HIPAA Compliance with Office 365 (Exchange Online) – Steps for Configuration and Use


Office 365 provides access virtually anywhere to email, calendar, HD videoconferencing, and enterprise social networking across devices. What’s more, it’s designed to meet health requirements for patient-centered collaboration, user productivity, robust security, and adherence to privacy regulations such as HIPAA, ISO 27001, and EU Model Clauses. With these tools, your health organization can increase efficiency and care collaboration across the entire care continuum. 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA enacted August 21, 1996)

HIPAA and the HITECH Act are U.S. federal laws that apply to healthcare companies, including most doctors’ offices, hospitals, and health insurers. They establish requirements for the use, disclosure and safeguarding of individually identifiable health information.

HIPAA and the HITECH Act apply to healthcare companies, including most doctors’ offices, hospitals, and health insurers. HIPAA and the HITECH Act also require these covered entities to sign written agreements (called business associate agreements or BAAs) with their service providers who provide certain functions using individually identifiable health information. BAAs impose privacy and security obligations on those service providers.

Exchange Online & HIPAA

Exchange Online Protection (EOP) will help you configure out of the box rules to enable your clients to be HIPAA compliant. The same is done using Data Loss Prevention (DLP) policies. 

Microsoft Exchange Online Protection (EOP) is a cloud-based email filtering service that helps protect your organization against spam and malware, and includes features to safeguard your organization from messaging-policy violations. EOP can simplify the management of your messaging environment and alleviate many of the burdens that come with maintaining on-premises hardware and software. DLP policies are simple packages that contain sets of conditions, which are made up of transport rules, actions, and exceptions that you create in the Exchange Administration Center (EAC) and then activate to filter email messages. You can create a DLP policy, but choose to not activate it. This allows you to test your policies without affecting mail flow.

While customers can use Office 365 and CRM Online and remain compliant with HIPAA and the HITECH Act, using Office 365 and CRM Online does not on its own achieve HIPAA compliance. Your organization also needs to ensure it has taken appropriate steps to meet HIPAA’s and the HITECH Act’s requirements, including using the Office 365 and CRM Online service appropriately and training your employees to do the same. Read the sections below to understand the same and for resources to refer.

Configuration

You can create HIPAA related DLP policies in Office 365 >> Exchange Admin Center >> Compliance Management >> Data Loss Prevention >> Click on “+” >> Choose ‘New DLP policy from template’ >> Scroll and Choose “U.S. Health Insurance Act (HIPAA)” under ‘Choose a template’ pane.

You can use the following article for reference: Create a DLP Policy From a Template

The default HIPAA rules scan emails and use 'U.S. Social Security Number (SSN)' or 'Drug Enforcement Agency (DEA) Number' as triggers.

Additionally, U.S. Passport Number, U.S. Bank Account Number, U.S. Driver’s License Number, U.S. Individual Taxpayer Identification Number (ITIN) can be added to the checklist from available templates.

If however, screening emails for information like Date of Birth, is a necessity, customized rules can be made to trigger compliance rules by scanning messages for keywords or specific text patterns. (Reference: Regular Expressions)

 

Important Read

For Reference: Office 365 & CRM Online HIPAA/HITECH Frequently Asked Questions

Office 365 and CRM Online help their customers stay compliant with HIPAA and the HITECH Act. However, to comply with HIPAA and the HITECH Act, a customer may need to sign a written agreement with Microsoft (called a business associate agreement or BAA) that complies with HIPAA’s and the HITECH Act’s requirements. Customers requiring a BAA should sign the BAA after the customer signs its standard agreement(s) with Microsoft for the service but before uploading or transferring health information to the service.

Customers should read the Business Associate Agreement and the HIPAA Implementation Guidance, which provide the legal guarantees and recommended requirements for using Office 365 and Microsoft Dynamics CRM Online with HIPAA and the HITECH Act.

Note: Customers need IT Admin privileges to view and sign the agreement.

EA customers can contact the Microsoft account sales team they have been working with to sign a HIPAA/HITECH Act BAA.

