What Makes Microsoft Teams HIPAA Compliant?

If your HIPAA-covered organization intends to use Microsoft Teams to collect, store, share, or transmit electronic PHI, you must understand how to make Microsoft Teams HIPAA compliant. Although most Microsoft business plans include features that support HIPAA compliance when using Teams, compliance ultimately depends on how the platform is configured and used.

Microsoft Teams is a communications platform that offers secure videoconferencing, chat, and file-sharing functions. The platform is widely used in business to “fill the gap between remote and in-person teammates” and helps team members stay informed, organized, and connected. Microsoft Teams can also be integrated with numerous apps to improve collaboration and simplify processes.

Its sophisticated features and integrations make Microsoft Teams a leading communication platform in the healthcare sector. The platform can be used for company communications, scheduling, onboarding, and training, and for performing wellness checks with frontline employees – an activity that is practically a necessity in the healthcare sector at this time.

When these activities do not involve the collection, storage, sharing, or transmission of electronic PHI, there is no question about Microsoft Teams’ HIPAA compliance, since the platform does not need to be HIPAA compliant to carry out company communications and similar tasks. However, when electronic PHI is collected, stored, shared, or transmitted through the platform or through any app integrated with it, it is crucial for Covered Entities to understand how Microsoft Teams becomes HIPAA compliant.

How to Make Sure Microsoft Teams is HIPAA Compliant

No software program is HIPAA compliant in itself. How software is configured and used determines compliance, so it is essential for Covered Entities and Business Associates to be aware of a program’s features before use, as well as which features the program may be missing. For instance, many software programs that claim to be HIPAA compliant do not have automatic logoff functions, because the devices on which they are used are expected to be configured to log users out after a period of inactivity.

When using Microsoft Teams, HIPAA compliance also depends on which business plan an organization subscribes to. Most business plans include the Teams platform, but the plans differ in their features. For instance, the two “Frontline” business plans do not include the full set of identity and access management settings, and the Teams Phone System is only available in the Microsoft 365 and Office 365 E5 business plans.

Although these potential weak points can be overcome by purchasing add-on licenses, this means that both the platform and the add-on must be configured correctly to comply with the technical safeguards of the Security Rule. This can increase the difficulty of making Microsoft Teams HIPAA compliant and raise the risk of a data breach or an unintentional HIPAA violation. The same applies to any other application integrated with the Teams platform.

Why Proper Platform Usage Is Important

With many software programs that support HIPAA compliance, once they are configured to comply with the technical safeguards of the Security Rule, the risk of an unintentional violation or data breach depends on what they are used for and how they are used. What Microsoft Teams is used for, and how it is used, is particularly relevant when answering the question “is Microsoft Teams HIPAA compliant?” – especially with regard to communications with patients.

Because of its features, Microsoft Teams can be used to schedule, manage, and conduct virtual telehealth consultations. It is also possible to link Microsoft Teams to certain types of EHR (depending on prerequisites), so that healthcare professionals can launch virtual consultations with patients from within the EHR, and patients can request virtual meetings with healthcare professionals through a Covered Entity’s patient portal website.

Conducting virtual telehealth consultations can increase the risk of HIPAA violations when the identity of the patient is not verified, or when the patient is in a location where the confidentiality of PHI cannot be ensured. Consequently, healthcare professionals who use Microsoft Teams for virtual telehealth consultations must exercise good judgment to make sure that any disclosures of PHI are permissible under the Privacy Rule.

Other Factors to Consider

Microsoft Teams includes a Data Loss Prevention safeguard that blocks the sharing of sensitive information with people who join a consultation as guests (as many patients will). Depending on how this safeguard is configured, it could prevent healthcare professionals from permissibly sharing PHI with patients. This might push healthcare professionals to use other, non-compliant telehealth solutions to communicate with patients.

It is also important to know that, by subscribing to an Office 365 or Microsoft 365 business plan, healthcare organizations automatically accept Microsoft’s Business Associate Agreement. Microsoft does not sign customers’ own Business Associate Agreements; therefore, if a Covered Entity does not want the terms of Microsoft’s Business Associate Agreement, the options are either to accept them or to find a different communications program to use.

A further concern is that Covered Entities must subscribe to a business plan in order to use Teams under a Business Associate Agreement, and the business plan must include licenses for all users. This can make it very expensive to offer telehealth services through Microsoft Teams when the platform is only used by a handful of users, or when the plan includes analytics, insight, and administration features that the Covered Entity pays for but never uses.

Although Microsoft Teams can be made HIPAA compliant by subscribing to the appropriate plan and configuring the system to comply with the technical safeguards of the Security Rule, there are a number of factors to consider before adopting Microsoft Teams as a communication platform through which electronic PHI is collected, stored, shared, or transmitted.

These include the confidentiality of PHI during virtual telehealth consultations (which applies to any telehealth program), the possibility that a user may turn to a non-compliant substitute for Microsoft Teams to work around Data Loss Prevention controls, the terms of Microsoft’s Business Associate Agreement, and the cost of subscribing to a business plan that may include features that will rarely be used.

For many Covered Entities, there are less expensive alternatives. However, some have known security problems, while others are reported to have connectivity problems. Consequently, Covered Entities are advised to research any prospective communications software thoroughly to make sure it is HIPAA compliant, and to make sure it is straightforward to configure and use in compliance with HIPAA.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to the specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source of information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and the secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone