Office 365 HIPAA
HIPAA Compliance Software
Protected health information is an important subject in the technological age. The use of mobile devices such as smart phones and tablets make it more consequential for companies to have protections in place. With the use of online services, like Office 365, HIPAA compliant takes on a new level of complexity. Not only does your business must have regulations and safe practices in place to protect sensitive data, but the online service must have HIPAA compliance software measure as well.
The IT manager can easily be confused by which services have the proper protections in place to help safeguard data. A quick search and hundreds of names appear, all claiming to have the certifications necessary to meet your needs. While many do, not all are as compliant as they pretend to be. So, one wonders is Office 365 HIPAA compliant?
Certified to Protect
Microsoft has robust security features necessary to help protect information stored on their servers. The company offers two-factor security authentication to help keep your accounts secure. In short, Office 365 is HIPAA compliant.
As an Office 365 user, there are some things you must do to take advantage of their compliance standing. All companies using Office 365, must complete a business associate agreement, or BAA, with Microsoft. Once in place, Microsoft, for their part, will do everything in their power to ensure your protected health documents are secure.
Configuring Office 365 Email
After signing a BAA, Microsoft helps you set user emails to comply with HIPAA regulations using the Exchange Online Protection program. Only administrators can configure these settings, as they are reached from the Exchange Admin Center page.
Once on the Admin page, select Compliance management, then select Data Loss Prevention. From here click on the “+” sign and select New DLP policy from the template. Scroll until you find HIPAA and choose template.
By default, Office 365’s HIPAA rules scan messages for Drug Enforcement Agency (DEA) number and Social Security numbers. However, if you need more coverage, you can add:
- US Passport number
- US Bank Account
- US Driver’s License
- US Individual Taxpayer Identification number
To add any of these items to your HIPAA configuration, just select them on the template. You can also customize rules to add fields such as Date of Birth.
Once enacted, Microsoft scans each email for selected sensitive information. In the event of an incident, Microsoft reports it as dictated by their standard notification procedures to the system administrators.
Office 365 HIPAA Compliance Is Not Enough
Using an email service that is HIPAA compliant, like Office 365, is not sufficient. Microsoft is only responsible for maintaining security on their end of the agreement. It is up to business owners to use best practices to protect customer information and comply with HIPAA regulation.
Adding two-factor security authentication is just one step to help protect your files in an HIPAA regulated situation. Using encrypted email when sending data contributes to protecting your customers from potential information loss.
Another step you can take is limit who on your staff can send emails concerning patient information. Limiting who can access and edit client files is also another way to protect sensitive data.
Patient consent forms, which must be signed for health information to be shared with anyone other than the patient, are the responsibility of your office. Microsoft does not take responsibility for this document. It is up to your staff to obtain and retain written permission. Under HIPAA regulation, this agreement is obtainable via email. However, you must inform the patient of any potential risks they may have using email to communicate sensitive data.
Properly managing where protected health information is the most important thing you can do to maintain HIPAA regulation. While mobile devices often come with Office 365, it can only help to increase the risk others gaining access to patient information. Misplaced laptops and cell phones can lead to stolen documents if saved internally.
Having a cloud backup in place can act as a barrier to malicious data loss. Storing information in the cloud keeps it from being stored on the hard drive of a mobile device that is easily lost. However, if you choose to store your information in the cloud, make sure your backup service is HIPAA compliant to adhere to government regulation.
CloudAlly is certified ISO 27001 and is thoroughly HIPAA compliant software. We offer business associate agreements with all clients who ask for them. Our Office 365 backs up email, calendar, tasks, and contact data.
