Microsoft Outlook and HIPAA Compliance

Software or an email platform can never be HIPAA compliant in itself, because compliance depends on how the software is used rather than on the software alone. Software and email services can, however, make it easier to comply with HIPAA. For that to be the case, the service must include the security features needed to ensure that information uploaded to it and transmitted through it is handled safely, without exposing the sensitive data it carries.

The platform provider must also sign a business associate agreement (BAA) with HIPAA-covered entities, committing to comply with the requirements of the HIPAA Privacy, Security, and Breach Notification Rules; without a BAA in place the service cannot be used for protected health information at all.

Microsoft has made many of its services suitable for healthcare organizations by agreeing to sign a business associate agreement. Importantly for healthcare groups, the BAA does not cover all of Microsoft's software and services. Microsoft's free, web-based consumer email service looks similar to the Outlook product included in the Office 365 package, but it is a different product: it is aimed at consumers, was not designed with businesses in mind, is not covered by the BAA, and should not be used by healthcare groups, at least not for transmitting ePHI.

Microsoft supports HIPAA compliance for its Office 365 range of applications and will sign a business associate agreement with healthcare groups for the enterprise version of Office 365; however, in order to comply with HIPAA it is important to purchase the right package. A vital part of HIPAA compliance is maintaining audit logs, which are not available in Office 365 for Business. HIPAA compliance is only supported for certain plans, and all of the features required for HIPAA compliance are only available in the Enterprise E3 and E5 subscriptions.

It is possible for Office 365 and the associated Microsoft Exchange Online service to be HIPAA compliant if covered by a BAA; however, care must be taken to configure these services correctly, and additional controls are needed before Office 365 Outlook can be deemed HIPAA compliant. Microsoft provides encryption (in transit, at rest, and optional message-level encryption), Microsoft Exchange Online Protection, data loss prevention (DLP), and the ability to remotely wipe data from mobile devices. Provided these services are implemented properly, access controls are established, audit logs are enabled and retained, single sign-on and two-factor authentication are switched on, data backups are carried out, and staff receive training on the use of email for communicating ePHI, Outlook can be HIPAA compliant. Simply signing a business associate agreement with Microsoft will not, by itself, guarantee compliance with HIPAA Rules.
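The controls listed above (audit logging, DLP, message encryption, mobile device controls) are tenant settings that can drift after they are first configured, so a practitioner will want a repeatable check rather than a one-time review. The following read-only script is an added example, not code from the original article or from Microsoft; it uses the documented Exchange Online (ExchangeOnlineManagement module) and Security & Compliance PowerShell cmdlets and reports a pass/fail line for each Exchange-side control. The control names, the pass thresholds (for example "at least one enforced DLP policy that covers Exchange"), and the `$findings` layout are this example's own choices, and it assumes the signed-in account holds a view-only Exchange and compliance role. Multi-factor authentication, conditional access, backups, and staff training live outside Exchange Online and are not checked here.

```powershell
# Added example: read-only review of Exchange Online HIPAA-relevant controls.
# Not from the article or from Microsoft. Assumes the ExchangeOnlineManagement
# module is installed and the account has view-only Exchange/compliance roles.
# Nothing below changes any setting.

# Interactive sign-in (supports MFA) to Exchange Online and to Security & Compliance PowerShell.
Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession

$findings = @()   # one object per control: Control, Pass, Detail

# 1. Audit logging: unified audit log ingestion, org-level mailbox auditing,
#    and no mailboxes silently excluded via an audit bypass association.
$adminAudit = Get-AdminAuditLogConfig
$findings += [pscustomobject]@{
    Control = 'Unified audit log ingestion enabled'
    Pass    = [bool]$adminAudit.UnifiedAuditLogIngestionEnabled
    Detail  = "UnifiedAuditLogIngestionEnabled=$($adminAudit.UnifiedAuditLogIngestionEnabled)"
}

$orgConfig = Get-OrganizationConfig
$findings += [pscustomobject]@{
    Control = 'Mailbox auditing not disabled at organization level'
    Pass    = -not $orgConfig.AuditDisabled
    Detail  = "AuditDisabled=$($orgConfig.AuditDisabled)"
}

$bypassed = @(Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled })
$findings += [pscustomobject]@{
    Control = 'No mailboxes bypass auditing'
    Pass    = ($bypassed.Count -eq 0)
    Detail  = "Bypassed: $($bypassed.Name -join ', ')"
}

# 2. Data loss prevention: at least one DLP policy in enforce mode that applies to Exchange.
#    Policies in a test mode only report; they do not block ePHI leaving the tenant.
$enforcedDlp = @(Get-DlpCompliancePolicy |
    Where-Object { $_.Mode -eq 'Enable' -and $_.Workload -match 'Exchange' })
$findings += [pscustomobject]@{
    Control = 'Enforced DLP policy covering Exchange'
    Pass    = ($enforcedDlp.Count -gt 0)
    Detail  = "Enforced policies: $($enforcedDlp.Name -join ', ')"
}

# 3. Message encryption: rights management licensing must be on for Office 365
#    Message Encryption, and an enabled mail-flow rule should actually apply it.
$irm = Get-IRMConfiguration
$findings += [pscustomobject]@{
    Control = 'Azure RMS licensing enabled (message encryption available)'
    Pass    = [bool]$irm.AzureRMSLicensingEnabled
    Detail  = "AzureRMSLicensingEnabled=$($irm.AzureRMSLicensingEnabled)"
}

$encryptRules = @(Get-TransportRule | Where-Object {
    $_.State -eq 'Enabled' -and ($_.ApplyOME -or $_.ApplyRightsProtectionTemplate)
})
$findings += [pscustomobject]@{
    Control = 'Enabled mail-flow rule applying message encryption'
    Pass    = ($encryptRules.Count -gt 0)
    Detail  = "Rules: $($encryptRules.Name -join ', ')"
}

# 4. Mobile devices: the default mobile device mailbox policy should at least
#    require a device password, otherwise a lost phone exposes cached ePHI.
$defaultMobilePolicy = Get-MobileDeviceMailboxPolicy | Where-Object { $_.IsDefault }
$findings += [pscustomobject]@{
    Control = 'Default mobile device policy requires a device password'
    Pass    = [bool]$defaultMobilePolicy.PasswordEnabled
    Detail  = "Policy=$($defaultMobilePolicy.Name) PasswordEnabled=$($defaultMobilePolicy.PasswordEnabled)"
}

# Report, then close the sessions.
$findings | Format-Table Control, Pass, Detail -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Run it from an administrative workstation and keep the output with the rest of the HIPAA risk-analysis evidence; any `Pass = False` row is a gap that must be remediated in the admin portals or with the corresponding `Set-*` cmdlet, and the script can then be re-run to confirm the fix.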

Microsoft will complete a BAA but states outright that having a BAA does not in itself guarantee compliance with HIPAA Rules. “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Microsoft provides guidance on making Office 365 (Exchange Online) HIPAA compliant here.

About Patrick Kennedy
Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile.