HIPAA Compliance with Office 365 (Exchange Online) - Steps for Configuration and Use
Office 365 provides access virtually anywhere to email, calendar, HD videoconferencing, and enterprise social networking across devices. What’s more, it’s designed to meet health requirements for patient-centered collaboration, user productivity, robust security, and adherence to privacy regulations such as HIPAA, ISO 27001, and EU Model Clauses. With these tools, your health organization can increase efficiency and care collaboration across the entire care continuum.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA enacted August 21, 1996)
HIPAA and the HITECH Act are U.S. federal laws that apply to healthcare companies, including most doctors’ offices, hospitals, and health insurers. They establish requirements for the use, disclosure and safeguarding of individually identifiable health information.
HIPAA and the HITECH Act apply to healthcare companies, including most doctors’ offices, hospitals, and health insurers. HIPAA and the HITECH Act also require these covered entities to sign written agreements (called business associate agreements or BAAs) with their service providers who provide certain functions using individually identifiable health information. BAAs impose privacy and security obligations on those service providers.
Exchange Online & HIPAA
Exchange Online Protection (EOP) will help you configure out of the box rules to enable your clients to be HIPAA compliant. The same is done using Data Loss Prevention (DLP) policies.
Microsoft Exchange Online Protection (EOP) is a cloud-based email filtering service that helps protect your organization against spam and malware, and includes features to safeguard your organization from messaging-policy violations. EOP can simplify the management of your messaging environment and alleviate many of the burdens that come with maintaining on-premises hardware and software. DLP policies are simple packages that contain sets of conditions, which are made up of transport rules, actions, and exceptions that you create in the Exchange Administration Center (EAC) and then activate to filter email messages. You can create a DLP policy, but choose to not activate it. This allows you to test your policies without affecting mail flow.
While customers can use Office 365 and CRM Online and remain compliant with HIPAA and the HITECH Act, using Office 365 and CRM Online does not on its own achieve HIPAA compliance. Your organization also needs to ensure it has taken appropriate steps to meet HIPAA’s and the HITECH Act’s requirements, including using the Office 365 and CRM Online service appropriately and training your employees to do the same. Read the sections below to understand the same and for resources to refer.
You can create HIPAA related DLP policies in Office 365 >> Exchange Admin Center >> Compliance Management >> Data Loss Prevention >> Click on “+” >> Choose ‘New DLP policy from template’ >> Scroll and Choose “U.S. Health Insurance Act (HIPAA)” under ‘Choose a template’ pane.
You can use the following article for reference: Create a DLP Policy From a Template
The default HIPAA rules scan emails and use 'U.S. Social Security Number (SSN)' or 'Drug Enforcement Agency (DEA) Number' as triggers.
Additionally, U.S. Passport Number, U.S. Bank Account Number, U.S. Driver’s License Number, U.S. Individual Taxpayer Identification Number (ITIN) can be added to the checklist from available templates.
If however, screening emails for information like Date of Birth, is a necessity, customized rules can be made to trigger compliance rules by scanning messages for keywords or specific text patterns. (Reference: Regular Expressions)
Office 365 and CRM Online help their customers stay compliant with HIPAA and the HITECH Act. However, to comply with HIPAA and the HITECH Act, a customer may need to sign a written agreement with Microsoft (called a business associate agreement or BAA) that complies with HIPAA’s and the HITECH Act’s requirements. Customers requiring a BAA should sign the BAA after the customer signs its standard agreement(s) with Microsoft for the service but before uploading or transferring health information to the service.
Customers should read the Business Associate Agreement and the HIPAA Implementation Guidance, which provide the legal guarantees and recommended requirements for using Office 365 and Microsoft Dynamics CRM Online with HIPAA and the HITECH Act.
Note: Customers need IT Admin privileges to view and sign the agreement.
EA customers can contact the Microsoft account sales team they have been working with to sign a HIPAA/HITECH Act BAA.
Once on this page, you should review the agreement called “Office 365 and CRM Online HIPAA/HITECH Business Associate Agreement [English]” by clicking on that link. When you are done reviewing the agreement, check the box next to the agreement, type in your name, and click “Accept” to accept its terms.
While customers can use Office 365 and CRM Online and remain compliant with HIPAA and the HITECH Act, using Office 365 and CRM Online does not on its own achieve HIPAA compliance. Your organization also needs to ensure it has taken appropriate steps to meet HIPAA’s and the HITECH Act’s requirements, including using the Office 365 and CRM Online service appropriately and training your employees to do the same.
To assist customers with this task, Microsoft has developed HIPAA Implementation Guidance. The guidance describes concrete steps your organization should take to maintain HIPAA and HITECH Act compliance while using Office 365 and CRM Online. Office 365 and CRM Online help enable our customers HIPAA compliance, provided the customer has an adequate compliance program and internal processes in place, including those described in the HIPAA Implementation Guidance.
The first step is to review the Microsoft Online Services Terms (OST) . Please follow the link, and after choosing the preferred language, download the OST document. The HIPAA BAA is discussed on page 7:
HIPAA Business AssociateIf Customer is a “covered entity” or a “business associate” and includes "protected health information" in Customer Data as those terms are defined in 45 CFR § 160.103, execution of Customer’s volume licensing agreement includes execution of the HIPAA Business Associate Agreement (“BAA”), the full text of which identifies the Online Services to which it applies and is available at https://aka.ms/BAA .Microsoft products or services not covered by the BAA are not intended or suitable for storage or processing of PHI. Microsoft provides additional HIPAA guidance on the Office 365 Trust Center under the Continuous Compliance section. Direct links are HIPAA FAQs and HIPAA Implementation GuidanceThe OST states that when a customer signs an Online Services agreement, they are HIPAA compliant and have signed a BAA. The Online Services Agreement is considered signed at the time the Office 365 tenant is established, making the BAA automatically valid, in force and satisfying the HIPAA obligation for health care providers to obtain a signed BAA.
If Microsoft becomes aware of a security incident, we will both report this according to our standard notification procedures and, if the security incident involved HIPAA protected health information, we will also report the incident to the individual administrator that the customer has identified as its HIPAA administrative contact. Volume licensing customers should follow the instructions in the BAA document to provide their contact details for security incident notifications.
To know more about other DLP policy templates that are available – Please refer to the following articles.
- DLP Policy Templates
- DLP Policy Templates Supplied in Exchange
- Policy Templates from Microsoft Partners
- Define Your Own DLP Templates and Information Types
- How DLP Rules are Applied to Evaluate Messages