Microsoft Office 365 is an incredibly useful suite of tools that can be used by health providers, insurance companies, and their business associates alike to store, transfer, and manage patient files. However, the HIPAA Security and Privacy Rules, along with HITECH regulations, introduced very strict requirements to safeguard patients’ electronic protected health information (ePHI). Implementing 365 without considering these requirements is a recipe for disaster.
With that in mind, here are four important points that cannot be overlooked to ensure your use of Office 365 keeps you in line with HIPAA requirements.
1. Get a BAA with Microsoft
HIPAA regulations cover not only the companies responsible for providing health care and processing claims (including physicians’ offices, hospitals and insurance companies), but also their business associates (outside providers who also handle ePHI). This means that business associates can be liable for compromised ePHI, but so can the provider using the business associate’s services if they did not conduct due diligence. To ensure HIPAA compliance and consistency on all sides, providers should have a business associate agreement (BAA) in place with their business associates.
The requirements for a BAA are set forth in the HIPAA Security Rule, and include:
- How the business associate is allowed to use the ePHI
- A provision forbidding the business associate from using or disclosing ePHI in a manner not permitted in the BAA
- Required safeguards the business associate must use to prevent unauthorized use or disclosure of the ePHI
Luckily, if you’re going to use a Microsoft service to handle ePHI, the Microsoft cloud services covered under its BAA have been audited against the ISO/IEC 27001 standard, and Microsoft already has a standard HIPAA Business Associate Agreement that can be applied to most business associate relationships.
2. Enable Access Logs and Reports
One of the requirements of the HIPAA Privacy Rule is to “develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of [the] workforce.” This kind of policy is useless without a way to ensure it is followed, and Office 365 offers easy ways to do this: All an admin needs to do is go to Security & Compliance Center > Audit log search page > “Start recording user and admin activity.” Turning on activity recording will track file and folder activities, sharing and access request activities, site admin activities, role administration activities, and much more for SharePoint, Exchange, Azure and other services. In the event of a data breach, it will be quick and easy to go back and see who accessed what records and when, and access and activity reports are simple to export if needed.
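The steps above are done in the portal; the same thing can be scripted and verified with Exchange Online PowerShell, which is also how you pull the records back out during an investigation or a periodic access review. The script below is an added example, not from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds an audit-reading role, and that the admin address, the seven-day window and the output path are placeholders you would replace.

```powershell
# Added example: turn on unified audit logging, confirm it, and export a week of
# SharePoint/OneDrive file-access events for review.
# Assumptions: ExchangeOnlineManagement module installed; admin@contoso.example is a
# placeholder UPN; the date window and CSV path are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Step 1: check whether unified audit log ingestion is on; enable it if not.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host "Unified audit log ingestion enabled; new events appear after a short delay."
} else {
    Write-Host "Unified audit log ingestion is already enabled."
}

# Step 2: pull file access / download events from the last seven days.
# Search-UnifiedAuditLog returns at most 5000 records per call; page with -SessionId
# and -SessionCommand ReturnLargeSet if a review needs more than that.
$end   = Get-Date
$start = $end.AddDays(-7)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SharePointFileOperation `
    -Operations FileAccessed,FileDownloaded,FileSyncDownloadedFull `
    -ResultSize 5000

# Step 3: each record carries its detail as a JSON string in AuditData;
# expand the fields a reviewer actually needs (who, what, when, from where).
$report = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $e.CreationDate
        User      = $e.UserIds
        Operation = $e.Operations
        File      = $d.ObjectId
        ClientIP  = $d.ClientIP
    }
}

$report | Sort-Object Time | Export-Csv -Path .\ephi-access-review.csv -NoTypeInformation
Write-Host ("Exported {0} file-access events." -f $report.Count)

Disconnect-ExchangeOnline -Confirm:$false
```

Two practical notes: the audit log retains records only for a limited period unless you have extended retention, so export or archive reviews you may need later rather than relying on searching months after the fact; and run the export on a schedule, not just after a breach, since the Privacy Rule's role-based access policy is only demonstrable if someone actually reads the reports.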
3. Explore the Full Range of Data Protection Offered by 365
The HIPAA Security Rule is unfortunately vague on the subject of data encryption, stating that ePHI should be encrypted “whenever deemed appropriate.” By default, Office 365 encrypts data at rest and in transit, but given the highly sensitive nature of ePHI and the possible consequences for its unauthorized use, it is well worth it to explore additional security and access control options.
Microsoft has a helpful guide outlining how you might classify and further protect the data you store with it. These levels of protection include:
- Data is encrypted and available only to authenticated users (Office 365 default); additional data and identity protection may be applied broadly.
- Sophisticated protection applied to specific data sets (such as Data Loss Prevention for Office 365).
- Strongest protection and separation capabilities, such as Customer Lockbox and eDiscovery features in Office 365, and SQL Server Always Encrypted for partner solutions. (Use auditing features to ensure compliance with policies and prescribed configurations.)
It may take more work to set up, but giving your ePHI more protection to prevent a data breach is well worth it!
4. Employee Training
Employee training should be a necessary step for implementing any technology or compliance initiative, but it would be remiss not to mention it here. It is crucial that your employees understand what constitutes ePHI, how they are permitted to view and use it for their job duties, and in what manner it should and should not be shared. More specific to Office 365, Microsoft offers a list of mediums in which ePHI can be considered secure:
- Email body
- Email attachment body
- SharePoint site content
- Information in the body of a SharePoint file
- Lync presentation file body
- IM or voice conversations
- CRM entity records
Likewise, employees must understand which locations are not secure for ePHI and therefore must not be used to store, transfer or communicate it:
- Email headers (including “From,” “To,” or “Subject Line”)
- Filenames (including filenames of any attachments or uploaded documents on any service)
- URLs or any public SharePoint websites
- Account, billing or service configuration data
- Internet domain names
- User global address list or address book data
- Support ticket information
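Training alone does not stop a subject line reading “Re: John Doe SSN 123-45-6789” or an attachment named after a patient, so it is worth backing the list above with a technical control. The script below is an added example, not from the original post or from Microsoft: it creates two Exchange Online mail flow rules that catch SSN-like and medical-record-number-like patterns in exactly the two places the list says are not secure, the subject header and attachment filenames, and it applies the same patterns to filenames in a folder before they are uploaded to SharePoint. The MRN pattern is an assumed organisational format, the rule names and folder path are placeholders, and the rules start in Audit mode so you can review hits before they block anything.

```powershell
# Added example: enforce "no ePHI in subject lines or filenames" with mail flow rules,
# and pre-check a local folder for filenames that would violate the same policy.
# Assumptions: ExchangeOnlineManagement module installed; admin@contoso.example is a
# placeholder UPN; the MRN format is assumed; rule names and the folder path are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Patterns for identifiers that must never appear in message metadata.
# SSN: 3-2-4 digits with dashes. MRN: assumed format "MRN" followed by 6+ digits.
$ephiPatterns = @(
    '\d{3}-\d{2}-\d{4}',
    '(?i)MRN\s*#?\s*\d{6,}'
)

# Conditions on one transport rule are ANDed, so subject and attachment-name checks
# are split into two rules to get OR behaviour. -Mode Audit only logs matches;
# change to Enforce once the hit rate looks right.
$reject = 'Patient identifiers are not permitted in subject lines or filenames. Put them in the message body or an encrypted attachment.'

New-TransportRule -Name 'Audit - ePHI in subject (outbound)' `
    -SentToScope NotInOrganization `
    -SubjectMatchesPatterns $ephiPatterns `
    -RejectMessageReasonText $reject `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Audit

New-TransportRule -Name 'Audit - ePHI in attachment name (outbound)' `
    -SentToScope NotInOrganization `
    -AttachmentNameMatchesPatterns $ephiPatterns `
    -RejectMessageReasonText $reject `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Audit

Disconnect-ExchangeOnline -Confirm:$false

# Pre-upload check: flag files whose NAME (not content) matches the same patterns,
# so they are renamed before landing in SharePoint, where filenames are visible in
# URLs, search results and audit logs.
function Find-EphiInFileNames {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Patterns = $ephiPatterns
    )
    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        foreach ($p in $Patterns) {
            if ($_.Name -match $p) {
                [pscustomobject]@{ File = $_.FullName; Pattern = $p }
                break
            }
        }
    }
}

# Usage (placeholder path): list offending files before the folder is synced or uploaded.
Find-EphiInFileNames -Path 'C:\Staging\ToSharePoint' | Format-Table -AutoSize
```

Pattern matching on metadata is deliberately narrow: it does not find a patient name in a subject line, and it cannot see inside the body. For body and attachment content the right tool is the Data Loss Prevention feature mentioned in point 3, which ships with built-in sensitive information types; these rules cover the gap DLP leaves in headers and filenames, which is exactly the gap the list above describes.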
Additionally, employees should understand access control measures, remote access policies, physical device security, and the consequences of HIPAA violations (both for patients and for the company). Once everyone is on the same page about their role and permissions within HIPAA and you implement all other 365 requirements, ensure that your productivity and security applications are kept up-to-date, and enjoy all the capabilities that the Office 365 suite has to offer!