
Your Guide to Office 365 HIPAA Compliance & HITECH Standards


3 min read
Published on Feb 28, 2017
Exploring the Office 365 HIPAA Compliance Guide

Microsoft can’t meet all HIPAA compliance & HITECH standards without your own work and configuration. Because adhering to Office 365 HIPAA compliance & HITECH standards is your organization’s responsibility, even Microsoft has strict rules on what it will suggest and configure.

Luckily, Microsoft set up a program to assist companies that sign a Business Associate Agreement (BAA). The BAA doesn’t guarantee your organization follows HIPAA and HITECH standards. By offering a BAA, Microsoft only supports the implementation based on the parameters your company provides — and nothing more.

Do You Need to Sign a BAA for Office 365 HIPAA Compliance?

Because Office 365 HIPAA compliance falls on your company, you don’t have to sign a BAA and could still be compliant with a custom configuration.

Both the HIPAA and HITECH Acts outline standards, not absolutes. Many companies don’t sign a BAA and instead do the work in-house or hire an Office 365 compliance partner.

So what does that mean for your organization? Your legal team must be looped into any potential change in how your organization handles information. Office 365 provides information on compliance standards and tutorials to configure them.

Your legal team should provide the framework for what must be configured. If your team doesn’t have the expertise to accomplish this, you should reconsider your team. Even small HIPAA & HITECH Act violations can lead to big lawsuits.

Configure Security Policies in Office 365

Office 365 was built with security in mind. Your data is likely far safer in Office 365 than in your own datacenters. Microsoft and its partners have heavily invested in making Office 365 as safe as possible.

Data Loss Prevention (DLP) is one helpful, optional license to consider. DLP arms end users with real-time tips to recognize and prevent sensitive information leaks. Your policy will flag items like credit card and social security numbers and block users from sending them. DLP helps your organization prevent data loss (especially for those end users who don’t know you even have a policy).

[Screenshot: Office 365 DLP policy]

In fact, your DLP policy can protect all data across your Office 365 tenant. DLP policies cover sensitive information in Exchange Online, SharePoint Online and OneDrive for Business. You can set which services you want to protect with a new DLP policy.

[Screenshot: creating a new DLP policy in Office 365]

Depending on how your DLP policy is configured, managers can override certain restrictions or be alerted when someone attempts to send sensitive data. To make implementing DLP policies easier in Office 365, Microsoft provides some out-of-the-box templates to save you time. If you’re subject to HIPAA & HITECH standards, I’d highly recommend this license.
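The same policy can be built from Security & Compliance PowerShell instead of the portal. The script below is an added example written for this guide; it is not from the original post or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a compliance administrator role; the policy name, rule name, policy tip text and severity choices are illustrative and should be replaced with values your legal team has signed off on.

```powershell
# Added example (not from the original post): create the DLP policy
# described above, covering Exchange Online, SharePoint Online and
# OneDrive for Business, with a policy tip, a block on external sharing,
# a manager-style override with justification, and an incident report.
# Assumes the ExchangeOnlineManagement module; names below are made up.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# Constructed names for this example
$policyName = "HIPAA-Sensitive-Data"
$ruleName   = "Block-SSN-and-Card-Numbers"

# 1. Policy: scope to every Exchange, SharePoint and OneDrive location in the
#    tenant. TestWithNotifications shows policy tips to users without blocking,
#    which lets you pilot the policy before enforcing it.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Flags SSNs and credit card numbers for our HIPAA program" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# 2. Rule: match the built-in sensitive information types the post mentions
#    (social security and credit card numbers), notify the owner and last
#    editor with a policy tip, block sharing with people outside the
#    organization, allow an override only with a written justification,
#    and send an incident report to the site admin.
$sensitiveTypes = @(
    @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
    @{ Name = "Credit Card Number";                minCount = "1" }
)

New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item appears to contain a social security or credit card number. Remove it or justify the override." `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, Service, Detections, Severity, DocumentAuthor `
    -ReportSeverityLevel High

# 3. Verify what was created before switching the policy to enforcement.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, ContentContainsSensitiveInformation, BlockAccess, NotifyAllowOverride

# 4. Once the pilot shows acceptable false-positive rates, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Starting in test mode and reviewing the incident reports first is deliberate: a rule that blocks on a single credit card match will also catch legitimate internal traffic, and the override-with-justification setting is what gives the managers mentioned above a documented path around the block without disabling it.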

Do You Need an Office 365 HIPAA Compliance Partner?

Many companies claim to be experts in HIPAA & HITECH Act requirements and will shell out plenty of suggestions to stay compliant. Beware of trusting an overly confident company with your Office 365 HIPAA compliance and HITECH standards. Somewhere in the fine print, there’s an out clause that points the finger back at you.

Working with an experienced partner will ease the process of becoming HIPAA and HITECH compliant, but no partner can achieve compliance for you on its own. You’ll have to work closely with your partner to clearly communicate and implement your requirements.

The Microsoft Security and Trust Centers are a great place to start. These resources help you (or your partner team) identify what must be configured to meet most security and compliance standards, including the HIPAA & HITECH Acts. Microsoft ranks its partners by achieved competencies, so I’d suggest choosing a partner with proven experience in your realm of compliance.

If you’re looking for a trusted advisor to talk honestly about Office 365 HIPAA compliance, reach out to Agile IT today. Our Office 365 consultants will help you identify the technical requirements and outline a plan to achieve HIPAA and HITECH compliance or configure other security options like DLP.

Tyjon Hunter MIS, MCSA

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.
