor activity related to PHI. This can be done by auditing logins, login attempts, password changes and other access details. These logs should include the time and date, as well as the IP address of the user, and they are only useful if someone actually reviews them for patterns such as repeated failed logins.
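To make the review concrete, here is an added example (not code from this page or from any vendor) of a simple detection run over login-audit records of the kind just described. The records are constructed sample data with assumed field names (time, user, result, client IP), not a real log schema; the rule flags any user/IP pair with at least a threshold number of failed logins followed by a success from that same IP, which is the classic signature of a guessed or brute-forced password. The sample contains one such sequence and one harmless set of entries.

```powershell
# Added example: flag "N failures then a success" from the same client IP in
# constructed login-audit records. Field names and data are assumptions.
$threshold = 3

# Constructed sample records (not real tenant data).
$csv = @"
Time,User,Result,ClientIP
2024-05-01T09:00:00Z,alice@example.com,Failure,203.0.113.5
2024-05-01T09:00:20Z,alice@example.com,Failure,203.0.113.5
2024-05-01T09:00:41Z,alice@example.com,Failure,203.0.113.5
2024-05-01T09:01:05Z,alice@example.com,Success,203.0.113.5
2024-05-01T09:30:00Z,bob@example.com,Failure,198.51.100.7
2024-05-01T09:45:00Z,bob@example.com,Success,192.0.2.10
"@

# Parse and order by time so "first failure" and "first success" are meaningful.
$records = $csv | ConvertFrom-Csv | Sort-Object { [datetime]$_.Time }

# Group by user and source IP; a success from an IP that just produced a burst
# of failures is what we want a human to look at.
$findings = foreach ($group in ($records | Group-Object User, ClientIP)) {
    $failures  = @($group.Group | Where-Object Result -eq 'Failure')
    $successes = @($group.Group | Where-Object Result -eq 'Success')
    if ($failures.Count -ge $threshold -and $successes.Count -gt 0) {
        [pscustomobject]@{
            User         = $group.Group[0].User
            ClientIP     = $group.Group[0].ClientIP
            Failures     = $failures.Count
            FirstFailure = $failures[0].Time
            FirstSuccess = $successes[0].Time
        }
    }
}

$findings | Format-Table -AutoSize
```

The same logic applies unchanged to real exports once the column names are mapped; the point is that the time and IP fields the text calls for are exactly what makes the failure-then-success pattern visible, and a log without them cannot support this kind of review.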

How Does Outlook 365 Stack Up When It Comes to Security?

Outlook 365 was designed to be compatible with a range of different regulations, so it can be configured to meet the security requirements defined in HIPAA.

Microsoft offers multi-factor authentication for their users, which can help to prevent unauthorized access to your company's email. When someone tries to log in to their account, they will need to acknowledge an app notification, phone call or text to their smartphone, in addition to entering their username and password. This means that an attacker would need to be in possession of the user's smartphone as well as their login details. Of the available options, an authenticator app is preferable to SMS or voice codes, which can be intercepted or redirected.

Microsoft also offers encryption for data in transit and at rest. They can encrypt data whenever it is outside of their facilities; however, message headers (such as the Subject line and recipient addresses) are not protected by message-level encryption. Because of this, you need to train your employees not to put any PHI in the headers, otherwise you will be in breach of HIPAA.

Microsoft Office 365 and Microsoft Dynamics CRM include features that can assist you with monitoring and auditing access. They can track when data has been accessed, whether it is by your own staff or by Microsoft personnel. It is important to review these reports frequently so that you can monitor for any suspicious activity.

The Business Associate Agreement (BAA)

Under HIPAA, every party that touches PHI is responsible for keeping it safe. Because of this, covered entities must sign a BAA with any other organization that processes their PHI.

If your company outsources its email, you will need to sign an agreement with the provider to ensure that they are also taking adequate measures to protect the PHI. The BAA sets out how your company's PHI can be processed by the business associate. It also specifies the policies and safeguards that will be put in place to protect it.

Can You Sign a BAA for Outlook 365?

Microsoft will sign a BAA with your company, but this alone does not make your email HIPAA compliant. Your company will still have its own responsibilities to meet if it wants to stay within the regulations. These include properly defining the way that Outlook 365 is configured, as well as how it is used.

Thankfully, Microsoft gives companies some guidance on how they can make Outlook 365 HIPAA-compliant. Their HIPAA/HITECH Implementation Guidance document even features a checklist at the end which tells companies what they need to do.

The steps include reviewing the BAA to determine whether Microsoft meets the privacy and security requirements of your company. If you deem it acceptable, you can sign the agreement.

From there, you need to orchestrate an effective access control system. Microsoft offers many tools to assist you, such as the Exchange Administrator Access Tracking and Microsoft Dynamics CRM Online.

To make sure that the PHI is being treated appropriately, Microsoft also recommends training for both administrators and users. Administrators need to be aware that they cannot allow access to PHI when they are troubleshooting, nor can they put it in the directory, address book or global address list information.

Users need to be taught that PHI cannot be placed in headers, public SharePoint sites or file names, because these practices expose it. They also need to be aware that they can only email PHI to those that have the right to view it.

Email Archival

Email archival is required for HIPAA compliance; however, Outlook 365 does not come with archival unless you purchase Microsoft's "Exchange Online Archiving" service for $3.00/user/month extra. Alternately, you can use a third-party email archival service which specializes in HIPAA compliance. There is a significant benefit, from a business continuity point of view, from using a company other than your email service provider for your email archival services.

Email Encryption

The final step to making Outlook 365 compliant is to establish procedures that safeguard PHI. These include reviewing who accesses user accounts, whether anyone changes passwords, or if someone adds themselves to shared resources. Perhaps the biggest gap that needs to be filled is the requirement for email encryption services to protect messages sent from Outlook 365. Microsoft offers "Office 365 Message Encryption" which must be purchased separately as part of "Microsoft Azure Rights Management". This service costs $2.00/user/month above-and-beyond your regular Microsoft Office 365 licenses (which start at $8.25/user/month).

It is just as easy to use a third-party HIPAA-compliant email service to secure your Outlook 365 outbound email. Indeed, most third-party encryption services provide many more options and much more flexibility with respect to how your messages are encrypted, compared to Office 365 Message Encryption. Additionally, Office 365 Message Encryption only encrypts outbound email when your users explicitly request it. This form of "opt-in" email encryption is very risky from a compliance point of view, as you are liable for any inadvertent breaches or disclosures of sensitive information that result from employee mistakes or lapses. See Opt-in email encryption is too risky for HIPAA compliance. We highly recommend choosing a solution, like LuxSci's, that flips this concept on its head, encrypting all messages unless told otherwise. This is much safer, from a corporate risk point of view, as mistakes or lapses are not likely to cause a breach.

Making the Most of Outlook 365

While Outlook 365 can be configured and used within HIPAA regulations, you can have an even better experience by combining it with LuxSci's smart host. Our smart hosting connects Outlook 365 to one of LuxSci's outbound servers, relaying your email through us before it reaches the internet.

This can give your email several key advantages. Smart hosting with LuxSci allows email archival, outbound email encryption, data loss prevention, and better sending IP reputation. It is also easy to configure them together: you just need a LuxSci email account for the same number of users as you have for Outlook 365.

All you have to do is enable smart hosting and your outbound email will flow through our servers. It's easy and offers a range of features that help with your security and HIPAA compliance. If you are sick of HIPAA-headaches, LuxSci can help you ease the burden.
