That’s the answer in their FAQ. Out-of-the-box Office 365 is not HIPAA compliant, and you need to take the appropriate steps to ensure your organization stays compliant.
Get the Free Essential Guide to US Data Protection Compliance and Regulations
As the covered entity (CE) in HIPAA legalese, it is up to you to maintain HIPAA compliance and to pick systems and tools that will serve that end.
Let’s dig into what Microsoft does offer to help you stay HIPAA compliant.
Should this instead be: “What versions of Office 365 are HIPAA compliant?” [MB1]
- Office 365 Compliance Center
- Office 365 Compliance Considerations
- Maintaining Office 365 Compliance with Varonis
- Considerations When Operating Office 365
Office 365 Compliance Center and Features
When people get into compliance with Office 365, they probably first check out the Office 365 Compliance Center. Compliance Center is a suite of tools and dashboards that are available to Office 365 customers on the highest tier package, E5, or with an add-on to the E3 package.
Here is a list of high-level features in Microsoft Compliance Center:
- Compliance Scorecard: The compliance scorecard shows you the compliance score based on Microsoft’s calculations. The compliance score is a risk-based aggregate score that shows you your current position and informs the next steps to take to become compliant.
Microsoft partly calculates the compliance score by a percentage of the compliance controls that apply to your organization that you cover. To that end, you have to feed Microsoft all of the different compliance regulations you want it to consider in the calculation. You can feed compliance center with Microsoft-managed controls or create customer-managed controls.
Microsoft includes pre-configured templates of controls for most of the well-known regulations, HIPAA included.
- Solution Catalog: The solution catalog shows you the Microsoft tools you can implement to meet compliance objectives.
- Insider Risk Management: Insider risk management allows you to detect, investigate, and take action on risky activities in your organization. With this feature, you can create custom alerts and take action on malicious and inadvertent risky activities in your organization.
Insider risk management allows you to policies based on pre-defined templates that define what kinds of risks Office 365 considers an alert. You can set conditions for the alert, define which users to include, and set the time period for the alerting. Here are the pre-defined templates.
Office 365 HIPAA Compliance Considerations
Here are some key points to consider as you implement your Office 365 HIPAA compliance program.
Enabling Office 365 HIPAA Compliance
Healthcare organizations that are moving to Office 365 should implement the various compliance tools and systems in Office 365 that support their privacy and compliance strategy. Still, they should not wholly depend on these systems in their compliance program.
The reports available in the Office 365 Compliance Center will be valuable during HIPAA compliance audits. – like unauthorized access by insiders or accidental data leaks – but you shouldn’t rely on AIP as a silver bullet for HIPAA compliance.
Here are a few more things to know.
Office 365 HIPAA Business Associate Agreement:
HIPAA requires that both covered entities and their business associates – defined as any organization that works with PHI – enter into contracts with each other. These contracts ensure that business associates have in place technical and managerial systems to protect PHI. When working with Office 365, this means entering into a Business Associate Agreement (BAA) with Microsoft.
The Microsoft BAA clarifies and limits how both you and Microsoft can handle PHI and details the steps that you will both take to adhere to the provisions in the HIPAA. Once a BAA is in place, Microsoft customers — which are covered entities in this case — can use its services to process and store PHI. For Microsoft cloud services like Office 365, the HIPAA Business Associate Agreement is available via the Online Services Terms. It is offered by default to all customers who are covered entities or business associates under HIPAA.
It’s important to recognize, however, that entering into a BAA does not, in itself, ensure that you are HIPAA compliant. You can work with PHI in Office 365 in many ways that are not compliant. In short, you are still responsible for ensuring that you have an adequate compliance program and internal processes in place and that your particular use of Microsoft services aligns with HIPAA.
As always, when pressed with legalese, consult with a lawyer with expertise in HIPAA compliance.
Office 365 HIPAA Best Practices
Here are some best practices for you to configure and set up Office 365 for HIPAA.
- Strive to maintain least-privileged access from the beginning of your Office 365 implementation. Enforce permissions so that users can only access the PHI they need to do their jobs. This will help keep PHI from access by unauthorized uses.
- Use Microsoft’s end-to-end encryption to protect PHI. Encrypting HIPAA data can help prevent data breaches, and having encryption enabled will look good on an audit.
- Use Microsoft Information Protection to prevent users from mistakenly sending PHI to unauthorized users. MIP can read from a white list of domains, or you could even give external users Azure accounts to keep unauthorized users from accessing your PHI.
- Enable Multi-factor authentication in Office 365.
- Maintain the Office 365 audit logs in case of a compliance incident.
- Keep backups of data held in Office 365 per HIPAA regulations.
Maintaining Office 365 Compliance with Varonis
Varonis helps cover the gaps you may encounter in Office 365 compliance.
A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI)
Varonis maps all of your users, folders, and permissions so you can identify where your data is at risk of unauthorized access. With Varonis, you can track any sharing links or unintended access points that your users create with Office 365, through Teams, for example. With a wide array of pre-built permissions reports, Varonis makes HIPAA audits much faster. You can provide auditors with comprehensive reports detailing precisely who can access to e-PHI, how they got access, and whether they actually need it to do their job.
Varonis then classifies your PHI both on-premise and in Office 365 so you can identify all of the HIPAA protected data, without the need to train a classification engine to do it. Varonis works out of the box to classify HIPAA data and requires little tuning for accurate results. Additionally, Varonis integrates directly with AIP to label sensitive files so AIP can encrypt and track sensitive data.
After you have identified the folders where HIPAA data lives in the greatest danger, Varonis helps you mitigate that risk by automating the processes required to move to least privileged access. Limiting access of HIPAA data to only those individuals that are authorized—often referred to as the principle of least privilege or privacy-by-design–is a milestone on the HIPAA compliance journey.
A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
Varonis monitors and records your file activity, folder activity, and email activity so you can always answer the question, “Who is accessing HIPAA data?” Varonis reporting will allow you to prove to auditors exactly who is accessing your ePHI. Varonis looks for patterns of abnormal behavior on your ePHI and alerts you of any potential misuse from insiders or outsiders.
The audit logs are enriched and normalized across all monitored data streams. That means that any event you investigate looks the same in Varonis, and includes all of the important data about that event. And that Varonis can quickly apply analytics to detect abnormal behaviors that could be threats to your HIPAA data.
A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
Varonis correlates file access, email activity, and perimeter telemetry to warn you of any potential threats to your ePHI.
A valid user accessing ePHI isn’t noteworthy, but Varonis can tell you if that user account logged in from an odd geographic location, is accessing data they have never touched before, or if the computer they logged into recently triggered a malware alert. Varonis gives you actionable intelligence you can use to investigate any potential intrusion.
Considerations When Operating Office 365
Office 365, especially when you add Teams on top of it, can make things like compliance data security problematic. Teams, and to some extent, Office 365 are designed to enable sharing of data first, and protect data last. Varonis protects data first. When you layer the two systems together, you pave a much easier path towards HIPAA compliance and protect your patient data from breaches
In short, HIPAA compliance can be complicated. If you’re struggling with HIPAA compliance in Office 365 or on-premises Windows-based environments, Varonis offers a no-obligation data risk assessment. Our engineers will install the Data Security Platform so you can start discovering your e-PHI, uncovering risks, and monitoring for threats. Use the report to generate a prioritized remediation plan, get buy-in from leadership, and map out what you need to do next to meet regulations. Start with a conversation.
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.