Get a Demo
Free Trial
CA Blog Logo
HIPAA compliance software – Office 365 HIPAA
HIPAA Compliance Software | CloudAlly
Try our Backup Interactive Product Tour
Start Tour

Office 365 HIPAA

HIPAA Compliance Software

hipaa compliance softwareProtected health information is an important subject in the technological age. The use of mobile devices such as smart phones and tablets make it more consequential for companies to have protections in place. With the use of online services, like Office 365, HIPAA compliant takes on a new level of complexity. Not only does your business must have regulations and safe practices in place to protect sensitive data, but the online service must have HIPAA compliance software measure as well.

The IT manager can easily be confused by which services have the proper protections in place to help safeguard data.  A quick search and hundreds of names appear, all claiming to have the certifications necessary to meet your needs. While many do, not all are as compliant as they pretend to be. So, one wonders is Office 365 HIPAA compliant?

Certified to Protect

Microsoft has robust security features necessary to help protect information stored on their servers. The company offers two-factor security authentication to help keep your accounts secure. In short, Office 365 is HIPAA compliant.

As an Office 365 user, there are some things you must do to take advantage of their compliance standing. All companies using Office 365, must complete a business associate agreement, or BAA, with Microsoft. Once in place, Microsoft, for their part, will do everything in their power to ensure your protected health documents are secure.

Configuring Office 365 Email

After signing a BAA, Microsoft helps you set user emails to comply with HIPAA regulations using the Exchange Online Protection program. Only administrators can configure these settings, as they are reached from the Exchange Admin Center page.hipaa compliance email


Once on the Admin page, select Compliance management, then select Data Loss Prevention. From here click on the “+” sign and select New DLP policy from the template. Scroll until you find HIPAA and choose template.

By default, Office 365’s HIPAA rules scan messages for Drug Enforcement Agency (DEA) number and Social Security numbers. However, if you need more coverage, you can add:

  • US Passport number
  • US Bank Account
  • US Driver’s License
  • US Individual Taxpayer Identification number

To add any of these items to your HIPAA configuration, just select them on the template. You can also customize rules to add fields such as Date of Birth.

Once enacted, Microsoft scans each email for selected sensitive information. In the event of an incident, Microsoft reports it as dictated by their standard notification procedures to the system administrators.

Office 365 HIPAA Compliance Is Not Enough

Using an email service that is HIPAA compliant, like Office 365, is not sufficient. Microsoft is only responsible for maintaining security on their end of the agreement. It is up to business owners to use best practices to protect customer information and comply with HIPAA regulation.

Adding two-factor security authentication is just one step to help protect your files in an HIPAA regulated situation. Using encrypted email when sending data contributes to protecting your customers from potential information loss.

Another step you can take is limit who on your staff can send emails concerning patient information. Limiting who can access and edit client files is also another way to protect sensitive data.

Patient consent forms, which must be signed for health information to be shared with anyone other than the patient, are the responsibility of your office. Microsoft does not take responsibility for this document. It is up to your staff to obtain and retain written permission. Under HIPAA regulation, this agreement is obtainable v