Microsoft Outlook:  Is It HIPAA Compliant?  

Discover how to use Microsoft Outlook to ensure HIPAA compliance and avoid costly fines. It’s a complex process, and you need to know the ins and outs.

Is Microsoft Outlook HIPAA compliant?  The straightforward answer is “no.”  Companies do not achieve HIPAA compliance by using it on its own.  Steps must be taken to ensure compliance with HIPPA and HITECH’s Act.  Keep in mind that there isn’t any email platforms or software that can be fully compliant.  It’s more about how the technology is used.  It also depends on which version of Outlook is used.  In general, for an email service to be HIPPA compliant, it must have security features to ensure that the interception of sensitive data cannot take place.  In addition, platform providers must sign a Business Associate Agreement (BAA) with HIPPA-covered organizations.  This agreement covers security, privacy, and breach notification regulations. While Microsoft has already taken action to make its services suitable for healthcare providers by using a BAA, it doesn’t cover all of the company’s services and software.

A Close Look at Outlook and Office 365

The Outlook email platform and Office 365 are two different products.  This email platform should not be used by healthcare entities.  Office 365 is appropriate for healthcare organizations and has the BAA.  However, it must be the right version – Enterprise E or E5.  These versions can be HIPAA compliant because they have the ability to wipe data on mobile devices, have data loss prevention and offer encryption.  At the same time, these versions must incorporate :

• Maintained audit logs
• Configured properly
• Sign on and factor authorization enabled
• Data backups
• Employee training

It is these features and controls that make it HIPAA compliant.  It’s important to note that signing a BAA doesn’t equal HIPAA compliance.  According to Microsoft, “Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

What Is HIPAA and the HITECH Act

Both of these acts are US federal laws.  These acts are designed for healthcare organizations and companies, such as hospitals and physician offices.  They focus on the requirements for the safeguarding and disclosure of individual health data.  Plus, they also require signed BAAs, which focus on security and patient privacy.

Healthcare organizations can use the Exchange Online Protection (EOP) to configure Outlook 365.  It’s a cloud-based email filtering service that wards against malware and spam.  There are also additional features to safeguard against messaging-policy violations.  All around, being HIPAA compliant can be achieved with the proper configuration.

Healthcare organizations can create HIPAA DLP policies right in Office 365.  “The default HIPAA rules scan emails and use ‘U.S. Social Security Number (SSN)’ or ‘Drug Enforcement Agency (DEA) Number’ as triggers.  Additionally, U.S. Passport Number, U.S. Bank Account Number, U.S. Driver’s License Number, U.S. Individual Taxpayer Identification Number (ITIN) can be added to the checklist from available templates.”

Ensuring HIPAA compliance requires proactive strategies and using the right technology.  HIPAA violations and compliance issues are costly.  The cost of not preventing these incidents can tally up to $1,000 for each breach.  As more and more healthcare organizations are electronically transmitting patient records to medical facilities and specialists, it’s important to ensure that all of that information is secure.

HIPAA Compliance and the Cloud:  It’s Complex

Today, more and more healthcare organizations are moving their electronic communications to the cloud to save money.  This transition allows for a cutback in storage expenses and hardware. At the same time, it expands the scope of HIPPA regulations.  Healthcare organizations must also ensure that their vendors are HIPAA compliant.  This makes it more difficult than ever to maintain compliance.  “When a covered entity enlists a cloud service like Microsoft Office 365, Gmail, or Google Apps for Work for email and file sharing, that entity’s digital information must be stored on and shared across that vendor’s servers.”  Clearly, one can see why it’s so difficult to stay compliant.

Vendors must complete preventative tasks and stay HIPAA compliant also, such as:

• Establishing procedures for a security breach
• Implementing procedures for audit logs, access reports, and security tracking
• Assigning unique indicators for identifying employees
• Training employees

Tips for Staying HIPAA Compliant

It’s always smart to get a HIPAA compliance scan once a year.  This type of scan is designed to pick up on everything. You also need to get a domain.  It’s centrally managed and included security features.  Add encryption to all of your mobile devices.  It’s just one more strategy to keep your data safe and secure.  Manage passwords and automatic log off.  It’s the easiest way to meet HIPAA standards.  Keep in mind that HIPAA standards also require a business-level email with end-to-end security.  Use a business-grade firewall.  These firewalls are equipped with extra security features to ward off a security attack.  In addition, use an outsourced IT company or have an in-house professional IT staff.  This will help ensure that security updates are well-monitored and consistently implemented.  While becoming and staying HIPAA compliant is a complex process, you can close the security gap with the right steps and strategies. Do it right, and you can avoid those costly and unnecessary fines.  If your healthcare organization needs help with becoming and staying HIPAA compliant, contact a third-party IT management company to learn more about the process.

Author: Aaron White, Date: 17th November 2017