Office365 includes Microsoft's Outlook email service (hosted on Exchange Online), packaged alongside its calendar, task manager and contacts manager. As the standard email service for many Windows users, it is only natural that healthcare organizations often want to use it for their communications.
While Office365 is convenient, affordable and has some excellent security features, companies that process PHI should consider HIPAA before they dive in and use it. If your company processes PHI and outsources its email, you need to find a provider that meets the regulations. You will also need to configure it properly to ensure compliance with HIPAA.
Is Office365 HIPAA compliant out of the box? The short answer is no, but it can be made so. Using it "as purchased," even with a signed BAA, leaves your outbound email non-compliant, because nothing forces messages carrying PHI to be encrypted before they leave your tenant.
To achieve compliance, you first need a signed Business Associate Agreement with Microsoft. Then, there are two roads you can follow:
To use LuxSci's smart host encryption for your Office 365 outbound email, you would:
The use of PHI is regulated under HIPAA to ensure that proper safeguards are taken to protect patient data. These rules don't always give strict specifications of what security and privacy measures are necessary, which can make HIPAA compliance a complicated prospect.
The Privacy and Security rules are purposely written this way to give businesses the freedom to come up with effective solutions for each individual situation. The regulators know that the appropriate safeguards vary from company to company, so hard and fast rules would not be effective or practical in many circumstances.
Some of the key aspects of HIPAA that affect email are described below. For more details, see HIPAA-compliant email basics.
Office365 was designed to be compatible with a range of different regulations, so it can be configured to meet the security requirements defined in HIPAA.
Microsoft offers multi-factor authentication for its users, which helps prevent unauthorized access to your company's email. When someone logs in, they must acknowledge an app notification, phone call or text on their smartphone in addition to entering their username and password. An attacker who steals or guesses the password therefore also needs control of the user's phone (or another way to defeat the second factor) before the account is exposed.
Microsoft also offers encryption for data in transit and at rest. Data is encrypted whenever it leaves Microsoft's facilities; however, message headers (sender, recipients, subject line) are not covered by message-level encryption and travel in the clear between mail servers. Because of this, you need to train your employees never to put PHI in subject lines or other headers; otherwise you will be in breach of HIPAA even though the message body was encrypted.
Microsoft Office365 and Microsoft Dynamics CRM include features that can assist you with monitoring and auditing access. They can track when data has been accessed, whether it is by your own staff or by Microsoft personnel. It is important to review these reports frequently so that you can monitor for any suspicious activity.
While HIPAA doesn't state the exact measures that need to be taken, it stipulates that adequate safeguards need to be in place. Companies should conduct a risk analysis to determine their biggest threats. This gives them a starting point to implement the policy, technology and other defensive measures that will protect their PHI.
When it comes to HIPAA-compliant email, the most important aspects are protecting the integrity, privacy, and authenticity of the data. There must be procedures in place to verify that the person trying to access the PHI is who they claim they are. There are a range of solutions for this, but one of the most effective is access control with a user name and password, combined with two-factor authentication.
HIPAA also requires technical measures that prevent unauthorized access to PHI. Again, there are different ways to do this, but one of the most effective is to use TLS-based encryption when PHI is being transmitted. One caveat: ordinary server-to-server TLS is opportunistic, so if the receiving mail server does not support it the message is delivered in plaintext. For PHI you need either enforced TLS (the sending server refuses to deliver without it) or message-level encryption that does not depend on the recipient's server. Sensitive patient data should also be encrypted in storage.
The regulations also state that there need to be mechanisms in place to record and monitor activity related to PHI. This can be done by auditing logins, login attempts, password changes and other access details. These logs should include the time and date, as well as the IP address of the user.
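As an added example (not part of the original article), the following PowerShell pulls the sign-in events HIPAA logging expects (who, when, from which IP, success or failure) from the Microsoft 365 unified audit log and summarizes failed logins by source address. It assumes the ExchangeOnlineManagement module is installed and that the account running it has the Audit Logs role; the seven-day window and the output file name are my choices, not anything the article specifies.

```powershell
# Added example: review sign-in activity from the unified audit log.
# Assumes the ExchangeOnlineManagement module and an account holding the
# Audit Logs role. UserLoggedIn / UserLoginFailed are Microsoft's own
# operation names for Azure AD sign-in events.
Connect-ExchangeOnline

$end   = Get-Date
$start = $end.AddDays(-7)   # review window (assumption: one week)

$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations UserLoggedIn, UserLoginFailed -ResultSize 5000

# AuditData is a JSON string; expand the fields the HIPAA audit trail needs:
# timestamp, user, client IP and the outcome.
$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $d.CreationTime
        User      = $d.UserId
        ClientIP  = $d.ClientIP
        Operation = $d.Operation
        Result    = $d.ResultStatus
    }
}

# Failed sign-ins grouped by source IP: a quick password-spray / brute-force check.
$rows | Where-Object Operation -eq 'UserLoginFailed' |
    Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Keep the full export with your retention records so the review is itself auditable.
$rows | Export-Csv -NoTypeInformation -Path ".\m365-signins-$($start.ToString('yyyyMMdd')).csv"
```

Run this on a schedule (weekly at minimum) and keep the CSV: the regulation asks not only that activity be logged, but that someone demonstrably reviews it. Search-UnifiedAuditLog returns at most 5000 records per call, so for a large tenant narrow the window or page through results.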
The final step to making Outlook 365 compliant is to establish procedures that safeguard PHI. These include reviewing who accesses user accounts, whether anyone changes passwords, or if someone adds themselves to shared resources. Perhaps the biggest gap that needs to be filled is the requirement for email encryption services to protect messages sent from Outlook 365. Microsoft offers "Office 365 Message Encryption" which must be purchased separately as part of "Microsoft Azure Rights Management". This service costs $2.00/user/month above-and-beyond your regular Microsoft Office 365 licenses (which start at $8.25/user/month).
It is just as easy to use a third-party HIPAA-compliant email service to secure your Outlook 365 outbound email. Indeed, most third-party encryption services provide many more options and much more flexibility in how your messages are encrypted, compared to Office 365 Message Encryption. Additionally, Office 365 Message Encryption as described here only encrypts outbound email when your users explicitly request it. This form of "opt-in" email encryption is very risky from a compliance point of view, as you are liable for any inadvertent breaches or disclosures of sensitive information that result from employee mistakes or lapses. See Opt-in email encryption is too risky for HIPAA compliance. We highly recommend choosing a solution, like LuxSci's, that flips this concept on its head, encrypting all messages unless told otherwise. This is much safer from a corporate risk point of view, as a forgotten checkbox no longer results in a breach.
Under HIPAA, every party that touches PHI is responsible for keeping it safe. Because of this, covered entities must sign a BAA with any other organization that processes their PHI.
If your company outsources its email, you will need to sign an agreement with the provider to ensure that they are also taking adequate measures to protect the PHI. The BAA sets out how your company's PHI can be processed by the business associate. It also specifies the policies and safeguards that will be put in place to protect it.
Microsoft will sign a BAA with your company, but this alone does not make your email HIPAA compliant. Your company still has its own responsibilities to meet if it wants to stay within the regulations. These include properly defining how Outlook is configured, as well as how it is used.
Thankfully, Microsoft gives companies some guidance on how they can make Outlook 365 HIPAA-compliant. Their HIPAA/HITECH Implementation Guidance document even features a checklist at the end which tells companies what they need to do.
The steps include reviewing the BAA to determine whether Microsoft meets the privacy and security requirements of your company. If you deem it acceptable, you can sign the agreement.
From there, you need to orchestrate an effective access control system. Microsoft offers many tools to assist you, such as the Exchange Administrator Access Tracking and Microsoft Dynamics CRM Online.
To make sure that the PHI is being treated appropriately, Microsoft also recommends training for both administrators and users. Administrators need to be aware that they cannot allow access to PHI when they are troubleshooting, nor can they put it in the directory, address book or global address list information.
Users need to be taught that PHI cannot be placed in headers, public SharePoint sites or file names, because these practices expose it. They also need to be aware that they can only email PHI to those that have the right to view it.
Email archival is required for HIPAA compliance; however, Office365 does not include archival unless you purchase Microsoft's separate "Exchange Online Archiving" service. Alternatively, you can use a third-party email archival service that specializes in HIPAA compliance. There is a significant business continuity benefit to archiving with a provider other than Microsoft: if your Office365 tenant is unavailable, locked or compromised, the archive remains accessible and independently intact.
While Outlook 365 can be configured and used within HIPAA regulations, you can have an even better experience by combining it with LuxSci's smart host. Our smart hosting connects Outlook 365 to one of LuxSci's outbound servers, relaying your email through us before it reaches the internet.
This can give your email several key advantages. Smart hosting with LuxSci allows email archival, outbound email encryption, data loss prevention, and better sending IP-reputation. It is also super easy to configure them together. You just need a LuxSci email account for the same number of users as you have for Outlook.
All you have to do is enable smart hosting and your outbound email will flow through our servers. It's easy and offers a range of features that help with your security and HIPAA compliance. If you are sick of HIPAA-headaches, LuxSci can help you ease the burden.
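As an added example (my code, not LuxSci's documented setup or Microsoft's official guidance), this is what the Exchange Online side of "enabling smart hosting" looks like in PowerShell: an outbound connector pointed at the relay, scoped by a mail flow rule so that every message leaving the organization goes through it. The hostname smtp.relay.example.com and the connector and rule names are placeholders; substitute whatever your provider gives you.

```powershell
# Added example: route all outbound Exchange Online mail through an external smart host.
# Assumes the ExchangeOnlineManagement module and Exchange admin rights.
# "smtp.relay.example.com" is a placeholder for the provider's relay host.
Connect-ExchangeOnline

# 1. Define the smart host. TlsSettings CertificateValidation means Exchange
#    Online will not deliver to the relay unless TLS negotiates and the relay
#    presents a trusted certificate, so there is no silent fallback to plaintext.
$connector = New-OutboundConnector -Name "Relay via smart host" `
    -ConnectorType Partner `
    -UseMXRecord $false `
    -SmartHosts "smtp.relay.example.com" `
    -TlsSettings CertificateValidation `
    -RecipientDomains "*" `
    -IsTransportRuleScoped $true `
    -Enabled $true

# 2. Send every message that leaves the organization through the connector.
#    Scoping by mail flow rule keeps internal mail inside the tenant and makes
#    the routing explicit and auditable.
New-TransportRule -Name "Route outbound mail via smart host" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -RouteMessageOutboundConnector $connector.Name

# 3. Verify both objects before sending a test message to an external address.
Get-OutboundConnector "Relay via smart host" |
    Format-List Name, SmartHosts, TlsSettings, Enabled, IsTransportRuleScoped
Get-TransportRule "Route outbound mail via smart host" |
    Format-List Name, State, RouteMessageOutboundConnector
```

The relay provider must also be configured to accept mail from your tenant (that side of the setup is theirs, and is not shown here). Once both halves are in place, send a test message to an outside address and confirm in the message trace that it was handed to the connector, not delivered directly via MX.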
Created by Erik Kangas, PhD