Office 365 & CRM Online HIPAA/HITECH Frequently Asked Questions
Last updated: July 2012
HIPAA support is currently built into and offered for the following services ONLY:
Microsoft Office 365 Plans A1, A2, A3, A4, E1, E2, E3, E4, P1, K1, K2; Exchange Online Plan 1, Plan 2 and Kiosk; Exchange Online Archiving; SharePoint Online Plans 1 and 2; Office Web Apps Plans 1 and 2; and Lync Online Plans 1 and 2.
- What is HIPAA/HITECH?
HIPAA and the HITECH Act are U.S. federal laws that apply to healthcare companies, including most doctors’ offices, hospitals, and health insurers. They establish requirements for the use, disclosure and safeguarding of individually identifiable health information.
- Whom does HIPAA/HITECH law apply to? Who needs to be HIPAA compliant?
HIPAA and the HITECH Act apply to healthcare companies, including most doctors’ offices, hospitals, and health insurers. HIPAA and the HITECH Act also require these covered entities to sign written agreements (called business associate agreements or BAAs) with their service providers who provide certain functions using individually identifiable health information. BAAs impose privacy and security obligations on those service providers.
- Do Office 365 and CRM Online allow their customers to be HIPAA/HITECH Act compliant?
Yes, Office 365 and CRM Online help their customers stay compliant with HIPAA and the HITECH Act. However, to comply with HIPAA and the HITECH Act, a customer may need to sign a written agreement with Microsoft (called a business associate agreement or BAA) that complies with HIPAA’s and the HITECH Act’s requirements. Customers requiring a BAA should sign the BAA after the customer signs its standard agreement(s) with Microsoft for the service but before uploading or transferring health information to the service.
- How does a customer sign a HIPAA/HITECH Act BAA with Microsoft?
Customers purchasing outside Volume Licensing must visit here to get a signed copy of the Office 365 and CRM Online HIPAA/HITECH Act BAA. Note: Customers need IT Admin privileges to view and sign the agreement.
Once on this page, you should review the agreement called “Office 365 and CRM Online HIPAA/HITECH Business Associate Agreement [English]” by clicking on that link. When you are done reviewing the agreement, check the box next to the agreement, type in your name, and click “Accept” to accept its terms.
- How do Volume Licensing EA customers sign a HIPAA/HITECH Act BAA with Microsoft?
EA customers can contact the Microsoft account sales team they have been working with to sign a HIPAA/HITECH Act BAA.
- What are the things a customer should do as part of signing a HIPAA/HITECH Act BAA?
While customers can use Office 365 and CRM Online and remain compliant with HIPAA and the HITECH Act, using Office 365 and CRM Online does not on its own achieve HIPAA compliance. Your organization also needs to ensure it has taken appropriate steps to meet HIPAA’s and the HITECH Act’s requirements, including using the Office 365 and CRM Online service appropriately and training your employees to do the same.
To assist customers with this task, Microsoft has developed HIPAA Implementation Guidance. The guidance describes concrete steps your organization should take to maintain HIPAA and HITECH Act compliance while using Office 365 and CRM Online.
- Will Microsoft send me confirmation after I sign the Office 365 and CRM Online HIPAA/HITECH Act BAA?
Office 365 and CRM Online will not contact you to confirm you have signed the BAA. If you signed the agreement in the Microsoft Online Services Portal, you may return to the portal to confirm the agreement is signed. If you signed under an Enterprise Agreement, you may contact your account manager.
- Are Office 365 and CRM Online HIPAA Compliant?
Office 365 and CRM Online help enable our customers' HIPAA compliance, provided the customer has an adequate compliance program and internal processes in place, including those described in the HIPAA Implementation Guidance.
- What does Office 365 do if there is a security incident involving a customer who has a signed HIPAA/HITECH Act BAA?
If Microsoft becomes aware of a security incident, we will report it according to our standard notification procedures and, if the incident involved HIPAA-protected health information, we will also report it to the individual administrator that the customer has identified as its HIPAA administrative contact. Volume Licensing customers should follow the instructions in the BAA document to provide their contact details for security incident notifications.
- I am not a U.S. HIPAA Covered Entity but would still like to sign a HIPAA/HITECH Act BAA, am I permitted to do so?
- Where can I find additional information on Microsoft’s approach to and implementation of HIPAA and the HITECH Act?