Is Microsoft Office 365 HIPAA Compliant?

What is HIPAA Compliance?

HIPAA is a piece of U.S. legislation that provides data privacy and security regulations to ensure sensitive medical information is protected. The law has gained greater importance in recent years with the increase in the number of health data breaches caused by malware and ransomware attacks on both health insurers and providers.

The purpose of HIPAA is to provide uninterrupted health insurance coverage for workers who lose or change their jobs. By standardizing the electronic transmission of administrative and financial transactions, HIPAA helps reduce both administrative burdens and the cost of health care.

Companies dealing with protected health information (PHI) must have a physical, network, and process security measures in place and adhere to them to ensure HIPAA Compliance. Covered entities are anyone providing treatment, payment, and operations in healthcare, and business associates are anyone who has access to patient information and provides support in treatment, payment, or operations. Both covered entities and business associates must meet HIPAA Compliance. Other entities, such as subcontractors and any other related business associates must also be in compliance.

Microsoft Office 365 and Business Associate Agreements

Microsoft Office 365 provides a business associate agreement (BAA) as a part of their service, which acts as a contract between Microsoft and all participating HIPAA-covered entities. When a covered entity upload protected health information to Microsoft Office 365, both parties are automatically covered by the BAA. The agreement cannot be modified by the covered entity, so it is important that they carefully review the agreement before choosing to store ePHI in the cloud, to ensure that it is suitable for their needs.

It’s worth noting that Microsoft has subjected itself to audits in accordance with the ISO 27001 standard, to ensure that they have adequate security and privacy controls in place and that they are following the recommendations put forth by the U.S. Department of Health and Human Services (HHS).

Microsoft Purview Compliance Manager Features

The Microsoft Purview Compliance Manager is a suite of tools and dashboards that help you manage your organization’s multi-cloud compliance requirements more easily.

Multi Cloud Regulatory Assessments

Pre-configured templates are included with the Compliance Manager for widely used standards, including HIPAA, that help meet multi-cloud compliance requirements with Microsoft Office 365 or non-Microsoft products or services.

Continuous Control Assessment

Controls are components of an assessment, which specify the actions necessary to comply with a particular standard. Continuous status and automatic credit results are received for technical controls as the Compliance Manager scans your environment and detects system settings.

Continuous Regulatory Updates

Stay current with up-to-date guidance on regulatory, product, or control mapping changes and take appropriate improvement actions to help meet relevant certification requirements.

Common Control Mapping

Scale your compliance program by taking one action and satisfying multiple requirements across several regulations and standards, eliminating the need to update the same control multiple times.

Compliance Score

Each assessment carries a compliance score, which will change as controls are implemented and action items are carried out. The score indicates the extent to which the included controls are adopted, and each control is worth a certain number of points, which are added to the score when it is implemented. A control’s points are an all-or-nothing contribution, there’s no partial credit.

This risk-based score can be filtered for a specific regulation or standard or a specific solution category.

How Does Microsoft Office 365 Handle Security Breaches?

In the event of a security breach, Microsoft will notify all global admins, as well as users who are designated as Privacy Readers, within 30 days. The covered entity (anyone providing treatment, payment, and operations in healthcare) will be required to scan their repositories for signs of compromise, as well as notify their customers and the relevant authorities, as this is not Microsoft’s responsibility.

Microsoft Office 365 Best practices for HIPAA

Microsoft makes it clear that the responsibility for HIPAA compliance lies with the customer. It recommends that all companies establish procedures and policies to ensure that their employees use MICROSOFT OFFICE 365 in a way that supports compliance.

Here are some best practices for you to follow when configuring and setting up Office 365 for HIPAA:

• • Follow the Principle of Least Privilege (PoLP) and try to maintain least privileged access from the beginning of your Office 365 implementation and review user access policies regularly.

Enforcing a PoLP strategy ensures that users can only access the Protected Health Information (PHI) they need to do their jobs. This will help keep PHI from being accessed by unauthorized users.

• Make sure that the products you plan to use are within the scope of Microsoft’s HIPAA Compliance Services.
• Microsoft recommends that customers with a BAA should designate representatives as HIPAA Privacy Readers, which gives them access to Message Center notifications about possible breaches involving electronically protected healthcare information (ePHI).
• Use Microsoft’s end-to-end encryption to protect PHI from data breaches.
• Use Microsoft Information Protection (MIP) to prevent users from accidentally sending PHI to unauthorized users. MIP can read from a whitelist of domains or external users could be given Azure accounts to keep unauthorized users from accessing your PHI.
• Enable multi-factor authentication in Office 365.
• Maintain the Office 365 audit logs in case of a compliance incident.
• Keep backups of data held in Office 365 as per HIPAA regulations.

Is Microsoft Office 365 HIPAA compliant?

Providing that a HIPAA-covered entity has entered into a Business Associate Agreement with Microsoft 365 can be used in a manner compliant with HIPAA Rules.

It is, however, always the responsibility of covered entities to ensure the following:

• Access controls are configured correctly
• Administrator access tracking is turned on
• Microsoft Dynamics CRM Online for supported devices is turned off
• Access control reports are obtained and checked regularly
• All users are given training on how to use Office 365 in a manner compliant with HIPAA Rules.

All appropriate privacy and security controls have been implemented by Microsoft to ensure that Office 365 can be used by HIPAA-covered entities while remaining compliant with HIPAA. However, it is important to note that the use of Office 365 does not guarantee compliance, even if a BAA has been obtained from Microsoft.

Microsoft itself has stated:

“By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.” – Microsoft Corporation

Customers who have an online service agreement with Microsoft do not need to sign up or take any action to sign a HIPAA BAA since the BAA is already offered to all relevant customers in the Online Services Terms.

How Can Lepide Help with HIPAA Compliance for Microsoft Office 365?

Even though Microsoft provides security features and breach notifications to HIPAA-covered entities, they have made it very clear that it is the responsibility of the customer to protect their ePHI. There are third-party solutions, such as the Lepide Data Security Platform, which provide additional features that can help you streamline your HIPAA compliance efforts. These features include;

Data Discovery & Classification

Lepide can help you locate and classify your ePHI across your Microsoft Office 365 environment, as well as other cloud and on-premise environments. Using the built-in pre-defined classification taxonomies, you can classify your ePHI in accordance with the HIPAA guidelines.

Assigning Access Permissions

While Microsoft Office 365 enables you to set up access controls to protect your ePHI, the Lepide Data Security Platform will give you more visibility into how your data is accessed and used, thus making it easier to assign access controls in a more informed manner.

Detecting and Responding to Changes to ePHI

Lepide uses machine learning models to establish a baseline that represents the usage patterns that are typical for each and every user. When user behavior deviates too far from this baseline, an alert is sent to the administrator who can review the changes and take action accordingly. In some cases, an automated response can be initiated. For example, if a large number of files are copied or encrypted within a given time frame, a custom script can disable a user account, stop a specific process, change the security settings, and do any other actions that will minimize the damage caused by an attack. With Lepide, all important changes to your ePHI can be reviewed via a centralized console, and pre-defined HIPAA compliance reports can be generated at the click of a button.