There is no absolute answer to the question "Is Microsoft Teams HIPAA compliant?" because there are several versions of the Microsoft Teams platform, some of which can support HIPAA compliance and some of which cannot. Furthermore, HIPAA compliance does not depend only on which version is implemented, but also on how it is configured and used.
When Microsoft Teams launched in 2017, it was a feature-limited collaboration platform intended to compete with Slack. As new capabilities were added, Microsoft Teams evolved into a valuable tool for healthcare providers who can use the platform – for example – to schedule and host virtual appointments, manage workflows, and conduct HIPAA training.
However, not every version of Microsoft Teams supports HIPAA compliance. Neither the free version nor the Essentials version of Microsoft Teams supports HIPAA compliance, and some Office 365 and Microsoft 365 Business Plans only support HIPAA compliance when the additional “security” and “compliance” add-ons are subscribed to.
Configuring Microsoft Teams to Support HIPAA Compliance
There is no one-size-fits-all solution to configuring Microsoft Teams to support HIPAA compliance because some Microsoft Business Plans (and particularly the Microsoft Cloud for Healthcare) have more advanced capabilities than others – some of which may be pre-configured to support HIPAA compliant user authentication, access controls, and audit logs.
It is also the case that different healthcare providers may use Microsoft Teams in different ways. For example, some may only use the platform for internal collaboration, while others may also invite external collaborators to group meetings. Similarly, some healthcare providers might not use Microsoft Teams to conduct virtual visits, while others may rely on it.
To help healthcare providers configure Microsoft Teams to support HIPAA compliance, Microsoft has published a guide to “Customer Considerations and Tools for HIPAA Compliance”. Although some parts of the Guide will not be relevant for all healthcare providers, there are also some excellent suggestions for preventing inadvertent violations of HIPAA and avoidable data breaches.
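As an added illustration (not from the original article and not from Microsoft’s guide), the PowerShell below reports a handful of tenant settings that bear on the points above: whether unauthenticated or consumer-account users can join meetings, whether guest access is enabled, and whether the unified audit log is switched on. The settings chosen, the “expected” baseline values, and the read-only reporting style are assumptions made for this example, not requirements from Microsoft’s guide or from HIPAA; the cmdlets come from the MicrosoftTeams and ExchangeOnlineManagement modules and require an administrator sign-in.

```powershell
# Added example: read-only review of Teams tenant settings that affect PHI exposure.
# Requires the MicrosoftTeams and ExchangeOnlineManagement modules and an admin account.
# The "Expected" values are an assumed restrictive baseline for this example, not a HIPAA mandate.

Connect-MicrosoftTeams | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

$meeting    = Get-CsTeamsMeetingPolicy -Identity Global
$federation = Get-CsTenantFederationConfiguration
$client     = Get-CsTeamsClientConfiguration -Identity Global
$audit      = Get-AdminAuditLogConfig

# Each entry: a readable name, the current tenant value, and the assumed baseline value.
$checks = @(
    @{ Name = 'Anonymous users can join meetings';   Actual = $meeting.AllowAnonymousUsersToJoinMeeting;  Expected = $false },
    @{ Name = 'Anonymous users can start meetings';  Actual = $meeting.AllowAnonymousUsersToStartMeeting; Expected = $false },
    @{ Name = 'Users auto-admitted from the lobby';  Actual = $meeting.AutoAdmittedUsers;                 Expected = 'EveryoneInCompany' },
    @{ Name = 'Chat with Skype consumer accounts';   Actual = $federation.AllowPublicUsers;               Expected = $false },
    @{ Name = 'Chat with Teams consumer accounts';   Actual = $federation.AllowTeamsConsumer;             Expected = $false },
    @{ Name = 'Guest access enabled';                Actual = $client.AllowGuestUser;                     Expected = $false },
    @{ Name = 'Unified audit log ingestion enabled'; Actual = $audit.UnifiedAuditLogIngestionEnabled;     Expected = $true }
)

# Build one row per setting and flag deviations from the baseline. Nothing is changed.
$findings = foreach ($c in $checks) {
    [pscustomobject]@{
        Setting  = $c.Name
        Actual   = $c.Actual
        Expected = $c.Expected
        # Compare as strings so booleans and enum names are handled uniformly.
        Status   = if ("$($c.Actual)" -eq "$($c.Expected)") { 'OK' } else { 'REVIEW' }
    }
}

$findings | Format-Table -AutoSize

# Non-zero exit when anything needs review, so the script can run as a scheduled check.
if ($findings.Status -contains 'REVIEW') { exit 1 }
```

The script only reads configuration; any setting flagged REVIEW should be evaluated against how the organization actually uses Teams (for instance, a provider that hosts virtual visits with patients may deliberately allow anonymous join and rely on the lobby instead) before it is changed with the corresponding Set- cmdlet.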
A BAA is Necessary to Make Microsoft Teams HIPAA Compliant
If an organization is going to use Microsoft Teams to create, receive, maintain, or transmit electronic PHI, configuring the platform to support HIPAA compliance and training members of the workforce to use it compliantly are not sufficient on their own: a Business Associate Agreement (BAA) with Microsoft is also necessary to make Microsoft Teams HIPAA compliant.
However, rather than signing each covered entity’s own Business Associate Agreement, Microsoft offers a standard BAA covering its “in-scope” services, which covered entities enter into automatically when they subscribe to a qualifying Office 365 or Microsoft 365 business plan or to the Microsoft Cloud for Healthcare. This simplifies the BAA process, but the standard BAA contains clauses that some organizations may find contentious.
Two of these clauses are common among cloud service providers. First, Microsoft does not individually report unsuccessful security incidents (for example, blocked port scans or failed log-on attempts that do not result in unauthorized access to PHI); the BAA itself is treated as ongoing notice of such attempts, even though §164.314(a)(2)(i)(C) requires a BAA to oblige the business associate to report security incidents of which it becomes aware. Second, Microsoft will not respond to patients’ requests for access to their PHI, because the covered entity retains access to the ePHI it stores in Microsoft’s services and remains responsible for fulfilling those requests under §164.524. Additionally, the BAA prohibits covered entities from storing PHI in directory information, such as user names, e-mail addresses, and other account profile attributes.
While these may be minor considerations for some covered entities, and for upstream business associates that subcontract services to Microsoft, they may matter more to others. If your organization has concerns about how its operations may be affected by Microsoft’s BAA, or by any other action required to make Microsoft Teams HIPAA compliant, it is recommended that you seek professional compliance advice.