Because no software is HIPAA compliant by default, HIPAA Covered Entities and Business Associates that use or disclose PHI via the Microsoft Teams platform need to know how to make Microsoft Teams HIPAA compliant.
Microsoft Teams is a sophisticated communications platform with secure chat, video, and file-sharing capabilities. Due to the many integrations and add-ons included in Microsoft’s business plans, the platform is widely adopted throughout the healthcare industry to “bridge the gap between in-person and remote teammates”, enhance collaboration, and streamline workflows.
However, if any activities involve uses or disclosures of PHI, or the platform is used to provide telehealth services to patients, it is necessary to make Microsoft Teams HIPAA compliant. It is important to note that making Microsoft Teams HIPAA complaint involves more than signing the Microsoft Business Associate Agreement automatically included with healthcare business plans.
How to Make Microsoft Teams HIPAA Compliant
To make Microsoft Team HIPAA compliant, it is necessary to subscribe to an Office 365 or Microsoft 365 business plan, or to the Microsoft Cloud for Healthcare service. This is because the Microsoft Business Associate Agreement is only offered to customers who subscribe to business plans and services. Consequently, communicating PHI via a personal Teams plan is a HIPAA violation.
Thereafter, when evaluating business plans and services, it is important to be aware some plans and services lack specific capabilities required to make Microsoft Teams HIPAA compliant. For example, two of the three “Frontline Worker” plans lack adequate identity and access management controls to comply with §164.312(a)(1) of the HIPAA Security Rule (the Technical Safeguards).
In such circumstances, it is possible to make Microsoft Teams HIPAA compliant by subscribing to an add-on security plan (or compliance plan where appropriate). However, this may mean a Covered Entity or Business Associate is paying for a package of multiple security capabilities to access only one security capability – the rest being a waste of money if they are never used.
Configuring Microsoft Teams to be Compliant
Once an organization has selected a plan to meet its requirements (and add-ons where necessary), Microsoft Teams then has to be configured correctly to be compliant. Depending on the plan chosen, and the devices the platform will be used on, this may mean activating the automatic log-off feature, installing the EHR Connector, and disabling Data Loss Prevention for external users.
While it may see counter-intuitive to disable Data Loss Prevention – as it is a capability that prevents sensitive data being shared with external users – if the platform is going to be used for telehealth services, patients are usually invited to meetings as “guests”. If the capability is enabled, this would mean healthcare professionals would be unable to share test results, images, and other PHI with patients, and might revert to an alternative – possibly unsecure – channel of communication.
In addition to configuring Microsoft Teams to be HIPAA compliant, it will also be necessary to configure any apps integrated with the platform to be compliant. These include (but are not limited to) Lists, Tasks, Approvals, Bookings, and Shifts apps, plus any Outlook or Office services used alongside the Teams platform. All apps that have access to PHI must be configured to comply with the Administrative, Physical, and Technical Safeguards of the Security Rule.
Using Microsoft Teams Compliantly
As mentioned in the introduction to this article, no software is HIPAA compliant be default. It is how the software is configured and used that determines compliance – and, in the context of answering the question is Microsoft Teams HIPAA compliant, the use of the platform is the key consideration. Consequently, policies must be developed on the compliant use of Microsoft Teams and sanctions enforced when users try to circumnavigate its controls or violate HIPAA due to a lack of attention.
There are two further concerns with using Microsoft Teams in compliance with HIPAA – patient identity verification and the confidentiality of PHI disclosed during a telehealth consultation. Neither concern is accounted for in the Privacy Rule because telehealth was not widely available when the Privacy Rule was published. Nonetheless, members of the workforce must be trained in verifying a remote patient’s identity and ensuring the content of the consultation remains confidential.
Anecdotal evidence implies the latter can often be difficult. While it is possible for healthcare professionals to ensure their end of a communication is secure, a patient may have caregivers, translators, or family members present during a consultation. They might also be connecting to a consultation from work, while on vacation, or via an unsecure public Wi-Fi service. Therefore, healthcare professionals may have to use their judgement to decide whether to continue with a consultation in difficult circumstances.
Is Microsoft Team HIPAA Compliant? Summary
Microsoft Teams supports HIPAA compliance depending on what plan is subscribed to, how the platform is configured, and how it is used. However, as Microsoft notes, using a service that supports HIPAA compliance does not on its own support HIPAA compliance. Organizations are responsible for implementing an adequate compliance program and internal processes to ensure the use of Microsoft services aligns with organizations’ obligations under HIPAA and the HITECH Act.