Office 365 becomes first and only major cloud service to meet the rigors of U.S. HIPAA requirements

Concerns over security and privacy are common barriers holding some education institutions back from moving to cloud computing. Microsoft has been making deep investments in security, privacy and compliance in our products to help our customers move to the cloud with confidence. Today, I am happy to share that Microsoft announced that Office 365 now provides the physical, administrative and technical safeguards, together with built-in privacy and security capabilities, needed to address the business associate requirements of HIPAA. This is a fantastic development that will enable teaching hospitals and medical centers around the U.S. to deploy Office 365 with the reassurances they require around privacy and security when handling Electronic Protected Health Information (ePHI).
The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a U.S. statute with accompanying regulations that applies to healthcare entities such as hospitals, academic medical centers, insurance companies and doctors’ offices (“covered entities”). HIPAA governs the use, disclosure and safeguarding of protected health information (“PHI”). HIPAA has been expanded by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which also imposes requirements on covered entities’ vendors who use and disclose PHI. This vendor relationship requires the covered entity and the business associate to sign a business associate agreement (“BAA”). When healthcare customers who are covered entities use our Office 365 services, they may be storing and transmitting PHI in our data centers. In connection with that, Office 365 is now the first and only cloud productivity service to proactively provide a BAA to HIPAA covered entity customers as part of the service terms.
There are about 1,100 teaching hospitals in the United States. This translates into millions of patient treatments and many thousands of newly trained medical professionals each year. The impact that cutting-edge communication and collaboration technology can have in this sector is unquestionable. However, because the patient data being handled is extremely sensitive, regulation requires that the right security and privacy measures be built into the solutions that handle it. By providing our education customers a BAA for Office 365, teaching hospitals and university medical centers now have the option to enjoy significant cost benefits and industry-leading communication and collaboration technologies with the reassurances around compliance they need from Microsoft. Academic institutions that are involved in medical research and handle electronic PHI in their daily activities can also now use Office 365 where they could not before.
We take our responsibility to deliver reliable services very seriously. For more on Microsoft’s specific data protection policies, procedures and tools that have been integrated into Office 365, please read this white paper. The Office 365 Trust Center also provides in-depth information on our security and privacy practices (

Comments (1)

  1. Father1234 says:

    Can the security breaches (published in Microsoft bulletins) adversely affect HIPAA protected medical records in HealthVault and EHR companies like Allscripts etc. (Microsoft “Partners”)?