Is Microsoft Office HIPAA Compliant?

Yes. Microsoft Office can be used in a HIPAA compliant manner when it is covered by a Business Associate Agreement (BAA) with Microsoft and the healthcare organization implements appropriate safeguards, such as encryption and access controls, and uses the software in a way that aligns with HIPAA requirements.

What is Microsoft’s Office 365?

Microsoft's Office 365 differs from the Microsoft Office Suite in a few ways, but the most important is the licensing model: Office 365 is a subscription service granting access to the software, whereas the Office Suite is a one-time purchase. Office 365 includes everyday programmes such as Microsoft Word, Excel and PowerPoint, as well as Microsoft OneNote, Publisher, and Access.

Using Office 365 in a Health Care Setting

A precondition to the compliance of many services is whether the service provider will enter into a Business Associate Agreement (BAA) with the entity that is subject to the rules of the Health Insurance Portability and Accountability Act, more widely known as HIPAA. Microsoft will do so in certain cases to cover Office 365. It will also enter into a BAA covering Microsoft Dynamics CRM (when acquired through Volume Licensing Programs or the Dynamics CRM Online Portal) and the Microsoft Azure cloud platform.

For general use, a BAA between the HIPAA covered entity and Microsoft is not necessarily needed. However, before any electronic Protected Health Information (ePHI) is used with any of the programmes, a BAA should be sought, signed, and put in place. Signing a BAA may require the nomination of one or several administrative contacts. These are the people Microsoft will contact should a security breach be detected, so it is useful if this person is, or is in regular contact with, your organization's HIPAA Security Officer.

As one of the world's largest software and computing companies, Microsoft is well-versed in data management and data security. It meets or exceeds many international security standards, some of which are recommended by the United States Department of Health and Human Services' Office for Civil Rights.

Using Office in Compliance with HIPAA

While any programme could be used in a way that breaches HIPAA Rules, perhaps the most obvious risk to patient privacy and data security comes from the use of email. Data saved to Microsoft's servers is encrypted, as is data in transit between Microsoft's locations. Message metadata is a different matter: the subject line is a message header that is readable by every mail server, gateway and log that handles the message, and message-level encryption of the body does not protect it. Attachment file names are exposed in the same way whenever a message is stored, logged or forwarded without encryption. This means that any ePHI that appears in the subject line of an email or in the name of an attached file may not be secure.

For example, an email from a hospital to an insurance company with the subject line "Mr E. G. Smith, blood results", or with an attachment named "EG Smith blood results", may constitute a HIPAA violation because it does not sufficiently protect the patient's name. PHI should never be included in the email subject line or in the names of attachments.
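The following is an added example, not code from the article or from Microsoft: a small outbound-mail check that looks only at the metadata the paragraph above says stays readable (the Subject header and attachment file names) and flags patient names or medical record numbers found there. The patient list, the MRN format and the sample messages are constructed for illustration; a real gateway would take the patient list from the EHR or a DLP service.

```python
"""Flag ePHI leaking through e-mail metadata that stays readable.

Added example (not Microsoft's code or the article's). It parses a raw
RFC 5322 message, collects the Subject header and every attachment file
name, and checks them against a constructed patient list and an assumed
MRN pattern. Body content is deliberately ignored: the point is that these
fields are exposed even when the body itself is encrypted.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed patient list (assumption: a real check would query the EHR).
KNOWN_PATIENTS = {"smith, e. g.", "e. g. smith", "eg smith", "jane doe"}

# Assumed MRN format: the letters MRN followed by six or more digits.
MRN_RE = re.compile(r"\bMRN\s*#?\s*\d{6,}\b", re.IGNORECASE)


def _normalize(text):
    """Lowercase and collapse punctuation so 'E. G. Smith' also matches 'EG Smith'."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def _matches_patient(text, patients):
    """True if any normalized patient name occurs inside the normalized text."""
    norm = _normalize(text)
    return any(_normalize(p) in norm for p in patients)


def exposed_fields(raw):
    """Return (label, value) pairs for the cleartext metadata: Subject and attachment names."""
    msg = message_from_bytes(raw, policy=policy.default)
    fields = [("Subject", str(msg.get("Subject", "")))]
    for part in msg.walk():
        name = part.get_filename()
        if name:
            fields.append(("attachment", name))
    return fields


def find_phi_in_metadata(raw, patients=KNOWN_PATIENTS):
    """Return (field, value, reason) findings; an empty list means the metadata looks clean."""
    findings = []
    for label, value in exposed_fields(raw):
        if MRN_RE.search(value):
            findings.append((label, value, "MRN pattern"))
        elif _matches_patient(value, patients):
            findings.append((label, value, "known patient name"))
    return findings


def build_sample(subject, attachment_name):
    """Build a constructed test message with one PDF attachment (sample data, not real PHI)."""
    m = EmailMessage()
    m["From"] = "records@hospital.example"
    m["To"] = "claims@insurer.example"
    m["Subject"] = subject
    m.set_content("See attached.")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename=attachment_name)
    return m.as_bytes()


# The article's example, and a version that uses an opaque case reference instead.
BAD = build_sample("Mr E. G. Smith, blood results", "EG Smith blood results.pdf")
GOOD = build_sample("Lab results for case ref 48213", "case-48213.pdf")

if __name__ == "__main__":
    for name, raw in (("bad", BAD), ("good", GOOD)):
        print(name, find_phi_in_metadata(raw))
```

The check reports both the subject line and the attachment name of the article's example message, and nothing for the version that carries only an internal case reference, which is the pattern to prefer: keep identifying details inside the encrypted body or attachment, and put only an opaque reference in the metadata.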

Is Office 365 HIPAA Compliant?

Office 365 can be used in compliance with HIPAA Rules, so long as a BAA is in place and staff follow the rules. The greatest threat to HIPAA compliance is often human error, so training on the correct use of Office 365 and other software should be a central part of your organization's compliance strategy.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at