3 Tips to ensure HIPAA compliance with Microsoft Office 365
1) Evaluation – Research the Office 365 security and privacy practices to confirm they meet your organization's requirements. Read the Service-Specific Privacy & Security information for the services you plan to use; Office 365 also has a privacy white paper available.
2) Sign-Up Process – Make sure you sign the Business Associate Agreement (BAA) once the sign-up process is complete. This can be accomplished by going to the Office 365 HIPAA/HITECH FAQ. If you have an Enterprise Agreement version of the BAA, you will also need to e-mail MSO-HIPAA@microsoft.com and designate a HIPAA Admin Contact.
*HIPAA support is only offered under the following plans and services: Office 365 plans A1, A2, A3, A4, E1, E2, E3, E4, P1, K1, K2; Exchange Online Plan 1, Plan 2 and Kiosk; Exchange Online Archiving; SharePoint Online Plans 1 and 2; Office Web Apps Plans 1 and 2; and Lync Online Plans 1 and 2.
3) Training – All employees should receive training on how to properly handle ePHI based on their respective roles. Administrators should keep ePHI out of any address book or directory, and should never allow access to ePHI during support or troubleshooting sessions with Microsoft. Users should be trained not to e-mail ePHI to individuals who do not have the right to view it.
The following locations are suitable for storing ePHI:
- E-mail body.
- E-mail attachment body.
- SharePoint site content.
- Information in the body of a SharePoint file.
- Lync presentation file body.
- IM or voice conversations.