Once on this page, you should review the agreement called “Office 365 and CRM Online HIPAA/HITECH Business Associate Agreement [English]” by clicking on that link. When you are done reviewing the agreement, check the box next to the agreement, type in your name, and click “Accept” to accept its terms.

While customers can use Office 365 and CRM Online and remain compliant with HIPAA and the HITECH Act, using Office 365 and CRM Online does not on its own achieve HIPAA compliance. Your organization also needs to ensure it has taken appropriate steps to meet HIPAA’s and the HITECH Act’s requirements, including using the Office 365 and CRM Online service appropriately and training your employees to do the same.

To assist customers with this task, Microsoft has developed HIPAA Implementation Guidance. The guidance describes concrete steps your organization should take to maintain HIPAA and HITECH Act compliance while using Office 365 and CRM Online. Office 365 and CRM Online help enable our customers HIPAA compliance, provided the customer has an adequate compliance program and internal processes in place, including those described in the HIPAA Implementation Guidance.


The first step is to review the Microsoft Online Services Terms (OST)Please follow the link, and after choosing the preferred language, download the OST document. The HIPAA BAA is discussed on page 7:

HIPAA Business Associate

If Customer is a “covered entity” or a “business associate” and includes "protected health information" in Customer Data as those terms are defined in 45 CFR § 160.103, execution of Customer’s volume licensing agreement includes execution of the HIPAA Business Associate Agreement (“BAA”), the full text of which identifies the Online Services to which it applies and is available at http://aka.ms/BAA

Microsoft products or services not covered by the BAA are not intended or suitable for storage or processing of PHI. Microsoft provides additional HIPAA guidance on the Office 365 Trust Center under the Continuous Compliance section. Direct links are HIPAA FAQs and HIPAA Implementation Guidance

The OST states that when a customer signs an Online Services agreement, they are HIPAA compliant and have signed a BAA. The Online Services Agreement is considered signed at the time the Office 365 tenant is established, making the BAA automatically valid, in force and satisfying the HIPAA obligation for health care providers to obtain a signed BAA.


If Microsoft becomes aware of a security incident, we will both report this according to our standard notification procedures and, if the security incident involved HIPAA protected health information, we will also report the incident to the individual administrator that the customer has identified as its HIPAA administrative contact. Volume licensing customers should follow the instructions in the BAA document to provide their contact details for security incident notifications.

To know more about other DLP policy templates that are available – Please refer to the following articles.

Additional Resources
• Microsoft in Healthcare
• Microsoft in Health Blog

 

Comments (10)

  1. medIT says:

    thx for the leads folks. did some searching nucleuz was the right fit.

  2. Radiology Group says:

    @On Premise Exchange
    HIPAA compliance covers distribution of sensitive data not just where its stored.

    We’ve just signed with Nucleuz too.

  3. On Premise Exchange says:

    If only an on premise Exchange server is used and no offsite, remote or mobile email is used isn’t that, in effect, HIPPA compliant as all email is stored internally and secure?

  4. IT2Resource says:

    Any of the spammy posts above pointing to
    http://www.techni…..nfographics/ should be deleted, as they are just random spam. That included the posts from Priti Mahajan, Kiran Malhotra, and Tom Henry

  5. Simone says:

    Glad I came across this article. We use Nucleuz’s HIPAA policy at our hospital & university.

  6. HealthIT says:

    Looks like there’s some spam in the links above. We’re also using Nucleuz’s DLP Policy for HIPAA and it’s working much better.

  7. Tom Henry says:

    Its a really Awesome information and read such more on the link: http://www.technicaldr.com/tdr/patient-online-search-infographics/

  8. Kiran Malhotra says:

    The steps mentioned above are best and for more information for Infographics see the link: http://www.technicaldr.com/tdr/patient-online-search-infographics/

  9. Priti Mahajan says:

    I used the configuration stated by you thank you for that besides i also have same information on the link
    http://www.technicaldr.com/tdr/hipaa-theft-and-fines/

  10. DLP Guy says:

    If you're looking for a DLP Policy for Exchange on-prem, Exchange Online, or O365, which detects nearly all aspects required by HIPAA & HITECH, see http://www.nucleuz.com Nucleuz.com

Skip to main content