Microsoft Outlook is HIPAA compliant and can be used to send emails containing Protected Health Information provided customers subscribe to an appropriate Microsoft plan with the capabilities to support HIPAA compliance and agree to the terms of Microsoft’s Business Associate Agreement.
In order to make Microsoft Outlook HIPAA compliant, system administrators must configure Outlook’s settings to comply with applicable standards and implementation specifications of the Security Rule. In addition, it will be necessary for covered entities and business associates to train members of the workforce how to use Microsoft Outlook in compliance with HIPAA.
Selecting an Appropriate Microsoft Plan
Microsoft Outlook comes in a number of product “formats”. Some formats do not support HIPAA compliance because they are consumer products (i.e., outlook.com) or because they are not “in-scope” (i.e., the Outlook app in Office 2021). The formats that do support HIPAA compliance are listed on Microsoft’s web page dedicated to HIPAA and HITECH compliance.
Most covered entities and business associates that use the Outlook email service will do so as part of a Microsoft 365 or Office 365 plan. There are multiple plan types, and to help organizations select the most appropriate plan for their requirements, Microsoft has produced a comparison table which includes a list of security and compliance add-on subscriptions.
To work out what their requirements are, covered entities and business associates should conduct a risk assessment to identify “reasonably anticipated” threats to the confidentiality, integrity, and confidentiality of Protected Health Information (PHI). The risk assessment should also identify ways in which members of the workforce might impermissibly disclose PHI.
Using the results from the risk assessment, covered entities and business associates should be able to compile a Microsoft Outlook HIPAA compliant checklist. The checklist can be compared against Microsoft’s comparison table to identify which plan (with or without add-on subscriptions) is most appropriate for supporting HIPAA compliance efforts.
The Microsoft Business Associate Agreement
Microsoft offers hyper-scale, multi-tenanted services for thousands of healthcare customers and cannot enter into individual Business Associate Agreements with each one. Instead, Microsoft offers a standard Business Associate Agreement to all covered entities and business associates which includes standard customer responsibilities and provider terms.
Covered entities and business associates are advised to obtain and review a copy of the Business Associate Agreement before agreeing to the terms. This is because Microsoft states it will not respond to right of access requests (because PHI is not maintained in designated record sets), and also gives notice of unsuccessful security incidents (rather than reporting each one).
Covered entities and business associates have to agree to the terms of the Business Associate Agreement to make Microsoft Outlook HIPAA compliant. However, customers are assumed to have agreed to the terms when they enter into a service agreement (i.e., for Microsoft 365) which includes an Online Products and Services Data Protection Addendum.
It is also advisable for covered entities and business associates to obtain and review the Data Protection Addendum before subscribing to a Microsoft plan. This is because, in addition to having to comply with HIPAA, organizations in some locations are required to comply with state data privacy laws – which may preempt HIPAA or which may have more stringent data retention and/or deletion requirements than Microsoft’s standard terms.
Making Microsoft Outlook HIPAA Compliant
Despite the Data Protection Addendum and the Business Associate Agreement, Microsoft Outlook does not support HIPAA compliance “out of the box”. In order to make Microsoft Outlook HIPAA compliant, system administrators must configure settings such as Access Controls and Mailbox Permissions to comply with the Technical Safeguards of the Security Rule.
Due to the range of products and services in Microsoft plans, the different ways in which the products and services can be used, and existing security measures that might duplicate the capabilities of the Microsoft plans, Microsoft does not provide a HIPAA Implementation Guide, but only offers limited “Implementation Guidance” (PDF downloads directly from this link).
Covered entities and business associates unfamiliar with Microsoft 365 and Office 365 can take advantage of the Admin Center help pages to configure Outlook’s settings to comply with the applicable safeguards and implementations specifications. Alternatively, it is possible to reach out to Microsoft support depending on the level of support included in the Microsoft plan.
Once the settings are configured, they can be tested using the Purview Compliance Manager. This add-on can be used to apply Data Loss Prevention policies to PHI stored in emails and storage volumes such as OneDrive, and to monitor user activity in Outlook (as well as in Skype, Yammer, and Teams) to identify accidental or deliberate impermissible disclosures of PHI.
Training Members of the Workforce to Use Outlook
The content of HIPAA training for Outlook will depend on the existing HIPAA knowledge of workforce members. For example, it may be necessary to educate members of the workforce on what is considered PHI under HIPAA, when PHI can be used or disclosed in compliance with the Privacy Rule, and when the minimum necessary standard applies to email communications.
It is also important that members of the workforce are told not to include PHI in the subject lines of emails. This is because, when Microsoft encrypts PHI in transit, it does not encrypt the to, cc, bcc, or subject line fields. Organizations concerned that PHI might be exposed in error are advised to adopt an email security service to protect PHI from unauthorized access.
The risk of many other accidental disclosures can be mitigated by applying user policies in the Purview Compliance Manager. However, two issues a HIPAA compliant Microsoft Outlook service cannot eliminate are the failure to use the bcc field when emailing multiple recipients, and sending emails to the wrong recipients. HIPAA training must cover these two issues.
Thereafter, depending on what other Microsoft 365 or Office 365 services are being used, it may be important to train members of the workforce on compliantly archiving PHI received in emails and sharing files via services such as OneDrive. It may be also be important to highlight services not covered by the Business Associate Agreement (i.e., contacts) in which PHI cannot be stored.
Is Microsoft Outlook HIPAA Compliant? Conclusion
There are four stages to making Microsoft Outlook HIPAA compliant and using it in compliance with HIPAA. The first is to select an appropriate Microsoft plan because selecting a plan that lacks the capabilities an organization requires to comply with HIPAA could lead to HIPAA violations, while selecting a plan with capabilities that will not be used is a waste of money.
The second stage is to review the Data Protection Addendum and Business Associate Agreement before committing to a subscription. It is essential that, if these documents are acceptable to a covered entity or business associate, they are digitally signed before any Microsoft 365 or Office 365 service is used to create, receive, store, or transmit PHI.
The third stage of making Microsoft Outlook HIPAA compliant is to configure the settings to ensure Outlook complies with the applicable standards and implementation specifications of the Security Rule. This stage includes developing and applying user and Data Loss Prevention policies, and setting up alerts to notify administrators of impermissible disclosures.
Finally, members of the workforce must receive training on how to use Microsoft Outlook in compliance with HIPAA. The amount of training required will depend on existing knowledge levels and susceptibility to threats from phishing, spam, and malware. Covered entities and business associates who require assistance with any stage of making Microsoft Outlook HIPAA compliant are advised to seek help from a compliance expert with experience of Outlook.