A question our team gets asked frequently is “Is Office 365 from Microsoft HIPAA compliant?” The short answer is that it can be. Microsoft will sign a Business Associate Agreement and the service can be configured to meet your HIPAA obligations, but compliance is a property of how your tenant is configured and how your people use it, and a misconfigured tenant is not compliant.
Out of the box, with the default settings, it is NOT compliant.
Not every business has to abide by the HIPAA regulations, but the safeguards they describe are good practices that any business handling sensitive data should have in place.
Here are 5 things you must do to make your Office 365 HIPAA compliant:
Keep PHI Out of Unencrypted Fields
1. Your data is encrypted at rest in Microsoft’s datacenters. Message-level encryption (Office 365 Message Encryption, S/MIME) protects the body and attachments of an email, but not the subject line or the message headers, and file names show up in the clear in sharing notifications, links and audit logs. It is your responsibility to train employees not to put PHI in subject lines, file names or headers, to document that training, and to give them reference documentation so they keep following these practices.
Enable Audit Logging
2. Audit logging should be enabled for the entire tenant: the unified audit log plus mailbox auditing. HIPAA’s audit-control requirement means you must be able to show who accessed what data, from where, and at what time, and these logs are your evidence of access management. Turn them on before you need them, because events are only recorded from the moment logging is enabled, and check the retention period, which by default is far shorter than most compliance retention schedules, so export or forward the logs you need to keep.
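As an added example (not from the original post), the following PowerShell checks and enables the unified audit log and mailbox auditing in an Office 365 tenant, then pulls a seven-day “who accessed what” report. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds the Audit Logs role; the operation names, the seven-day window and the output file name are choices for this example, not requirements.

```powershell
# Added example: enable auditing in Office 365 and export an access report.
# Assumes: Install-Module ExchangeOnlineManagement has been run and the account
# used has the Audit Logs / Compliance Management role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; use -AppId/-CertificateThumbprint for automation

# 1. Unified audit log: check whether ingestion is on, and turn it on if not.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing: AuditDisabled $false means "auditing on by default" for the
#    tenant. Then list any mailbox where it was explicitly switched off.
Set-OrganizationConfig -AuditDisabled $false
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object UserPrincipalName, AuditEnabled

# 3. Evidence of access: file and mailbox access over the last 7 days (window chosen
#    for this example). Search-UnifiedAuditLog returns at most 5000 rows per call, so
#    a session ID with ReturnLargeSet is used to page through larger result sets.
$start   = (Get-Date).AddDays(-7)
$end     = Get-Date
$session = [guid]::NewGuid().ToString()
$events  = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations FileAccessed,FileDownloaded,MailItemsAccessed `
        -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
    $events += $page
} while ($page -and $page.Count -eq 5000)

# 4. Flatten the JSON AuditData column into a reviewable table for the compliance file.
$report = $events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        User      = $_.UserIds
        Operation = $_.Operations
        Object    = $d.ObjectId      # file path or mailbox item touched
        ClientIP  = $d.ClientIP      # where the access came from
    }
}
$report | Sort-Object Time | Export-Csv -Path .\phi-access-last7d.csv -NoTypeInformation
```

Run this once to enable logging and again on a schedule to produce the report; the CSV, not a screenshot of the portal, is what you hand an auditor. Because retention in the tenant is limited, forward the same events to a SIEM or archive if you need them beyond the default window.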
Backing Up Data
3. The HIPAA Security Rule’s contingency-plan standard requires a data backup plan: retrievable, exact copies of ePHI. That covers not only your server data but also your cloud data, and yes, that includes Office 365 data even though it already lives in the cloud. Microsoft’s own resilience protects against datacenter failure, not against an admin error, a ransomware-encrypted OneDrive or a mailbox deleted past its retention window, so keep a backup copy outside the tenant (your own or a 3rd-party backup service) so recovery is possible if the primary data is breached, damaged or deleted. In their services agreement, Microsoft states, “We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”
This means you need a backup method of your own rather than relying on Microsoft to back up your Office 365 data. Test the restore, not just the backup: a plan B you have never exercised is not a plan. When sensitive data is in the mix, losing it is not an option for your business.
Have a Business Associate Agreement
4. This recommendation is mainly for businesses that must be HIPAA compliant. A BAA (Business Associate Agreement) should be on file with your office administrative contact. A BAA is a written agreement that specifies each party’s responsibilities for Protected Health Information (PHI). Your business should have a BAA with every vendor that handles PHI on your behalf, and Microsoft is no exception. Microsoft’s BAA is included in its Product Terms for the covered services, which makes this the easiest task on the list, but you still need to confirm which of the Microsoft services you use are covered and keep a copy on file. You may download a copy of their latest BAA here.
2-Factor Authentication (2FA) Enabled
5. Every account on Office 365 should have 2-Factor Authentication (Microsoft calls it multi-factor authentication, MFA) enabled, administrators first. Microsoft’s BAA covers Microsoft’s handling of PHI; it does not cover your tenant’s access controls, and an account that can reach PHI with nothing but a password is the gap an auditor will find under the Security Rule’s access-control and authentication requirements. 2FA is not difficult to turn on, so don’t put your compliance at risk by leaving it off. Enforce it tenant-wide with a Conditional Access policy (or security defaults on plans without Conditional Access) rather than hoping users opt in, and keep a single break-glass account excluded, monitored and locked away. Passwords are cheap to obtain: leaked credential dumps, password reuse and phishing kits are all readily available. Even with your password in hand, an attacker has a much harder time getting past a second factor, and phishing-resistant methods (FIDO2 security keys, Windows Hello for Business) close the gap that SMS codes and push prompts still leave.
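As an added example (not from the original post), the following Microsoft Graph PowerShell creates a Conditional Access policy that requires MFA for all users, starts it in report-only mode, and then lists users who still have nothing stronger than a password registered. It assumes the Microsoft.Graph modules are installed, that the tenant has an Entra ID P1 licence (Conditional Access), and that you substitute the object ID of your own break-glass account for the placeholder GUID; the policy name is a choice for this example.

```powershell
# Added example: require MFA for every user via Conditional Access.
# Assumes: Install-Module Microsoft.Graph has been run, Entra ID P1 is licensed, and
# $breakGlassId below is replaced with your emergency-access account's object ID.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All",
                        "User.Read.All","UserAuthenticationMethod.Read.All"

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real account

$policy = @{
    displayName = "HIPAA - Require MFA for all users"
    # Report-only first: review the sign-in logs, then change to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify: which policies grant MFA, and are they enforced or still report-only?
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -contains "mfa" } |
    Select-Object DisplayName, State

# Registration gap: users whose only registered method is a password. Once the
# policy is enforced they will be prompted to register at next sign-in; chase
# administrators and anyone handling PHI before that day rather than after.
$passwordOnly = Get-MgUser -All -Property Id,UserPrincipalName | ForEach-Object {
    $methods = Get-MgUserAuthenticationMethod -UserId $_.Id
    $strong  = $methods | Where-Object {
        $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
    }
    if (-not $strong) { $_.UserPrincipalName }
}
$passwordOnly
```

Leave the policy in report-only mode long enough to see every application and service account that would be blocked, then flip `state` to `enabled`. Tenants without Entra ID P1 cannot use Conditional Access; enabling security defaults in the Entra admin center requires MFA registration for all users instead, with less granularity. Whichever route you take, the excluded break-glass account should have a long random password stored offline and an alert on any sign-in.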
If you need help making your Office 365 compliant or implementing any of these recommendations, you can contact us and our team will be happy to help.