Microsoft 365 and HIPAA Compliance

09 Feb. 22

One issue businesses face when adopting new software or MSP tools is making sure the tool meets the company's own compliance standards and, by extension, the standard known as HIPAA compliance. Before we can get into whether or not Microsoft 365 is HIPAA compliant, we need to explain what HIPAA is, what it covers, and why it exists.

HIPAA Explained

The Health Insurance Portability and Accountability Act, or HIPAA, is a U.S. law passed in 1996. While originally written for the U.S., HIPAA is now treated as an industry standard in countries across the world. The act covers the data privacy and security regulations that healthcare and medical care practitioners must follow to make sure sensitive medical records and information are protected from data breaches, cyber-attacks, ransomware, and hackers. While HIPAA has a number of purposes beyond security measures for medical industry compliance, we'll be strictly discussing HIPAA and its Title II privacy provisions as laid out in the law.

HIPAA Privacy Explained

In order for a medical or healthcare practitioner to follow proper HIPAA compliance, the following elements related to medical information and files must be protected:

  • The name, address, birth date, and social security number of the patient.
  • The mental or physical health condition of the patient.
  • The care or procedures provided to the patient.
  • Any information which concerns the payment, care, or other information which may reveal the identity of the patient.

In addition to this, HIPAA has security rules in place which help set standards for securing, storing, and transferring patient data. This means the business in question must use safeguards for both physical and electronic storage, as well as for maintenance of the stored information. Finally, let's cover HIPAA compliance in general. HIPAA compliance means health care organizations that rely on services or third-party vendors and tools, such as IT providers or software, must follow and comply with HIPAA regulations and use only verified vendors approved by the HIPAA Alliance Marketplace. These verified vendors are known as Business Associates, or BAs.

Requirements for HIPAA Business Associates

In order for a vendor to be considered for a HIPAA Business Associate contract, the contract must meet the following requirements:

  • Describe how the BA is permitted to use, and actually uses, PHI (protected health information).
  • The BA will not use or disclose PHI unless specified in the signed contract or within the boundaries of the law.
  • The BA must use appropriate security measures in accordance with HIPAA and the contract terms.
  • Require the BA to take reasonable steps in the event of a HIPAA breach once it becomes aware of a possible breach.
  • Moreover, the BA must report any such events to the OCR.

With all of this information in mind, it is important to remember that many software and email platforms are not fully HIPAA compliant on their own. However, there are ways to close the gap when using them. For one, using an email system with security features for uploading and transferring data is one method of meeting HIPAA compliance. With all this information to draw from, let's now review Microsoft 365 and see if it meets HIPAA compliance standards.

Microsoft 365 and HIPAA Compliance

Microsoft is a longtime supporter of HIPAA compliance across a variety of its services, from the Office suite and Office 365 to the enterprise versions of Microsoft 365. However, not all packages offered for Microsoft 365 meet all the requirements of HIPAA. This is why purchasing the correct package for your Microsoft 365 system is important in the context of compliance.

In order to use these services and have them covered under the BA compliance standards, you'll need to take extra care to make sure you and your team are using these programs correctly and configuring them for HIPAA compliance. For this, it's recommended to use Microsoft 365's enterprise package, as it offers enterprise-level encryption, Microsoft Exchange Online Protection, data loss prevention (DLP), and the ability to remotely wipe your mobile devices. Additionally, you'll need to consider the following elements:

  • The services are used and properly configured.
  • Access controls for admins are set up.
  • Regular audit logs are kept and maintained.
  • Single sign-on and two-factor authentication are mandatory.
  • Data backups are performed regularly.
  • Proper staff training on the use of email when communicating ePHI.
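Several items on that list (audit logging, DLP, mandatory multi-factor authentication) can be verified rather than assumed. The following read-only script is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and that the account running it holds Exchange, Compliance and Conditional Access read permissions. It reports on the settings but changes nothing, so it is safe to run as part of a periodic compliance review.

```powershell
# Added example: read-only compliance spot-check for a Microsoft 365 tenant.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed.
# Nothing here modifies the tenant; every call is a Get-*.

Connect-ExchangeOnline -ShowBanner:$false

# 1. "Regular audit logs are kept": is unified audit log ingestion on?
$auditCfg = Get-AdminAuditLogConfig
[PSCustomObject]@{
    Check  = 'Unified audit log ingestion enabled'
    Result = $auditCfg.UnifiedAuditLogIngestionEnabled
}

# 2. Mailbox auditing: organisation-wide switch plus any user mailbox that has it off.
$orgCfg = Get-OrganizationConfig
if ($orgCfg.AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled at the organisation level'
}
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit

# 3. "Data loss prevention": list DLP policies and whether they are enforcing or only testing.
Connect-IPPSSession
Get-DlpCompliancePolicy | Select-Object Name, Mode

# 4. "Two-factor authentication are mandatory": enumerate Conditional Access policies
#    and their state so an auditor can see which ones actually require MFA.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State,
        @{ Name = 'GrantControls'; Expression = { $_.GrantControls.BuiltInControls -join ',' } }

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph
```

A DLP policy whose Mode is anything other than Enable is only simulating, and a Conditional Access policy whose State is not enabled is not enforcing MFA, so both columns deserve a look rather than a count of rows; the ePHI-handling staff training item on the list has no technical check and stays a process control.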

As you can see, when utilized and configured properly, Microsoft 365 can meet HIPAA compliance fairly easily. It's important to keep your staff informed on these matters, making them a regular part of meetings or newsletters. If you're still struggling to maintain proper HIPAA compliance, you can consider contacting Let's Nurture for a free consultation regarding its setup. We've been providing tech solutions for businesses for over two decades, with real-world solutions for whatever your business needs.
