There can be nothing more sacrosanct for businesses than their client data, perhaps more so for businesses in the healthcare sector. Security breaches and data leaks can have consequences far beyond hefty fines. Businesses in the healthcare industry have to adhere to stringent compliance mandates like the Health Insurance Portability and Accountability Act (HIPAA), which regulates the way medical information is handled. This covers the means they use for storing and communicating electronic protected health information (ePHI). Microsoft recognizes these challenges and has developed tools that are either part of its offerings or can be optionally added. Is Office 365 HIPAA compliant? We’ll find out in due course.
What is HIPAA? What Does HIPAA Cover?
Under US healthcare law, HIPAA defines how individually identifiable health information can be used, maintained and transmitted. Stakeholders like hospitals, insurance providers, doctors, and other such entities who have access to patient data are covered under its ambit. This also includes service providers called Business Associates through whom information is typically routed. Consequently, third parties like data storage providers, consultants, IT services, application developers and other vendors are also liable to implement measures to fulfill HIPAA compliance. This implies that healthcare companies using Microsoft Office 365 will have to ensure that the products in the suite they are using comply with the HIPAA Rules.
Relevant HIPAA Rules
HIPAA legislation covers several aspects of healthcare information. However, with regard to the electronic transmission of protected data, there are some pertinent rules of interest, the gist of which we sum up in this section. These rules are intended to prevent fraud and data abuse. They can be broadly segregated into three categories: privacy, security, and breach notification.
The privacy rule details the type of information that has to be protected as per HIPAA guidelines. This can include patient details like name, age, social security number, address, contact details, health and treatment details, and payments.
The security rule sets guidelines for storing and communicating patient data in both physical and electronic formats.
The breach notification rule mandates that covered entities notify affected individuals if their protected information has been accessed or used without authorization.
Microsoft Features for HIPAA Compliance
Microsoft has developed several technologies that are either built-in or offered as optional enhancements with their products. While these privacy and security tools are not specifically built for the healthcare industry, they help businesses meet the standards set by HIPAA.
Some of the notable tools that are part of Microsoft’s repertoire for providing advanced safety and security features are listed below.
- Office 365 Advanced Threat Protection (ATP) – Protects mailboxes from harmful links.
- Azure AD Identity Protection – Detects and preempts identity-related threats.
- Azure Security Center – Protects data stored in data centers, the cloud and on client premises.
- Azure Advanced Threat Protection – Detects vulnerabilities and enables investigation, using machine learning to identify threats and attacks resulting from suspicious user behavior and unusual activities.
- Log Analytics workspaces – Provide a customized repository for storing data emanating from different sources.
- Mobile Application Management, Windows Information Protection, and Mobile Device Management – Help organizations monitor and manage devices and applications to protect confidential data.
- Cloud App Security (CAS) – Helps organizations better protect their cloud applications.
- Microsoft Defender Advanced Threat Protection – Designed for enterprises to provide comprehensive protection against a range of threats.
How Is Office 365 HIPAA Compliance Achieved?
A business in the healthcare industry using Office 365 takes the first step to achieve HIPAA compliance by entering into a Business Associate Agreement (BAA) with Microsoft. This agreement is to protect patient data from being used for advertising purposes or being voluntarily disclosed to other parties without consent. Microsoft will have to enforce more stringent control over such data.
The next step is to assess the current security posture. Depending on the existing security measures, businesses will first have to implement measures to log activities, add security controls across devices and applications, secure user identities, intranet sites, and files, and establish data governance policies to protect data integrity.
The business should then take steps to improve compliance. This could entail performing penetration tests, implementing multi-factor authentication and user privilege controls, setting up Compliance Manager, and regularly updating protection policies.
Is Office 365 HIPAA Compliant?
The answer depends on the version you purchase. If your version is not, can it be made HIPAA compliant? Absolutely.
We have seen the range of security tools and measures that Microsoft offers to enhance data protection. These can be configured to meet the stringent HIPAA standards. To sum up, some of the measures to make Office 365 HIPAA compliant are as below:
- Implement end-to-end encryption
- Create archives and audit logs
- Add multi-factor authentication
- Set up access control mechanisms
- Enable remote data wipes
While some of these capabilities are available with the vanilla version of Office 365, healthcare businesses need more advanced features to fully comply with HIPAA standards. Meeting these compliance challenges is as much about configuring the available services correctly as it is about purchasing the appropriate Office 365 package. While almost all the features are included in Office 365 Enterprise E5, they are available as add-ons with Office 365 Enterprise E3. However, while most of the features are available as add-ons with Office 365 Business, Business Essentials, and Business Premium, some of them are missing from the base version, making HIPAA compliance a challenging prospect.
Office 365 is, without a doubt, one of the most convenient and widely used packages of applications and services, with some of the most advanced security features. Yet it needs to be configured properly to protect ePHI for HIPAA compliance. Apps4Rent is among the few service providers that can configure Office 365 to meet HIPAA compliance.