Is Office 365 HIPAA Compliant? HIPAA & HITECH Act Blog by Jonathan P. Tomes with Guest Commentator Brent Sadler


The following question came through our website:


“I was wondering if you can answer a question. I realize email and EPHI is an ongoing question as to whether it is safe or not. Are you all familiar with Office 365 Business? They give a BAA automatically when signing up with their services. Of course, they are a cloud provider, and we trust that they are HIPAA compliant like they say they are. Do you know if it is safe to send EPHI to an email account within the organization and within the same Office 365 account? If we accessed the email through the Office 365 email website and it was accessed the same way, would it technically be protected because it was sent encrypted and remained on Microsoft’s secure servers?

“And we should not send EPHI to an external email address because we do not know what happens with the information once it is received by the other party?

“I know I did not ask this question too well but can you just clarify when it is safe to send an email with EPHI and meets HIPAA requirements or should it not be done at all?”

Jon Tomes here: I called on IT security expert Brent Sadler, of WCC Internet Technologies in Salina, Kansas, who provided the following answer:

“Microsoft© Office 365 now has the ability to be HIPAA compliant, but to really take advantage of it, you need a certain level of account.

“The data is encrypted at rest and in transit for email. So, as a cloud email provider, any of the Office 365 accounts should be OK to use. Any emails transmitted between internal accounts meet the requirements, because they never leave the encrypted environment and are accessed only by authorized persons.

“When sending outside of Office 365, you will still require some sort of email encryption. You can add this encryption to your Office 365 as an option, or, if you have purchased the E3 Enterprise account of Office 365, it is already included as part of the package.

“If you plan on sending EPHI internally, however, then you must also archive the messages and have a way to log and audit them. You can accomplish this requirement by adding on a third-party archiving service or adding on the one that Microsoft offers for Office 365.

“Again, the E3 level account includes unlimited archiving and the ability to search it, which is also required.”
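The three controls Brent Sadler lists above (encrypt mail that leaves the tenant, archive it, and be able to log and audit it) can each be turned on from Exchange Online PowerShell. The script below is an added example for this post, not code from Brent Sadler, the blog, or Microsoft. It assumes a tenant licensed for Office 365 Message Encryption and archiving (for example, the E3 plan mentioned above), the ExchangeOnlineManagement module installed, and an admin account; the admin address, the rule name, and the keyword list are placeholders. The keyword match is a crude stand-in for a proper DLP sensitive-information condition, which is the better way to identify PHI in production.

```powershell
# Added example, not from the original post. Placeholders: the admin UPN,
# the rule name, and the PHI keywords. Requires the ExchangeOnlineManagement
# module and a tenant licensed for Office 365 Message Encryption (OME) and
# archiving (e.g., Office 365 E3).
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # hypothetical admin

# 1. Outbound encryption: apply the built-in OME "Encrypt" template to any
#    message that leaves the organization and looks like it carries PHI.
#    Internal mail is not touched, matching the advice that it stays inside
#    the tenant's encrypted environment.
New-TransportRule -Name "Encrypt outbound PHI" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "PHI","ePHI","patient" `
    -ApplyRightsProtectionTemplate "Encrypt"

# 2. Audit logging: make sure auditing is on at the org level and for every
#    mailbox (older tenants may still have it off).
Set-OrganizationConfig -AuditDisabled $false
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true

# 3. Archiving and retention: enable the in-place archive mailbox where it is
#    not already active, and place mailboxes on litigation hold so deleted
#    items remain searchable rather than being purged.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.ArchiveStatus -ne "Active" } |
    ForEach-Object { Enable-Mailbox -Identity $_.Identity -Archive }
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -LitigationHoldEnabled $true

# 4. Check the work: confirm the rule is enabled, then pull a sample of
#    mailbox-item events from the unified audit log for the last seven days
#    to prove the audit trail is actually being written.
Get-TransportRule -Identity "Encrypt outbound PHI" |
    Format-List Name, State, SentToScope, ApplyRightsProtectionTemplate
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType ExchangeItem -ResultSize 50 |
    Select-Object CreationDate, UserIds, Operations
```

Run the check step after the change window; if `Search-UnifiedAuditLog` returns nothing for active mailboxes, auditing is not yet recording and the "log and audit" requirement is not met regardless of what the settings say.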

Jon Tomes here again: Thanks to the reader who asked the question and to Brent Sadler for the helpful answer. Keep those cards and letters and emails and questions coming. We will pass along IT security questions to Brent Sadler and get the right answers for you. We enjoy answering your questions because doing so helps us know how to help you specifically, and not just in general, with your HIPAA compliance efforts.

Learn more about Office 365 in this Ingram Micro press release issued this week, which also quotes Brent Sadler, who is an Ingram Micro partner, “Microsoft Office 365 Now Available through the Ingram Micro Cloud Marketplace.”
