Achieving HIPAA Compliance With Office 365

HIPAA sets forth stringent requirements for any organization hosting, accessing, transmitting, or storing electronic protected health information (EPHI). The guidelines for HIPAA compliance were established to keep health data protected and out of the wrong hands. Establishing HIPAA compliance across a network can be a time-consuming task.

Luckily, Microsoft makes it easy to achieve compliance with Microsoft Office 365. The cloud-hosted, subscription version of the award-winning Microsoft Office has been designed to help healthcare organizations, insurance companies, and other companies processing EPHI achieve HIPAA compliance while providing the collaborative and cost-saving benefits of the cloud.

Here are four ways Microsoft Office 365 helps organizations achieve HIPAA compliance:

Meets HIPAA and Data Safeguard Compliance Regulations

According to Microsoft, Office 365 complies with the HIPAA Business Associate Agreement. Under the agreement, a “business associate” is a person or entity involved in the handling or disclosure of EPHI on behalf of a covered entity (a health care provider, insurance provider, etc.). Office 365 meets the requirements to be considered a business associate for handling protected health information. It also meets the breach notification requirements of ARRA/HITECH, ISO 27001, the Federal Information Security Management Act (FISMA), EU Safe Harbor, the EU Model Clauses, and the Data Processing Agreement.

As we mentioned previously, HIPAA requires organizations hosting EPHI to ensure that every part of their network can encrypt data for secure storage and transmission. Microsoft Office 365 offers enterprise-level encryption for its data, including email encryption options through Outlook Online. A user can send an encrypted email containing sensitive EPHI to another user, who then has two ways to open it: by signing in with a Microsoft account (ideal for recipients within the same organization), or, if the recipient has no Microsoft account, by using a one-time passcode to view the encrypted message.

Data Loss Prevention Rules

In the Exchange Online admin center, system administrators can establish data loss prevention (DLP) policies that scan email messages for sensitive information subject to HIPAA. For example, incoming messages can be pre-screened for data protected under HIPAA, including Social Security numbers and health insurance account numbers. Rules can be established to automatically block the delivery of an email containing sensitive information and then notify the sender that the email was blocked. These types of rules ensure that health data is only transmitted through the secured channels HIPAA requires.
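To make the rule logic concrete, here is an added example (not Microsoft's code and not part of the original post) of a small DLP rule engine in Python that does what the paragraph describes: classify a message's text for HIPAA-relevant identifiers, block delivery when a match is found, and notify the sender. The tenant domain, the member-ID format, the sample messages and the identifiers in them are all constructed for this example; the "block only when a recipient is outside the organization" scope is an assumption standing in for a typical rule condition. Two points the paragraph does not spell out are shown in code: the Social Security number check rejects numbers the SSA never issues (which removes many false positives), and the notification sent back masks the matched value so the alert itself does not re-transmit EPHI.

```python
"""Toy DLP rule engine modelled on the Exchange Online behaviour described
above: scan a message for HIPAA-relevant identifiers, block delivery when a
rule matches, and produce a sender notification that does not leak the
matched value. Example code, not Microsoft's implementation."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# U.S. SSN written as AAA-GG-SSSS.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Hypothetical health-plan member ID format used only in this example:
# three upper-case letters followed by nine digits (an assumption; real
# insurers use many different formats).
MEMBER_ID_RE = re.compile(r"\b[A-Z]{3}\d{9}\b")

ORG_DOMAIN = "example-clinic.test"  # constructed tenant domain


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. This filters out order numbers and the like."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (classification, matched_value) pairs found in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            hits.append(("U.S. Social Security Number", m.group(0)))
    for m in MEMBER_ID_RE.finditer(text):
        hits.append(("Health Insurance Member ID", m.group(0)))
    return hits


def mask(value: str) -> str:
    """Keep only the last four characters so notifications and incident
    reports do not carry the protected value onward."""
    return "*" * (len(value) - 4) + value[-4:]


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str


@dataclass
class Decision:
    action: str                                   # "deliver" or "block"
    classifications: List[str] = field(default_factory=list)
    sender_notice: str = ""


def leaves_organization(msg: Message) -> bool:
    return any(not r.lower().endswith("@" + ORG_DOMAIN) for r in msg.recipients)


def evaluate(msg: Message) -> Decision:
    """Policy (assumed for this example): a message carrying sensitive
    identifiers may not leave the tenant over plain email; delivery between
    internal mailboxes is allowed."""
    hits = find_sensitive(msg.subject + "\n" + msg.body)
    if not hits or not leaves_organization(msg):
        return Decision("deliver")
    kinds = sorted({kind for kind, _ in hits})
    masked = ", ".join(f"{kind} ({mask(value)})" for kind, value in hits)
    notice = (
        f"Your message '{msg.subject}' was not delivered to an external "
        f"recipient because it contains: {masked}. Use the encrypted-mail "
        f"option to send protected health information outside the organization."
    )
    return Decision("block", kinds, notice)


if __name__ == "__main__":
    # Constructed sample messages; none of the identifiers are real.
    samples = [
        Message("nurse@example-clinic.test", ["billing@partner-insurer.test"],
                "Claim follow-up", "Patient SSN 123-45-6789, member ID ABC123456789."),
        Message("nurse@example-clinic.test", ["records@example-clinic.test"],
                "Internal chart note", "SSN on file: 123-45-6789"),
        Message("admin@example-clinic.test", ["vendor@outside.test"],
                "Invoice", "PO 000-12-3456 is not an SSN; total due $4,200."),
    ]
    for s in samples:
        d = evaluate(s)
        print(f"{s.subject!r}: {d.action} {d.classifications}")
        if d.sender_notice:
            print("  notice:", d.sender_notice)
```

Running the block blocks only the first sample (external recipient, valid SSN and member ID), delivers the internal note unchanged, and delivers the invoice because `000-12-3456` fails the SSN validity check. The same structure extends to other classifications by adding a pattern plus an optional validator to `find_sensitive`.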

Mobile Data Wipe

If a physician’s or other health professional’s device is lost or stolen, access to sensitive EPHI can easily be restricted via Office 365’s mobile data wipe. Through the Office 365 system administrator dashboard, a lost or stolen tablet, mobile phone, or laptop can be remotely wiped. All data is removed from the device and program access is locked out, so unauthorized users are unable to access highly classified health information.

Interested in moving to Microsoft Office 365? Roan Solutions can help you make the move and ensure that your IT environment is HIPAA compliant. Contact us today.
