Microsoft Teams, and by extension Microsoft, likely need no introduction. The popular collaboration tool launched in 2016, providing organizations with a powerful way to communicate and share information within the Microsoft ecosystem. Tools like Teams have only become more important post-COVID, with workforces being hybrid, decentralized, and distributed. Healthcare organizations specifically can benefit from Microsoft Teams, as it’s an affordable platform that’s a no-brainer for organizations already leveraging Office 365 or other aspects of Microsoft’s services. In this post, we’ll cover how healthcare orgs can get started with Teams.
Is Microsoft Teams HIPAA compliant?
While there’s no such thing as HIPAA certification, Microsoft Teams as well as Office 365 are currently leveraged by organizations in a variety of regulated industries, including healthcare. This is because Microsoft services have undergone a variety of audits and certifications, including ISO/IEC 27001. However, organizations seeking to remain HIPAA compliant while using Microsoft Teams must meet and maintain a number of standards to protect PHI and measure risk.
What is needed to make Microsoft Teams HIPAA compliant?
Like other service providers that handle PHI, Microsoft requires HIPAA covered entities to sign and execute a business associate agreement (BAA) before they can use Microsoft Teams or Office 365. Microsoft’s BAA is available through the Microsoft Online Services Data Protection Addendum by default to all customers who are covered entities or business associates under HIPAA.
In addition to signing and executing a BAA, HIPAA covered entities using Microsoft Teams must also implement a combination of policies, controls, and procedures to secure PHI and e-PHI in order to satisfy requirements like the HIPAA Security Rule. The exact manner of meeting these requirements is up to the discretion of each organization; however, Microsoft does provide the Customer Considerations and Tools For HIPAA Compliance white paper for organizations using Teams, which can be found here. Microsoft also provides a secondary HIPAA compliance guide for Office 365 and Microsoft Teams, which can be found here.
Best practices for HIPAA compliance on Microsoft Office 365 and Microsoft Teams
In the aforementioned documents, Microsoft highlights security activities as well as controls that may aid organizations in maintaining HIPAA compliance. Section 3 of the HIPAA Compliance Microsoft Office 365 and Microsoft Teams guide provides a policy guideline that maps important compliance activities to actions that can be taken in Office 365 (see an example below).
Some of the key compliance areas the document highlights are:
- Security management processes. These are procedures that help an organization establish and maintain security under normal operating conditions. These can include policy reviews, risk assessment reviews, and system activity reviews.
- Workforce security. These are policies and procedures that establish who can access e-PHI and when and where they can do so.
- Information access management. These are policies that establish what permission levels are required to access specific folders and content.
- Contingency plan. This includes policies and procedures that help with security and operations during non-standard conditions. This can include disaster recovery and business continuity.
- Access controls. These are logical and physical controls ensuring that only authorized individuals can access designated workstations, devices, or systems.
- Transmission security. This refers to the protection of data in transit and at rest, primarily through the use of encryption.
The white paper specific to Microsoft Teams provides a detailed overview of controls that organizations might find useful in fulfilling their obligations. These include (but are not limited to):
- Identity management. Identity management tools allow organizations to assign the appropriate resources to a user based on the level of access they’re allowed to have. We give an in-depth description of identity management here.
- Data classification. Data classification allows for e-PHI to be identified, located within a specific system, and protected. We talk in detail about how cloud data loss prevention (DLP) can help accomplish this here.
- Activity audits/logs. In order to understand risk, especially risk over time, organizations must monitor activity happening in systems like Teams to ensure that inappropriate handling of e-PHI isn’t happening. Cloud DLP can aid with this as well.
Being HIPAA compliant means asking the right questions
Are you looking for other HIPAA-compliant SaaS applications to enable digital transformation within your healthcare organization? Grab a copy of our Guide to HIPAA Compliance Checklist. It has important details you’ll want to ask any SaaS provider as a HIPAA covered entity. You can also learn more about the HIPAA Security Rule requirements from our Ultimate HIPAA Security and Compliance FAQ, which can be read for free online.